Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Digital Forensics - Lecture 16 - Basics of OS - MAC OSX

Basic Functions of Mac OSX
by

Masudur rahman

on 21 November 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Digital Forensics - Lecture 16 - Basics of OS - MAC OSX

Investigating Operating Systems
Mac OSX

3 Pass Erase
Session Objectives:
Understand some basic features of latest OSX
Data Storage Sanitisation by using MAC OSX
RAID 0, RAID 1 AND RAID 5
Introduction to MAC Hardware
Macbooks & Desktop Computers
Intel based systems, that can dual boot
Bootcamp is used to dual boot (OS)
Slot load DVD/CD (right side)
Ethernet 10/100/100
Two USB ports
One Thunderbolt port

Boot Camp
DMG Files and Mounting
OS X is a variant of the BSD operating system named Darwin.
All Unix, BSD and Linux distribution, a device or network share must be first mounted before it can be utilised by the operating system
The mounting process will determine the correct type of file system the device is configured with and mount it so it’s usable by the operating system
What is .DMG File?
Double click and the file will be mounted on the desktop as a virtual drive . You can then access or work with any files available on the desktop
DMG file is a single file that has properties like a separate hard drive or CD device.
To view the drive info screen, highlight the mounted virtual drive (Drive-1) and select
File | Get Info
Difference in the info screen for the actual disk image (Drive-1-Image.dmg) and the mounted drive (Drive-1)
Size of the actual file is only using 204KB of disk space on the system,
Mounted image is showing 20.5 MB used out of a 5.68 Gig Volume.
Notice the difference
Un-mount?
Physical layer data security built directly in the operating system
OS X has the ability to forensically wipe the “Free space” while leaving current files intact. When this feature is used you can select three options
Zero Out Deleted Files
3-pass Erase of Deleted Files
7-pass Erase of Deleted Files
35 – Pass Erase of Deleted files

Security Features
The option will overwrite the entire disk or volume with zeros one time
It is the fastest available option and is theoretically secure enough to prevent the data from being forensically recoverable using normal software methods
It is also a good option to forensically prepare a drive to be used to store digital evidence.

7 Pass
The option will overwrite the entire disk seven times
This option meets the DoD 5220 22-M specification for data storage sanitization
Each pass will vary the data written to the physical disk
Last pass will overwrite the storage media with random data.
35 Pass Erase?
The Highest degree of security against data recovery.
It uses Gutmann algorithm to write 35 patterns to the disk to overwrite data.
The last four passes in this method will write random data to the disk.
Disadvantage-Gutmann algorithm Is a very time consuming option

When a hard disk is broken into more than on logical drive
OS X disk utility makes it easy for you to set up different types of volume schemes.
Volume scheme allows you to define how many partitions you want to create on the drive.
By default a drop down menu will split the hard disk into equal size partitions
The partition can also be manually edited by using lower buttons in the lower section of the disk utility screen
A technology that uses multiple hard drives to provide
Improved performance
fault tolerance against hardware failure
Larger data volumes.
Hardware RAID Controller
Dedicated Card
A lot more reliable
Software Raid Controller
Shared resources with the OS
Loss of performance duo to shared resources
Mirrored RAID Set (RAID 1)
The most common of the RAID types
Requires two hard drives
They provide fault tolerance in the even of a hard dive failure
If one of the drives fails the system will continue to operate correctly without any disruptions or data loss
The failed drive can be replaced and the mirror set rebuilt.

Recap

What have we learned today?
Important Disk Utility of OSX
Disk Information (cont..)
Feature within Disk Utility to retrieve hardware information
Can give valuable information that can be recorded in your investigation notes.
Retrieve information about the drivers connected to the system & Individual partition.
Click device or partition displayed in the left pane in the Disk Utilities then click Info button in the upper menu bard.
Disk utility application
Chose the desired disk/volume
Just select the option to sanitize the storage device / disk

Optimum Slides
Tool that allows users to easily format, delete and repair disks and portions
Disk utility have some forensic implications
Ability to zero out data on drives
Perform a complete 3, 7 or 35 pass erase
Enable the user to have multiple disks or partitions on a system
Ability to set up mirrored, stripped and concatenated RAID sets

Disk Mounting
What is an Operating System?
What is Shell? Kernel?
What are the main functions of any OS
Are you familiar with the following terms -Machine Management, Peripheral Management, File Management, Providing Security etc as function of an OS?
Quick check of our previous learning...
Disk Utility Tool
Disk Copy Disk Image File is a mountable disk image file that is commonly used in OS X.
DMG files are created to be store groups of files and folders into one easy to mange file.
These files are used to distribute OS X updates, create backups and restore, Send multiple files to another OSX user. They Support File Compressions, Encryption (AES-128), Password protection etc.
How .DMG works?
Zero Out Data
Erase
Disk Partition
RAID (Redundant Array of Inexpensive disks )
Provides greater performance for applications
Video processing (require large amounts of data)
Striped set stores files across all of the drives in the set and is able to improve performance by reading and writing to all the drives simultaneously
This type does not provide fault tolerance
If one disk failed the entire set will be lost
So it is important to back up frequently

Striped RAID Set
Known AS RAID 0
Full transcript