Surviving Digital Forensics: Imaging a Mac Fusion Drive
Helping you sharpen your computer forensic skills
Description
Welcome to the Surviving Digital Forensics series. This series is focused on helping you become a better computer forensic examiner by teaching core computer forensic skills - all in about one hour. In this class you will learn how to image a Mac using only a Mac and freely available software. This will give you not only an additional imaging option but also provide you a solution for imaging Mac Fusion drives.
As with previous SDF classes you will learn by doing. The class begins with a brief overview of the issue at hand. Then we set up our forensic systems and off we go. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or customize to meet your needs. We cover basic imaging as well as some additional options you may need such as, splitting an image, using different hash algorithms, imaging partitions and more.
Class Outline
1. Introduction and Welcome to the SDF series
2. What this class is all about
3. How to get the most of this class
4. The problem and the solution
5. Getting your forensic system setup
6. Imaging steps download
7. Turning off Disk Arbitration
8. Identifying your evidence in Terminal
9. Imaging with DCFLDD
10. Lock your DMG file
11. DCFLDD breakdown
12. Getting the DCFLDD version
13. Using different hash algorithms
14. Splitting your image
15. Changing the image file extensions of your image segments
16. Imaging partitions
17. Imaging Mac Fusion drives
18. Mac imaging quiz
18. Thank you & final thoughts
A Mac running OS 10.9+ is required for this course. If you are running 10.7 or 10.8 you likely will be okay, but a more up-to-date platform is recommended. The forensic tools we use are all freely available, so beyond your operating system all you need is the desire to become a better computer forensic examiner.
What You Will Learn!
- Image a Mac using just a Mac and freely available tools
- Learn how to install DCFLDD on a Mac
- Learn how to use DCFLDD in Terminal
- Image Mac Fusion drives
- Apply different hashing algorithms to the imaging process
- Create segmented image files
- Target image partitions only
Who Should Attend!
- Computer forensic analysts
- IT professionals
- Students