The easiest way to image a Mac computer is to use the Target Disk Mode (TDM) with a firewire connection to the host. Invoke the TDM by pressing the T key during the boot and wait for the Firewire symbol on the screen. The host must be XP or W2K (no macdrive reading drivers may be installed), The target can be: Mac OS 8.6 or later * PowerBook (FireWire) * PowerBook G4 * PowerBook G4 (Gigabit Ethernet) * PowerBook G4 (DVI) * iBook (FireWire) * iBook SE (FireWire) * iBook (Dual USB) * iBook (Late 2001) * iBook (14.1 LCD) * iBook (16 VRAM) * iBook (14.1 LCD 16 VRAM) * Power Mac G4 (AGP Graphics) with ATA drive * Power Mac G4 Cube * Power Mac G4 (Gigabit Ethernet) * Power Mac G4 (Digital Audio) * Power Mac G4 (QuickSilver) * Power Mac G4 (QuickSilver 2002) * iMac (Slot Loading) with Firmware version 2.4 or later * iMac (Summer 2000) * iMac (Early 2001) * iMac (Summer 2001) * iMac (Flat Panel) * iMac (17-inch Flat Panel) * eMac Regards, Etienne Meersschaut IT Security & Computer Forensic Manager Belgacom -----Original Message----- From: Michael Stone [mailto:mstoneat_private] Sent: 17 July 2003 02:25 To: forensicsat_private Subject: imaging apple disks Has anyone had success/failure imaging an oem disk from a new apple computer (e.g., an Xserve)? The disks look like normal ide disks, but I can't access them using the techniques I normally use for such devices. For example, when I attach one of these disks to a generic PC running linux it doesn't properly read the manufacturer & device info from the drive, doesn't negotiate dma and hangs if it is forced, and doesn't appear to be reading the proper data. A write-blocking firewire bridge that I usually use for ide imaging refuses to access the drive at all. Third party ide disks used in the mac's are readable, and disks from older mac's are also ok. But I've seen several cases now where the newer disks (IBM deathstars with a little apple logo on them) are just acting weird. Mike Stone ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 09:59:27 PDT