Acquisition

Once you have decided that an image of a Macintosh is necessary, there are many valid and forensically sound methods for acquiring a complete physical image of a Macintosh computer. This page will serve as an outline of the methods available.

Be sure to reference the Disk Arbitration page when utilizing a Mac as your imaging platform.

Target Disk Mode
Apple builds Target Disk Mode, a technology found on no other personal computer, into all late-model Macintosh computers. It lets the Macintosh behave as an external Firewire (or Thunderbolt) hard drive, exposing the contents of its internal disk to another computer. Apple's support website, Article HT1661, lists the Macintosh models that support it.

In summary, Target Disk Mode is available on Macs that have Firewire or Thunderbolt ports. Legacy products with SCSI ports may also support this feature. A plain USB port cannot be used for Target Disk Mode on the models the article covers.

For Target Disk Mode on the Xserve, see our Reference Guide.

Apple provides an important "Tip" in Article HT1661 regarding Target Disk Mode. It reads as follows:

Tip: FireWire Target Disk Mode works on internal ATA drives only. Target Disk Mode only connects to the master ATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI or SCSI drives.



What this note means to us: the Power Mac, Mac Pro and Xserve all support multiple internal hard drives. If one of these models contains multiple ATA drives, Target Disk Mode exposes only the "master" drive. The Power Mac shipped with IDE as standard and SCSI as an option. Mac Pros and Xserves ship with SATA or SAS drives, and those all appear in Target Disk Mode. If additional SCSI or IDE drives have been installed, Target Disk Mode may not present the whole picture, so inventory the installed drives before relying on it.

Once you have determined that Target Disk Mode is for you, here is how to use it:

  1. Power on the Macintosh and IMMEDIATELY hold down the Option key.
  2. The Macintosh boots to either the "Startup Manager" or the "Firmware Password" prompt.
  3. If you are shown the bootable partitions, you have reached the Startup Manager and no firmware password is set. Power off the Mac by holding down the Power button until it shuts down.
  4. If you are shown a lock icon with a password field, a Firmware Password is set. See "Firmware Password" below.
  5. Once you have shut down the Mac and confirmed that Target Disk Mode will be available, power it back on and this time immediately hold down the "T" key.
  6. A Firewire and/or Thunderbolt symbol should now float around the screen, indicating that the Macintosh is in Target Disk Mode. Only now, with Disk Arbitration disabled or a write blocker in line on the acquisition side (see below), connect the proper cable between the target Mac and your acquisition computer.

Cable Tip: Thunderbolt Macs can use Apple's Thunderbolt to Firewire 800 adapter. The adapter is bidirectional, so it permits a Firewire acquisition from a Mac that has no Firewire port of its own.

Firmware Password
You cannot boot to Target Disk Mode until this password is removed. On older Macs the Firmware Password can be cleared by changing the amount of physical RAM installed and then resetting the PRAM. This also resets the clock, so weigh the consequences for your own case before doing it. Newer Macintoshes do not honor such resets and require a visit to the Apple Genius Bar or other Apple-certified technical assistance.


Windows Tip for Target Disk Mode Acquisitions
Windows users have long been plagued by Macs in Target Disk Mode not showing up as a device. The fix is to remove the 1394 (Firewire) enumeration key with Regedit. Here is how:

In Windows (of course)
  1. Click on Start -> Run, type "regedit" and click OK.
  2. In Regedit, navigate to the key "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum", export it first so it can be restored, then delete the subkey named "1394".
  3. Exit Regedit.

Changes to the Registry take effect immediately, so there should be no need to reboot. The 1394 key is recreated as Firewire devices are connected.

What should your Acquisition computer be?

A Mac
  • If you choose a Mac, it should be a Mac on which you have successfully disabled Disk Arbitration. Once Disk Arbitration is disabled, you can use dd (or any of its derivatives) or MacQuisition to perform the acquisition. This is the ideal scenario because of CoreStorage: only OS X can properly recognize and give access to all logical structures of a CoreStorage volume.

A PC
  • If you choose a PC running Windows, you will need a hardware write-blocking device. Every version of Windows will write to a Mac in Target Disk Mode if the Mac has a FAT32 partition, and every version that supports NTFS will write to an NTFS partition. Once the TDM Macintosh is write-blocked, acquire with your favorite tool, including the freely available FTK Imager.

Linux boot CDs
  • If you choose a Linux boot CD as your preferred method, you can boot either a PC or a Mac. You will need to consider media recognition and auto-mounting: ensure the Linux host does not auto-mount the Mac. Freely available Live CD distributions that have been modified to be forensically sound guard against such detrimental actions. Live CD distributions typically allow installation to a hard drive, so you can build a Linux-based acquisition computer from one.
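As an added example (not part of the original page), the following POSIX shell functions implement the auto-mount check a Linux acquisition host needs before the Target Disk Mode Mac is touched, and then mark the device read-only at the block layer. The function names, and the /proc/self/mounts-style listing the demo builds, are assumptions for illustration; blockdev is the standard Linux utility and is only invoked when present.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a Linux
# acquisition host has not auto-mounted the evidence disk, then mark the
# device read-only at the block layer. Function names are assumptions;
# the mounts listing the demo builds is constructed, in the format of
# /proc/self/mounts (source, mount point, type, options, dump, pass).
set -u

# mounted_from DEV [MOUNTS_FILE]
# Print every mount whose source is DEV or one of its partitions
# (/dev/sdb matches /dev/sdb1, /dev/nvme0n1 matches /dev/nvme0n1p2).
# Returns 0 if anything is mounted, 1 if nothing is, 2 if MOUNTS_FILE
# cannot be read (treat 2 as "unknown", never as "safe").
mounted_from() {
    dev=$1; mounts=${2:-/proc/self/mounts}
    [ -r "$mounts" ] || { echo "cannot read $mounts" >&2; return 2; }
    awk -v d="$dev" '
        index($1, d) == 1 { print $1 " on " $2 " type " $3 " (" $4 ")"; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$mounts"
}

# lock_device DEV
# Refuse if DEV is mounted or its state is unknown (an auto-mount may
# already have replayed a journal or written metadata); otherwise set the
# device read-only with blockdev and verify the flag took effect.
lock_device() {
    dev=$1
    rc=0
    mounted_from "$dev" || rc=$?
    if [ "$rc" -ne 1 ]; then
        echo "refusing: $dev is mounted or its state is unknown" >&2
        return 1
    fi
    command -v blockdev >/dev/null 2>&1 || { echo "blockdev missing" >&2; return 1; }
    blockdev --setro "$dev" || return 1
    [ "$(blockdev --getro "$dev")" = 1 ]
}

# demo_constructed_mounts: write a sample mounts table in which the
# evidence disk /dev/sdb has been auto-mounted, and run the check on it.
# Returns 0 when /dev/sdb is flagged and /dev/sdc is reported clean.
demo_constructed_mounts() {
    sample=$(mktemp) || return 1
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        '/dev/sdb2 /media/Macintosh\040HD hfsplus rw,relatime 0 0' \
        'tmpfs /run tmpfs rw,nosuid 0 0' >"$sample"
    mounted_from /dev/sdb "$sample" || { rm -f "$sample"; return 1; }
    if mounted_from /dev/sdc "$sample"; then rm -f "$sample"; return 1; fi
    rm -f "$sample"
    return 0
}
```

Run lock_device as root against the evidence device (for example /dev/sdb) before starting any imaging tool; if it refuses, unmount the listed volumes, re-run it, and only then proceed. On a Mac acquisition host the equivalent precaution is the Disk Arbitration page referenced above.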

What file format should you acquire to?

Of course this is a personal choice but consider this:
  • A raw image, such as the one produced by dd, is the file format most widely accepted by analysis tools. Although it is uncompressed, the resulting file can be compressed and split to fit whatever archival media you use.
  • A raw image can be mounted directly on a Macintosh as a virtual disk. Other formats are not directly supported until additional software is installed on the Macintosh (for example, the EnCase Expert Witness File Format, which the "libewf" project supports). BlackBag Technologies' "BlackLight" includes an application called "EWMounter" that adds the needed support and allows read-only virtual mounting of E01 evidence files.
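An added example (not the page's own code) of the raw acquisition and archiving described in the "A Mac" bullet and in the two points above: dd with hash verification, then splitting the image and verifying the reassembled stream. acquire_raw, split_and_verify and the constructed sample source are assumptions for illustration; on a real case the source would be the Target Disk Mode device (for example /dev/rdisk2 on a Mac with Disk Arbitration disabled) and the destination a file on the examiner's drive. The example also demonstrates a padding trap the page does not mention: with conv=sync, a block size larger than the device sector size pads the final block with NULs and the image hash will not match the source.

```shell
#!/bin/sh
# Added example (not from the original page): a dd-style raw acquisition
# with hash verification, plus a split/reassembly check for archiving.
# The function names and the constructed sample "disk" below are
# illustrative assumptions; on a real case SRC would be the Target Disk
# Mode device, e.g. /dev/rdisk2 on a Mac with Disk Arbitration disabled.
set -u

# sha256 of stdin, portable across macOS (shasum) and Linux (sha256sum).
sha256_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{ print $1 }'
    else
        shasum -a 256 | awk '{ print $1 }'
    fi
}
sha256_of() { sha256_stream <"$1"; }

# acquire_raw SRC DST LOG [BS]
# Copy SRC to DST block by block, hash both sides and append the result
# to LOG. Returns 0 only when the image hash matches the source hash.
# BS defaults to 512: conv=sync pads a short or failed read to a full
# block, so any BS larger than the device's sector size pads the tail of
# the image with NULs and the hashes will not match (see the demo).
acquire_raw() {
    src=$1; dst=$2; log=$3; bs=${4:-512}
    printf 'acquire source=%s image=%s bs=%s\n' "$src" "$dst" "$bs" >>"$log"
    # noerror: continue past unreadable blocks; sync: write NULs in their
    # place so every later byte keeps its original offset in the image.
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    printf 'sha256 source=%s\nsha256 image=%s\n' "$src_hash" "$dst_hash" >>"$log"
    [ "$src_hash" = "$dst_hash" ]
}

# split_and_verify IMAGE PREFIX CHUNK_BYTES
# Split IMAGE into CHUNK_BYTES pieces (PREFIX.aa, PREFIX.ab, ...), then
# stream the pieces back in order and confirm the hash is unchanged.
split_and_verify() {
    image=$1; prefix=$2; chunk=$3
    split -b "$chunk" "$image" "$prefix." || return 1
    whole=$(sha256_of "$image")
    joined=$(cat "$prefix".?? | sha256_stream)
    [ "$whole" = "$joined" ]
}

# byte_size FILE: size in bytes, without the leading spaces BSD wc prints.
byte_size() { wc -c <"$1" | tr -d ' '; }

# demo_on_constructed_disk: build a 2050-sector (1,049,600 byte) sample
# source from /dev/urandom, image it, split the image into 512 KiB
# pieces, then show the block-size padding trap. Returns 0 if all pass.
demo_on_constructed_disk() {
    work=$(mktemp -d) || return 1
    head -c 1049600 /dev/urandom >"$work/src" || return 1

    acquire_raw "$work/src" "$work/image.dd" "$work/acq.log" || return 1
    [ "$(byte_size "$work/image.dd")" = 1049600 ] || return 1
    split_and_verify "$work/image.dd" "$work/image.dd.part" 524288 || return 1

    # Same source with bs=1 MiB: the last partial block is padded, so the
    # image grows to 2,097,152 bytes and verification correctly fails.
    if acquire_raw "$work/src" "$work/padded.dd" "$work/acq.log" 1048576; then
        return 1
    fi
    [ "$(byte_size "$work/padded.dd")" = 2097152 ] || return 1

    cat "$work/acq.log"
    rm -rf "$work"
    return 0
}
```

Keep the log beside the image: it records the block size, the dd record counts (including any read errors dd reported) and both hashes. To examine the resulting raw image on the analysis Mac without mounting any volume, hdiutil attach -imagekey diskimage-class=CRawDiskImage -readonly -nomount image.dd attaches it read-only as a /dev/diskN device.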

What to do if Target Disk Mode is not an Option?

Without Target Disk Mode, you will need to either remove the internal storage, or utilize a bootable imaging solution.

Removal of storage from most Macs is covered very well at the website: www.iFixIt.com

Bootable solutions include BlackBag Technologies' imaging and live response tool, MacQuisition, and Linux boot CDs. These solutions boot the target Macintosh from media that carries its own operating system and perform the acquisition to an external hard drive.

Linux boot CDs include (but not limited to):
  • Paladin from Sumuri LLC
  • Raptor from Forward Discovery (Intel and PPC versions available) - Ubuntu Linux based
  • ASR Data’s SMART - Ubuntu and Slackware Linux based
  • E-Fense Helix v2 - Ubuntu based
  • Subrosasoft's MacForensicsLab, which provides a bootable DVD containing Mac OS X with the proper modifications - Mac OS X based

What happens when the LiveCD fails?
Linux LiveCDs are only as good as the kernel and driver updates on them, and this applies to every Mac or PC you try to boot with them. For Macs, the Linux community often cannot keep a current LiveCD available for the newest or the oldest models. Fortunately, there is an answer for this as well.
  • BlackBag MacQuisition - MacQ is a USB flash drive that is Mac OS X based. It offers a GUI and command line boot for widest compatibility with Macs.

Begin Imaging
You will need an external hard drive larger than the internal disk of the target Mac to guarantee enough space for the acquisition to complete. To boot from your forensic media, use the following steps:

  1. Power on the Macintosh and IMMEDIATELY hold down the Option key.
  2. The Macintosh boots to either the "Startup Manager" or the "Open Firmware Password" prompt.
  3. If you are shown the bootable partitions, you have reached the Startup Manager. Insert your acquisition media. If it does not appear automatically, click the rescan arrow.
  4. If you are shown a lock icon with a password field, an Open Firmware Password is set. You cannot boot from your media until this password is removed; see "Firmware Password" above.
  5. If you have determined that you can boot from a Live CD, connect your external drive now, before booting from the Live CD.
  6. Select your Live CD to boot from.

Note: your external hard drive must be formatted so that your destination analysis machine can read its contents! If you acquire the Mac using a Live CD, you can use an external drive formatted Mac OS Extended (journaling disabled), NTFS or FAT32. Keep in mind that FAT32 cannot hold a single file larger than 4 GB, so a raw image written to a FAT32 drive must be split into pieces below that limit. If you acquire to a Mac OS Extended file system and then connect the drive to a Windows system, Windows will not be able to read it (MacDrive for Windows fixes this, but it costs money).

What if a Live CD and MacQuisition both are not options?

Here, you are probably stuck taking the Mac apart to gain access to the physical hard drive(s). A fabulous resource for taking apart Macs is the iFixit website (www.ifixit.com), whose step-by-step guides show you, down to the last screw, how to remove the hard drives from every Macintosh model made. With the hard drive removed, you are free to acquire it using any write-blocked method you would traditionally use for any other hard drive.


