Creating a “Portable OS X Workstation” means that you install the current version of OS X to an external USB, FireWire, or eSATA drive, so you can always boot to a clean environment to do your digital forensic work.
NOTE: You MUST purchase a new copy of OS X in order to be fully licensed to follow this method. The OS X DVD media that came with your Mac is meant for that Mac’s internal drive. To create another operating system environment and stay within Apple’s license agreement, you need to purchase another copy of OS X.
The advantages of this environment are:
- you can image those pesky MacBooks that don’t offer TDM (Target Disk Mode)
- you can image a MacBook Air with your USB drive, a hub, and a collection drive
- you will always have your favorite digital forensic tools available in the OS X environment
- this method will be compatible with all of the Macs!
First, you must choose which version of OS X you are going to use. OS X 10.6 will offer compatibility with the Intel Macs. OS X 10.5 will offer compatibility with the PPC Macs.
To create your Portable OS X Workstation, choose an external drive that offers both FireWire and USB connections. With the HD chosen, follow these easy steps:
- Partition your drive with the GUID Partition scheme using Disk Utility. Intel Macs require this for any boot drive.
- Initialize your HD using Disk Utility to Mac OS Extended (Journaled) and give it a unique name such as “10.6 Portable Workstation”
- Install OS X to this external drive. For this article we will assume OS X 10.6 is being installed.
- Boot into your newly installed OS X environment and install all Updates from Apple. This will ensure compatibility with the latest Intel Macs (10.6.x)
- Install Disk Arbitrator (free) or SoftBlock (BlackBag Technologies) to your environment so you are able to easily and graphically take control of Disk Arbitration, as well as individually control attached devices
- Install all of your favorite digital forensic tools to this drive. ‘dd’ is installed by default, but you may choose to also add other imagers, or full forensic suites. See our Mac Forensic Software page for possibilities.
Once this has been completed, you now have a portable workstation! In order to safely use it, you will need to boot from it of course. The safe method to boot from an available media on a Mac is to hold down the Option key at Power-On, which will present either the “Open Firmware Password” screen or the devices available to boot from. If an Open Firmware Password has been applied, you need to remove it to go further, using Apple’s Tech Note HT1352. (THIS RESET DOES NOT WORK FOR THE MB AIR!!!) Select your device from the disks shown and you will boot into your known environment.
You are now operating safely.
Suggestions:
- If you have chosen Disk Arbitrator, be certain it is set to run as a Login Item for your account.
- Be certain that you always create a new account for each case, and don’t keep reusing the same account for everything you do.
- Always be certain that your software write blocker of choice is operating properly before doing anything. If something appears amiss, power down and fix your Portable OS X Workstation on another Mac.
- Keep your Portable OS X Workstation up-to-date with all Apple updates. If a new Mac comes out, it likely will be running a new version of the system.
Imaging
- know your collection drive from the drives connected to the Mac originally.
- ‘dd’ is a great way to image because the resulting file can be directly mounted on your Mac, but the image file will take up an enormous amount of space
- carry a hub with you so you can connect your Portable OS X Workstation and your collection drive to one USB port, just in case that is all that is available.



