Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

Created byMichael Leclair

Last updated 10/2015

English

What you'll learn

Image a Mac using just a Mac and freely available tools
Learn how to install DCFLDD on a Mac
Learn how to use DCFLDD in Terminal
Image Mac Fusion drives
Apply different hashing algorithms to the imaging process
Create segmented image files
Target image partitions only

Course content

4 sections • 20 lectures • 49m total length

Welcome to the SDF Series!4:27
Welcome to the Surviving Digital Forensics Series!
About this class3:47
Let's talk about what this class is all about and what you will get out of it.
Maximize your learning3:51
Here a few tips to get the most out of this training.
The problem and the solution2:30
Let's look at the issue at hand and how we are going to solve it.

Turning off Disk Arbitration2:10
You may use Disk Arbitration as a software write block so long as you validate it! In this next section I go over the steps of turning off Disk Artbitration.
Identifying your evidence disk in Terminal2:00
Since we are working in Terminal you need a way to identify your local disks from your evidence disks. This next sections walks you through the steps to do it.
Imaging with DCFLDD2:22
Now let's get to it and create an image.
Lock you DMG file0:49
Remember to lock your DMG file to keep it in read only mode.
DCFLDD Breakdown3:14
In this section I break down DCFLDD so you better understand the command. This comes in handy if you have to explain it.
Getting the DCFLDD Version1:02
Many examiners need to document the version of the tool they use. In this section I will show you how to identify the version of DCFLDD you are using.
Using different hash algorithms2:22
MD5 is old fashion, let's adjust our command so we can hash using different algorithms and hash with multiple algorithms at once.
Splitting your image1:42
Next up is learning how to segment your image file. I will show you how to set it up and how to customize it.
Changing the file extensions of your image segments1:35
In this module I will show you how to change the file extension of your segmented image file.
Imaging partitions2:49
Sometimes you do not want to image the entire disk. Rather, you just need to image a certain partition on the disk. I show you how to do that next.
Imaging a Mac Fusion Drive2:49
If you are imaging a Mac Fusion drive, or any Mac for that matter, an option is to place it into target disk mode and image it that way. In this section I will walk you through the steps.
New Method! - Imaging & reassembling a Fusion Drive5:06
This section teaches you how to image the pieces of a Mac Fusion drive and then reassemble them on a forensic Mac to be recombined into a new image file.
Mac Imaging Quiz

Thank you and final thoughts1:44
Thanks for joining me in another edition of the Surviving Digital Forensics series. I hope you enjoyed the class!

Check out other classes of the SDF series at http://sumuri.com/training/surviving-digital-forensics/

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at http://sumuri.com/about/news/

Check out our Youtube channel https://www.youtube.com/user/SumuriNews

Requirements

All you need is a Mac running OS 10.7+ (OS 10.10 recommended) and the desire to learn.

Description

Welcome to the Surviving Digital Forensics series. This series is focused on helping you become a better computer forensic examiner by teaching core computer forensic skills - all in about one hour. In this class you will learn how to image a Mac using only a Mac and freely available software. This will give you not only an additional imaging option but also provide you a solution for imaging Mac Fusion drives.

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the issue at hand. Then we set up our forensic systems and off we go. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or customize to meet your needs. We cover basic imaging as well as some additional options you may need such as, splitting an image, using different hash algorithms, imaging partitions and more.

Class Outline

1. Introduction and Welcome to the SDF series

2. What this class is all about

3. How to get the most of this class

4. The problem and the solution

5. Getting your forensic system setup

6. Imaging steps download

7. Turning off Disk Arbitration

8. Identifying your evidence in Terminal

9. Imaging with DCFLDD

10. Lock your DMG file

11. DCFLDD breakdown

12. Getting the DCFLDD version

13. Using different hash algorithms

14. Splitting your image

15. Changing the image file extensions of your image segments

16. Imaging partitions

17. Imaging Mac Fusion drives

18. Mac imaging quiz

18. Thank you & final thoughts

A Mac running OS 10.9+ is required for this course. If you are running 10.7 or 10.8 you likely will be okay, but a more up-to-date platform is recommended. The forensic tools we use are all freely available, so beyond your operating system all you need is the desire to become a better computer forensic examiner.

Who this course is for:

Computer forensic analysts
IT professionals
Students

What you'll learn

Explore related topics

Course content

Introduction4 lectures • 15min

Getting Set Up3 lectures • 5min

Practicals12 lectures • 28min

Conclusion1 lecture • 2min

Requirements

Description

Who this course is for: