Tuesday, September 18, 2007

Enter the MAC

When Apple moved to Intel-based hardware I was really excited. For years I abhorred Apple and Macs, commonly referring to them as macintrash, macincrap, or the ubiquitous doorstop. With the move to the Intel platform I decided to give them another try. Last week I turned in my IBM T41 and picked up a 15" MacBook Pro with a 2.4GHz Core 2 Duo, 2GB RAM (upgraded to 4GB using Geil DIMMs), and a 160GB hard drive. Big deal, right? Well, as an incident response/forensics d00d I now have the best of all three worlds in which I commonly live.

My first move was to install VMware Fusion. Installation was simple. I gave myself 30GB, entered a username and password and the serial number, and off went my Vista installation. I next went ahead and installed Ubuntu 7.04 Feisty Fawn.



Note, if you will, that the Windows Start button is in the lower left-hand corner. That's pretty sweet, if I do say so myself.

The other pieces of the system that are nice are the built-in FireWire 400 and 800 ports for attaching those pesky write blockers.

I'll be adding XP soon, but so far I'm very hopeful about the new platform for investigations. I just hope the hardware holds up. Anyone else doing this?

6 comments:

Anonymous said...

Yes indeed. Some of our forensic investigators are now using Macs with virtual Windows and Linux images. Not only can they use the multiple platforms, but investigators with little previous Mac experience are gaining valuable hands-on experience just using and playing with their Macs, which leads to increased response, analysis, and tool development for any Mac forensic analysis or incident response scenarios.

H. Carvey said...

Funny you should mention this...we're getting the same thing for our folks, and I just set up a MacBook Pro with BootCamp, XP SP2 and Parallels...

Anonymous said...

What about dongles for EnCase, FTK, Mercury, etc.? Is anyone having issues with tools in virtual images accessing the dongles plugged into the Mac?

Mark

echo6 said...

We have MacBook Pros. Currently I have mine set up with a triple boot: OS X, XP, Gentoo Linux.

We have vmfusion on order, so I will look forward to testing it out.

I have, however, tried VirtualBox. Unfortunately, on Linux with the Mac it is unable to access the USB subsystem. I've had an EnCase dongle working fine with VirtualBox on Linux on another machine. Although the Mac version states it has support for USB, it doesn't appear to pass through the EnCase dongle very well. The dongle gets detected in Windows within VirtualBox, but EnCase does not appear to see it.

We have Parallels, but I've not tried that yet.

They are seriously very nice machines. I tend to use Linux with OpenOffice for presentations, but even with Windows these machines sometimes display weird problems displaying output via the DVI :(

200GB split three ways is still not enough ;-)

hogfly said...

I tried Parallels 3 and wasn't all that happy with it. Parallels definitely has some benefits over vmfusion, but I think I'll be sticking with VMware.

I've so far tested X-Ways on Vista in vmfusion, and the dongle is happy and the program runs well.

echo6 said...

I got EnCase 6.71 working within VirtualBox on the MacBook Pro under Linux after adding the appropriate entry in /etc/fstab to allow access for my user to the USB subsystem :-)

http://forums.virtualbox.org/viewtopic.php?t=979
The sharing access violation problem described in this post is a pain, hopefully Apple will resolve this with future updates :*(

I have also finally got EnCase to work within VirtualBox in OS X :-)