Mac Forensics Essentials: Single-User Mode
Over the years, our training curriculum and instructors have provided Mac Forensics students with many ways to collect detailed forensic evidence from a Mac OS X system. But from time-to-time, our students ask us questions such as, “How do I get the date and time from a Mac without logging into the computer?” or, “Before I begin my examination, how do I determine if the computer is running OS X Lion or Snow Leopard?”
An examiner can quickly answer these and other basic Mac OS X system information questions, in a forensically sound manner, by booting the machine into ‘Single-User’ mode. A Mac in ‘Single-User’ mode operates from a bare-bones command-line interface. A forensic examiner may then issue a few simple commands to extract basic machine information without actually booting into the operating system.
Important Notes to Consider Before Booting into Single-User Mode
1 – To access Single-User mode, a live machine must be rebooted. Therefore, if an examiner comes upon an OS X machine that is running with encryption enabled (i.e. FileVault,) it may not be wise to reboot the machine, as the data is fully encrypted after the restart. A live data acquisition, using a tool such as MacQuisition, may be a better choice under these circumstances.
2 – A user may have disabled Single-User mode. If this is the case, the system may bypass Single-User mode and boot to the Mac OS X operating system (not good!). If this happens, IMMEDIATELY shut the computer down by pressing and holding the power button.
3 – A machine running OS X Lion (10.7.x) with FileVault 2 enabled is easily identifiable; the machine does not boot directly into Single-User mode. Instead, a FileVault 2 login screen with a password prompt appears.
Important Notes About Single-User Mode
Before booting a machine into Single-User mode, an examiner should understand two additional key points:
1 – In Single-User mode, devices, including the boot drive, are protected with read-only (essentially write-blocked) privileges,
2 – Commands issued in Single-User mode are issued as root, so some commands may circumvent read-only protection. Therefore, use caution and have a full understanding of each command before proceeding.
Booting Into Single-User Mode
1 – With the power off and the source system plugged into a power source (when possible), press the power button and immediately hold down the Option (alt) key. The EFI Boot screen (Startup Manager) appears.
2 – Select the machine’s main boot device to highlight it.
3 – Hold down the Command-S keys on the source computer’s keyboard, and select the arrow below the main boot device icon to begin the Single-User mode boot process.
4 – The source system boots into Single-User mode. During the Single-User mode boot process, the boot sequence appears as white text on a black screen as it executes. The boot sequence completes and a root# shell prompt appears.
5 – DO NOT issue the fsck -fy command on a suspect device. While this is a helpful troubleshooting/repair command under normal circumstances, using it on a source device results in file modifications.
6 – DO NOT issue the mount -uw command on a source device. This causes a mounted file system to change from read-only status to read-write (not write protected!) status.
7 – DO NOT issue the exit command. This causes the machine to boot to the operating system (again, not good!) Instead, use the halt -ln (‘l’ rhymes with tell) command to shutdown the machine.
Once again, if the Apple logo appears at any point during the boot process, IMMEDIATELY shut the computer down by pressing and holding the power button; the source system is attempting to boot to the OS X operating system and changes are written to the source device.
Issuing Commands In Single-User Mode
The following commands may be issued at the Single-User command prompt:
What: Display the system’s current local date and time with the local time zone (from the kernel clock, not the system clock)
What: Display the system’s current local date and time in UTC (Coordinated Universal) time (from the kernel clock, not the system clock)
Command: date -u
What: Display the system’s Mac OS X version and other system software information
Command: system_profiler SPSoftwareDataType
What: Display the machine’s model, serial number, and other hardware information
Command: system_profiler SPHardwareDataType
If at any point the machine ‘hangs’ after a command is issued, type Control-C to return to the command prompt.
After all desired information is gathered, issue the halt -ln (‘l’ rhymes with tell) command to shutdown the computer.
You can learn more about acquiring data from a Mac computer here on our blog or by visiting BlackBag TV. For more information about MacQuisition, our 3-in-1 data acquisition solution, please visit our MacQuisition product page.
Please feel free to contact support at anytime as well with any additional questions or comments.