RE: imaging apple disks

From: etienne.meersschautat_private
Date: Thu Jul 17 2003 - 06:18:14 PDT

Next message: J: "Waste, Fraud, Abuse"

Previous message: Michael Stone: "imaging apple disks"
Maybe in reply to: Michael Stone: "imaging apple disks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The easiest way to image a Mac computer is to use the Target Disk Mode
(TDM) with a firewire connection to the host. 

Invoke the TDM by pressing the T key during the boot and wait for the
Firewire symbol on the screen.  The host must be XP or W2K (no macdrive
reading drivers may be installed),   

The target can be: 

Mac OS 8.6 or later

* PowerBook (FireWire)
* PowerBook G4
* PowerBook G4 (Gigabit Ethernet)
* PowerBook G4 (DVI)
* iBook (FireWire)
* iBook SE (FireWire)
* iBook (Dual USB)
* iBook (Late 2001)
* iBook (14.1 LCD)
* iBook (16 VRAM)
* iBook (14.1 LCD 16 VRAM)
* Power Mac G4 (AGP Graphics) with ATA drive
* Power Mac G4 Cube
* Power Mac G4 (Gigabit Ethernet)
* Power Mac G4 (Digital Audio)
* Power Mac G4 (QuickSilver)
* Power Mac G4 (QuickSilver 2002)
* iMac (Slot Loading) with Firmware version 2.4 or later
* iMac (Summer 2000)
* iMac (Early 2001)
* iMac (Summer 2001)
* iMac (Flat Panel)
* iMac (17-inch Flat Panel)
* eMac


Regards,
Etienne Meersschaut
IT Security & Computer Forensic Manager
Belgacom


-----Original Message-----
From: Michael Stone [mailto:mstoneat_private] 
Sent: 17 July 2003 02:25
To: forensicsat_private
Subject: imaging apple disks


Has anyone had success/failure imaging an oem disk from a new apple
computer (e.g., an Xserve)? The disks look like normal ide disks, but I
can't access them using the techniques I normally use for such devices.
For example, when I attach one of these disks to a generic PC running
linux it doesn't properly read the manufacturer & device info from the
drive, doesn't negotiate dma and hangs if it is forced, and doesn't
appear to be reading the proper data. A write-blocking firewire bridge
that I usually use for ide imaging refuses to access the drive at all.
Third party ide disks used in the mac's are readable, and disks from
older mac's are also ok. But I've seen several cases now where the newer
disks (IBM deathstars with a little apple logo on them) are just acting
weird. 

Mike Stone

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

text/plain attachment: Disclaimer_Belgacom.txt

----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: J: "Waste, Fraud, Abuse"
Previous message: Michael Stone: "imaging apple disks"
Maybe in reply to: Michael Stone: "imaging apple disks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 09:59:27 PDT