This section will discuss the acquisition capabilities of MacForensicsLab.
MacForensicsLab can work with original devices and media, as well as disk image copies of these same data sources. Using the ‘Acquire’ function ensures that the evidential integrity of the suspect drive is protected, by allowing the examiner to create a disk image for analysis and investigation, rather than having to work with the suspect drive.
The ‘Acquire’ function benefits from a number of features during the acquisition scan. These include checksum hashing for validation; the ability to create a separate golden master; the ability to create a smeared image when a volume cannot be unmounted; segmentation for ease of backup to alternative media; and proprietary fault-tolerant bad block recovery, which works around faults so that the examiner can create disk images from damaged media or resume a previous acquisition attempt that failed because of faulty media and/or electrical shortages.
Creating a Disk Image
When creating a disk image, the examiner can do so directly from either a partition or device, although it is recommended that copies be made of an entire device rather than of individual partitions.
Having selected the respective device or partition from the ‘Device’ panel, the examiner must press the Acquire button, bringing the function window to the fore.
In performing an acquisition the examiner can set a number of options:
Segment Size – The maximum amount of data in each acquired image file, allowing the examiner to split his or her acquisition into multiple images. Limiting each segment to a specific size makes backup easier, for example when the examiner plans to burn the image to a set of DVDs; to do so the examiner need only select the “4.36 GB (DVD-R/DVD+R)” option from the popup list.
Packet Size – The interval of data at which MacForensicsLab performs a checksum validation on the data being written to the acquisition image. A lower setting means many more checksum verifications are performed, improving overall data integrity but reducing the overall speed of the acquisition.
Smeared Image – Allows the examiner to generate an image from a drive that cannot be unmounted, or that he or she may not wish to unmount. This applies, for example, when the examiner wishes to acquire the main volume on an operational file server that cannot be taken offline without alerting users to the actions of the examiner.
Golden Master – In addition to the working copy, this option allows the examiner to save an extra disk image copy for other purposes. When the Golden Master option is selected, the user will be prompted to choose a save location twice before the acquisition is made: once for the disk image, and a second time for the golden master. This allows the user to save the golden master to a different location than that of the working image.
Resume – Provides the examiner with the option to continue from a previous acquisition if, for whatever reason, the prior acquisition process was interrupted. When the acquisition is initiated, the ‘Open’ dialog window will appear rather than the ‘Save’ dialog window.
Having made the desired changes to the presets, click the Start button to begin the acquisition process. If creating an image rather than resuming, a ‘Save file’ dialog box will appear and the examiner will be prompted to enter a filename for the disk image. By default the file name appears as “Disk Image”; select and edit this to a preferred name, then choose a location in which to save the disk image. Then click Save and the process will begin.
Note: Always be sure to save the disk image to a location other than the device being imaged. Also, make sure that the device to which the new disk image is being saved has enough storage space. The acquisition of a 60GB hard drive will require the destination disk to have a minimum of 60GB of free capacity.
Unless the “Create a Smeared Image” option has been selected, MacForensicsLab will first attempt to unmount the selected volume or volumes of the selected device. A status bar then marks the progress of the acquisition, along with a variety of other information: checksum mismatch total; total bad blocks; total data remaining to be copied; total data copied; total capacity; approximate current data transfer rate; and total time remaining until the acquisition is complete.
During acquisition a DAT file is created in the same location as the image file; it contains checksum data for the disk image. It is a small file, taking up less than 25 KB of space, and is deleted once the acquisition process is complete.
Once completed, a dialog window will notify the examiner that the acquisition has finished and will provide an error count. The examiner should simply take note of this and then close the dialog box by clicking Close, returning to the ‘Main’ window. The disk image can then be found in the previously specified location. By default the disk image file or segments will be locked, preventing them from being further modified or deleted.
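The acquisition mechanisms described above (checksum validation at packet-size intervals, segment size, fault-tolerant bad block recovery, the Resume option and the DAT progress file) are easier to see in working code. The following is an added example written for this page, not MacForensicsLab's own code: the device class, the file names (image.001, image.dat), SHA-256 as the checksum, the zero-fill recovery strategy and the simulated interruption are all assumptions made for illustration.

```python
"""Added example, not MacForensicsLab's own code: a minimal acquisition loop with
packet-level checksum validation, segmented output, zero-filled bad-block
recovery and resume from a DAT-style progress file. All names are constructed."""
import hashlib
import json
import os
import tempfile

BLOCK_SIZE = 512  # sector size of the constructed source device


class ConstructedDevice:
    """Stand-in for a suspect drive: fixed bytes plus sectors that fail to read."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad_sectors, self.size = data, set(bad_sectors), len(data)

    def read(self, offset, length):
        first, last = offset // BLOCK_SIZE, (offset + length - 1) // BLOCK_SIZE
        if any(s in self.bad_sectors for s in range(first, last + 1)):
            raise OSError(f"I/O error reading sectors {first}-{last}")
        return self.data[offset:offset + length]


def read_packet(device, offset, length, bad_blocks):
    """Read one packet; if that fails, retry block by block and zero-fill the
    blocks that still fail, recording their offsets (fault-tolerant recovery)."""
    try:
        return device.read(offset, length)
    except OSError:
        out = bytearray()
        for blk in range(offset, offset + length, BLOCK_SIZE):
            n = min(BLOCK_SIZE, offset + length - blk)
            try:
                out += device.read(blk, n)
            except OSError:
                bad_blocks.append(blk)
                out += b"\x00" * n
        return bytes(out)


def acquire(device, dest_dir, segment_size, packet_size, stop_after=None):
    """Image `device` into dest_dir/image.001, image.002, ... of at most
    segment_size bytes each, hashing every packet after it is read back
    from the destination. Progress is saved to image.dat so an interrupted
    run resumes; stop_after (constructed) aborts early to simulate a failure."""
    assert segment_size % packet_size == 0, "packets must not straddle segments"
    dat_path = os.path.join(dest_dir, "image.dat")
    state = {"done": 0, "bad_blocks": [], "mismatches": 0, "packets": []}
    if os.path.exists(dat_path):  # resume: pick up where the last run stopped
        with open(dat_path) as f:
            state = json.load(f)
    offset = state["done"]
    while offset < device.size:
        length = min(packet_size, device.size - offset)
        data = read_packet(device, offset, length, state["bad_blocks"])
        seg_no, seg_offset = divmod(offset, segment_size)
        seg_path = os.path.join(dest_dir, f"image.{seg_no + 1:03d}")
        with open(seg_path, "r+b" if os.path.exists(seg_path) else "w+b") as f:
            f.truncate(seg_offset)  # drop any half-written packet from a crash
            f.seek(seg_offset)
            f.write(data)
            f.seek(seg_offset)
            written = f.read(length)  # verify what landed on the destination
        digest = hashlib.sha256(data).hexdigest()
        if hashlib.sha256(written).hexdigest() != digest:
            state["mismatches"] += 1
        state["packets"].append(digest)
        offset = state["done"] = offset + length
        with open(dat_path, "w") as f:
            json.dump(state, f)
        if stop_after is not None and offset >= stop_after:
            return state  # simulated interruption; image.dat is left behind
    os.remove(dat_path)  # like the DAT file in the text, gone once complete
    return state


def run_demo():
    """Constructed walk-through: a 16 KiB source with one unreadable sector,
    imaged in 4 KiB segments with 1 KiB packets, interrupted at 8 KiB, resumed."""
    data = bytes(range(256)) * 64                      # 16 KiB of content
    device = ConstructedDevice(data, bad_sectors={9})  # sector 9 = offset 4608
    dest = tempfile.mkdtemp()
    first = acquire(device, dest, 4096, 1024, stop_after=8192)
    final = acquire(device, dest, 4096, 1024)
    segments = sorted(p for p in os.listdir(dest) if p != "image.dat")
    image = bytearray()
    for name in segments:
        with open(os.path.join(dest, name), "rb") as f:
            image += f.read()
    expected = bytearray(data)
    expected[9 * BLOCK_SIZE:10 * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
    return {
        "interrupted_at": first["done"],
        "segments": len(segments),
        "packets": len(final["packets"]),
        "bad_blocks": final["bad_blocks"],
        "mismatches": final["mismatches"],
        "image_ok": image == expected,
        "dat_removed": not os.path.exists(os.path.join(dest, "image.dat")),
    }
```

Calling run_demo() images the constructed source in two runs: the first is aborted after 8 KiB and leaves image.dat behind, the second resumes from it, zero-fills the unreadable sector while recording its offset, and removes image.dat on completion. A real tool chooses its own checksum, packet size and recovery strategy; the point the example makes is that the per-packet digests and the progress file are what make both verification and resume possible.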
Attaching Disk Images
Once an image file or segment has been created, the examiner will want to prepare it for analysis. In order to do this the examiner must attach the disk image and mount it in the Finder.
To access the disk image, while in the ‘Main’ window, select “Attach Disk Image” from the File menu, or use the keyboard shortcut [Command] + [T]; the Attach Disk Image dialog box will appear. Click the Select button to choose the disk image to mount. There are two options listed for attaching the image.
Use Shadow File – Mounts the disk image using a shadow file, which makes the disk appear writable without actually writing to the disk image itself.
Ignore Permissions – Turns on the Finder feature that retains all disk permissions but ignores them, giving access to any user files on all parts of the image.
Once you have selected the desired disk image and options, click the Attach button.
Using this method avoids the need to unlock and lock the image file from the Finder. After mounting disk images, the examiner may need to force MacForensicsLab to rescan for new devices or images; this can be done either by selecting “Rescan Bus” from the File menu, or with the keyboard shortcut [Command] + [R].
Note that if the examiner is using anti-virus software, it may be configured to scan all newly attached disks, including disk images as they are brought into MacForensicsLab; this will slow the mounting of the image.
To detach a disk image after analysis, select the item from the ‘Device’ panel in the ‘Main’ window, followed by “Detach” from the File menu. Alternatively, select the disk image in the main window and use the keyboard shortcut [Command] + [D].