Forensically Imaging a Mac

There have been a few articles of late about imaging a Mac, specifically a MacBook Air.  The consensus is that there are three methods:

1. Pull the hard drive out and use an adapter to image the drive.

2. Use a bootable CD/USB such as Raptor and/or Helix.

3. Create a bootable Mac OS X thumb drive, boot from it, and use dc3dd.

All of these are indeed options; however, they all present some problematic issues. Let me explain.

Option 1:  Pull out the hard drive.

Removing the hard drive from an MacBook Air and imaging it is very difficult to accomplish successfully.  I'd recommend you not even consider it, with one exception: if you need to bypass a firmware password. The reason you may need to remove it is that in a MacBook Air, the RAM is soldered to the motherboard.  If you do remove the hard drive, it is safer to place the original drive in a similar MacBook Air, so as to avoid the use of third party adapters that very likely will not work.  However, if you need to bypass/recover the EFI firmware password you can contact us at BlackBag and we can help you.

You will not be able to find an adapter for the newer drives (which are not hard drives at all - they are solid state drives).  The original MacBook Air had a proprietary connector from Samsung for which there is one known adapter.  It looks like a standard ZIF (zero insertion force) connector, but it's not - it's much smaller.  The new MacBook Airs use a newer mSATA  connector developed by Toshiba.

MacBook Air pin connector

New MacBook Air solid state drive (courtesy of iFixit) Picture courtesy of iFixit

Option 2:  Use a bootable CD/USB such as Raptor and/or Helix.

While this is an option, the MacBook Air does not have an internal CD-ROM so you will have to use an external USB unit.  You must also be aware that some external USB CD/DVD drives are not recognized by the MacBook Air, even when a boot CD might work.  Having created the Helix Boot CD, I can tell you that there are definitely issues using a Linux bootable distribution to image Macs.  Remember, the Linux kernel and its drivers for Mac are reverse-engineered hacks in order to avail the hardware and filesystems.  Many proprietary Apple devices such as RAIDs, etc., will not be seen by these bootable Linux distributions.

By all means feel free to try them, especially if they are free. If they work for you, then all the better.

Option 3: Create a bootable Mac OS X thumb drive, boot from it and use dc3dd.

This is by far the best of the three options I've listed, but it requires you to be able to install Mac OS X onto a thumb or external hard drive, and set it up properly with disk arbitration and a version of DC3DD for Mac OS X, etc..  This is not a monumental task by any means, and in fact, there are many sites out there which will show you how to do it.  The main problem with this method is that in installing Mac OS X, you may violate Apple's software agreement.  The other issue is you may not have the time or resources to do this.

A better option: MacQuisition.

MacQuisition has been built specifically for imaging Macs.  It uses a licensed version of OS X from Apple so you don't have to worry about violating license agreements.  Since it is Mac OS X, you also don't have to worry about MacQuisition not recognizing special Apple hardware, drivers, etc.  It works with firewire and USB, so you can image almost any Apple computer you encounter (more on this later).

MacQuisition imaging a MacBook Air

With MacQuisition, you never have to worry about taking multiple screws out of the computer and ending up with leftovers at the end of the process.  You'll also not have to worry about writing to the disk, as MacQuisition write-protects the drives and walks you step by step through the acquisition process.  Nothing could be easier!

Imaging your Mac can be accomplished in 5 short, easy steps:

Step 1 of MacQuisition

Step 2 of MacQuisition

Step 3 of MacQuisition

Step 4 of MacQuisition

Step 5 of MacQuisition

One thought on “Forensically Imaging a Mac”

  • Greg Dominguez
    Greg Dominguez 02/22/2011 at 07:43

    i was wondering when you would blog about imaging the Air. Thanks for taking the time to get it right.

Leave a Reply

Sorry, you must be logged in to post a comment.