19.6. Command-Line Tools for Forensic Analysis

A wide variety of command-line tools included with Leopard can be used in forensic investigations, primarily for acquiring forensic images.

You can use the mount command to attach a suspect disk to a forensic system. To mount a volume read-only for inspection, use mount -r. Keep in mind that a read-only mount only restrains the operating system's own writes; a hardware write blocker between the evidence drive and the forensic workstation is still the preferred safeguard. Also note that Mac OS X automatically mounts volumes on any disk you attach, so check with diskutil list and unmount them (diskutil unmountDisk) before touching the device. For acquisition you will typically not work through the mounted filesystem at all, but run dd against the raw device.

The dd command makes a bit-for-bit copy of a device and is the standard way to acquire a forensic disk image. It is preferred over Disk Utility because it can image a device without mounting it, which, as discussed, can potentially contaminate the drive for future use as ...
