During live and dead acquisition, it’s important not to tamper with the evidence. Write blockers protect the evidence from accidental modification, making sure it will be admissible in court.
Hardware write blockers
Windows Software Write Blocker
Basically, one can do this manually by changing a value in the registry. Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
set the WriteProtect DWORD to 1; the device will be set to read-only mode, preventing any data from being written to it.
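The registry change above, as an added PowerShell example that is not part of the original notes: it creates the StorageDevicePolicies key when it is absent, sets WriteProtect, and reads the value back before the evidence drive is attached. The function names and the $policyKey variable are my own; the key path and value are the ones from the notes.

```powershell
# Added example (not from the original notes): set the USB write-protect policy
# and read it back. Run from an elevated PowerShell on the forensic workstation.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # The StorageDevicePolicies key is often absent on a fresh install; create it.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'WriteProtect' -Value $Value -Type DWord
}

function Get-UsbWriteProtect {
    if (-not (Test-Path $policyKey)) { return $null }
    (Get-ItemProperty -Path $policyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue).WriteProtect
}

# Enable write protection before attaching the evidence drive, then verify it stuck.
Set-UsbWriteProtect -Value 1
$current = Get-UsbWriteProtect
if ($current -ne 1) {
    throw "WriteProtect is '$current', expected 1 - do not attach the evidence drive"
}
Write-Host "WriteProtect = $current (USB mass-storage devices now attach read-only)"

# The policy is read when a device is enumerated, so anything already plugged in
# should be detached and reattached. Restore normal use with: Set-UsbWriteProtect -Value 0
```

This policy covers USB mass-storage devices only; drives attached over other buses still need a hardware write blocker.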
For a Mac, either use a hardware write blocker or turn off disk arbitration.
Turning off Disk Arbitration (the diskarbitrationd daemon that automatically mounts attached volumes) prevents the host computer from mounting, and so writing data to, the target MacBook connected in Target Disk Mode. To turn off this feature, refer to this page. It’s needed so the forensic machine won’t change the data on the suspect MacBook. For Mac acquisition, follow these steps.
🧪 What files are changed when something is connected to a Mac (over USB or Thunderbolt)? Does turning off the disk arbitration feature really prevent changes to the target drive?
🧪 When attaching my MacBook to another via Share Disk mode, I deleted files from the target MacBook even with DA off. Why? Share Disk doesn’t work the same way as Target Disk Mode; it’s an SMB share. See the comprehensive research above.
There is also a tool 🛠️ https://github.com/aburgh/Disk-Arbitrator that helps and eases the work. I need to check this out.
# Turn DA off
# Old macOS (diskarbitrationd was started from /etc/mach_init.d)
# Back up the plist to /, then remove the original and reboot
sudo cp /etc/mach_init.d/diskarbitrationd.plist /
sudo rm /etc/mach_init.d/diskarbitrationd.plist
# New macOS
# Option #1. Kill the process
# cat /var/run/diskarbitrationd.pid gives the PID
# ps -ex gives the proc list; confirm the PID belongs to diskarbitrationd before killing it
ps -ex | grep "$(cat /var/run/diskarbitrationd.pid)"
sudo kill "$(cat /var/run/diskarbitrationd.pid)"
# launchd may respawn the daemon; re-run the ps check before attaching the target
# Option #2. Remove the plist (back it up to / first, then delete it)
sudo cp /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist /
sudo rm /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
# On recent macOS this fails with a read-only file system error: the System volume is read-only
# Turn on (restore the plist to where it was, then reboot)
# Old macOS
sudo cp /diskarbitrationd.plist /etc/mach_init.d/
# New macOS (same read-only caveat)
sudo cp /com.apple.diskarbitrationd.plist /System/Library/LaunchDaemons/