Pinpoint Network Bottlenecks (by Jim MacLeod)
LMTV | Cyber Crime and Computer Forensics (by Casey Mullis)

Never Give Up While Freedom Is On The Line (by Casey Mullis)

I recently had the pleasure of assisting another Investigator from Carroll County with forensics on one of the new Macbook Pro 13 inch with a 128 GB SSD. The first thing you notice is there is no CD/DVD drive. There is also no Firewire port only a thunderbolt port and USB 3.0.

So now what? I first tried booting with Blackbag's  MacQuasition but it would not boot. I called Blackbag tech support and found out that the version I had did not support the new model of Macbook that we were working on. The hard drive in the Macbook was a SSD nonstandard drive. See image(s) below.

  Cybercrime

So what do you do? Do you give up on getting the forensic image of the hard drive or do you push forward and keep digging to find a solution?

Macbook

Macbook SSD

Here is where I may differ from most investigators - .If it was worth seizing to acquire evidence and it very well may contain evidence, it is our job to collect that evidence, no matter what effort is required. No matter if the evidence is for or against the person in question, the fact remains that we are to collect the evidence and let the courts sort it out. My dad always told me “Son, anything worth doing, is worth doing right!” and as an investigator I have found that doing it right sometimes requires a lot of effort!

In today’s digital (data) oriented world it is too easy to make it look like a person committed a crime when they did not. Take for instance the hundreds of web sites that can be used to send fake text messages. If you are using push button evidence acquisition tools and only ripping text messages versus doing a complete / true computer forensics review; you very well may send an innocent person to jail because of what maybe a prank. Remember there is only one letter difference between prosecute and persecute.

At what point do you say “No more!”? Depending on the case as listed above, you may have someone’s freedom hanging in the balance. Would you want an Officer of the Law cutting corners if it were your freedom on the line? No, of course not! Not everyone can afford a computer expert because we are not all born with money, but we do depend on our governmental agencies to do their very best. Cutting corners is not our very best!

In this case, I was working with Investigator Jimmy. A., who is employed with a local County Sheriff’s Office. We have worked in the past together and taught computer forensic classes together. Jimmy is a very good computer forensics investigator and I can always call upon him for help.

Due to this case being a little outside Jimmy’s area of expertise, he asked for my help. We met and after speaking with Blackbag tech support, we came up with a solution to the problem at hand.

This case spans multi states and is an ongoing investigation, so I am unable to speak about it directly. I am able to share how we got to the evidence in the new model Macbook. The Sheriff’s had to spend roughly one hundred and twenty dollars to get the forensic image. We had to buy first a power supply because there was not one with the computer when it was seized. The new MacBook’s do not use the old power supply. We also had to purchase the thunderbolt to Firewire connection cable.

  Firewire

I have an older model Macbook Pro with Intel CPU. This is important to have as we will still use the Blackbag MacQuasition to boot a mac, just not the suspect machine because it is not supported yet.

After we got these two items we were able to get what was needed by taking the following steps.

  1. Set suspect machine in “T”arget mode by booting the machine and holding the “T” key down.
  2. Connect the thunderbolt to Firewire cable to suspect machine.
  3. Run Firewire cable from adapter on suspect machine to your Macbook Firewire port.
  4. Plug Blackbag’s MacQuasition in to your Macbook.
  5. Turn your  Macbook on and hold down the “Option”/”Alt” key down
  6. Select the MacQuasition USB drive from the list on your Macbook
  7. MacQuasition will see the connected (Suspect) computer in target mode. This gives you complete access to the hard drive in a forensically sound manner
  8. Connect external storage media to your computer and mount as read/write to dump suspect hard drive image to.

Now as a follow up and for your edification MacQuasition will have an update soon that will support the newer models of MacBook’s.

Another option on the market and FREE is Paladin and Raptor.

Never give up, not while freedom is on the line. Give it everything you got and then when you think you have done everything you can, call a couple other folks to see if they have any ideas. Remember in this digital age “No one person can know it all. We need each other.”

Thank you for your time and I hope this helps others who may run across a similar issue.

Remember – The evidence speaks for itself but only if the evidence is properly gathered by the correct forensic processes! The Evidence is all we can rely on, so do the job like you would hope someone would do it if you were on trial!

Please look for the upcoming Man’ority Report interreview coming this Saturday,  February 16.


Casey Mullis
Author - Investigator Emory Mullis has been in Law Enforcement for roughly 14 years including military and civilian law enforcement. He started learning about computers back when Gateway 266 MHz was the top of the line and cost about $2000.00.Right out the box, I was compelled to take my new found 266 apart. Why I have no idea other than pure curiosity. Once I had the computer out the box and on the floor in pieces, my wife walked in. Trust me people, this was not a good thing! Either way I got a good understanding at this point on how a computer is put together and / or the components inside. This was my starting point with computers and I still hear my wife in the back ground “It better work when you put it back together!” That was my humble beginnings as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence and it is a real challenge. I enjoy the challenge and look forward to learning more every day!

Tim is the Oldcommguy and Chief Technical Editor of Lovemytool.com and working as a volunteer for the Georgia POST helping to train Georgia's Law Enforcement community in sound techniques for recognition, protection and acquisition of lawful cyber evidence.

 

Comments