Sometimes an investigator may not have access to a hardware write blocker, or may not be able to remove the suspect drive from the Mac. (We do not recommend that investigators attempt to image a drive without a hardware write blocker, but at times the situation may necessitate it.) In this case, the investigator can connect the suspect Mac to their forensic workstation using a process called Target Disk Mode. Target Disk Mode causes the suspect Mac to act like an external FireWire drive, at which point it can be connected to a forensic workstation running MacForensicsLab for imaging and examination.
- The first and MOST important step in this process is making sure that Disk Arbitration is disabled. You can do this by following the process for disabling Disk Arbitration found here. Make sure you verify that it is disabled using Disk Utility once you have completed this. This will ensure that the suspect drive stays forensically sound.
- Boot the suspect Mac and hold down the "T" key until the FireWire icon appears on screen. The suspect machine is now in Target Disk Mode.
- Connect the suspect machine to your examination workstation. Once the suspect drive appears in MacForensicsLab's Device area, you can proceed with acquiring an image of it (note: the suspect drive will not appear on the desktop as Disk Arbitration is disabled).
- Once the image has been created, you can hold down the power button on the suspect machine until it powers itself off. Then disconnect it from the examination machine.
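
The first step and the note about the drive not appearing on the desktop can also be checked from a terminal on the examination workstation. The script below is an added example, not part of MacForensicsLab or the original procedure, and it complements the Disk Utility verification rather than replacing it. It assumes the daemon is named `diskarbitrationd` and that the suspect drive shows up as `disk2`; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check before attaching a suspect Mac in Target Disk Mode.
# Function names and the sample data below are constructed for illustration.

# Reads a process list on stdin (one command per line, e.g. from `ps -axo comm`).
# Succeeds if the diskarbitrationd daemon appears in it.
da_running() {
    grep -Eq '(^|/)diskarbitrationd$'
}

# Reads `mount` output on stdin and prints every mounted slice of disk $1.
# "disk2" matches /dev/disk2 and /dev/disk2s1, but not /dev/disk20s1.
mounted_slices() {
    awk -v d="/dev/$1" '$1 == d || index($1, d "s") == 1 { print $1 }'
}

# preflight DISK PS_TEXT MOUNT_TEXT: returns 0 only if it is safe to proceed.
preflight() {
    status=0
    if printf '%s\n' "$2" | da_running; then
        echo "FAIL: diskarbitrationd is running; attached volumes will auto-mount"
        status=1
    fi
    slices=$(printf '%s\n' "$3" | mounted_slices "$1")
    if [ -n "$slices" ]; then
        echo "FAIL: slices of $1 are mounted:" $slices
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no arbitration daemon, no mounted slices of $1"
    return "$status"
}

# Constructed sample input (not captured from a real case).
SAMPLE_PS='/sbin/launchd
/usr/libexec/diskarbitrationd
/usr/sbin/syslogd'
SAMPLE_MOUNT='/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk2s2 on /Volumes/Macintosh HD 1 (hfs, local, nodev, nosuid, journaled)'

# Demo on the sample data; on a live workstation use:
#   preflight disk2 "$(ps -axo comm)" "$(mount)"
preflight disk2 "$SAMPLE_PS" "$SAMPLE_MOUNT" || true
```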