Sysadmin > SecurityAndPentests > ForensiC > MacForensic
Changes | Index | Search
Tags(edit)

Forensic on Mac

wipwipwipwipwipwipwipwipwipwipwipwip

  1. Do not write anything on the disk and/or make clean disk image
    1. disable automounter
      • onetime 
        sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
      • persistent 
        sudo mv /System/Library/LauchDaemons/com.apple.diskarbitrationd.plist ~/Backup/
  2. dcfldd 
    /opt/local/bin/dcfldd if=/dev/disk2s2 hash=sha1 sha1log=/Volumes/Backup\ 500G/verification.txt bs=512 conv=noerror,sync split=10G of=/Volumes/Backup\ 500G/image.raw
Edit | Attach | More topic actions
Copyright © Creative Commons License