So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop, and you’re losing:
·Your favorite Linux distribution disk won’t boot,
·You spent hours taking the laptop apart only to discover the internal hard drive has a ZIF or LIF interface and you don’t have an adapter,
·The FireWire and Ethernet ports are missing,
·There is only one USB port,
·and the laptop won’t boot from your USB hub.
This documentation specifically applies to Apple’s Macbook Air models. However, the procedures outlined here should be applicable to all Intel-based Macs. When acquiring Macbook Airs, traditional acquisition methods are often challenged by the lack of external media interfaces and by software compatibility issues.
SO…WHAT’S NEXT?!?! In April 2010, Access Data released Command Line (CLI) versions of its popular FTK Imager tool. One of these versions supports Intel-based Mac OS X 10.5 and 10.6.x. I have found this tool to be a strong candidate for Mac collections. This article will explore two collection techniques that exercise this tool:
1.(Live Collection) – Acquisition of a targeted system in a live (booted) state. The FTK CLI tool is executed on the target system and the image is written to an external USB hard drive. This method is frequently used to acquire systems that cannot be taken offline or when encryption is involved.
2.(Secondary-boot Collection) – Acquisition of a targeted system from a secondary-boot device. The target system is booted from a bootable external USB hard drive containing OS X with the FTK CLI tool pre-installed. Once booted, the FTK CLI imager is executed from this device and the image is written to a separate FAT32 partition on the same USB hard drive.
Note: As a forensic practitioner, you should weigh the pros and cons of the two collection techniques and use discretion as to which method (if any) suits the requirements and needs of your engagement.
Approach 1: Live Collection – Preparation:
1.OS X does not natively support writing to NTFS or EXT volumes. Therefore, you will need to prepare an HFS+ or FAT32 formatted hard drive to write your image to. I prefer FAT32 over HFS+ because it is readily accessible from Windows.
*By following this step you are making substantial changes to the host system.
5.After you have switched to the root user, you will need to identify the source and destination hard drives for the acquisition: Ftechs-Mac-mini:~ root$ diskutil list
This will query all active disks and their partition layouts:
This information can be interpreted as follows:
"/dev/disk0" represents the first physical hard drive attached to the system. Based on its size, volume name, and partition layout, it is determined that this is the hard drive inside the system. In this example, the physical device "/dev/disk0" will be the source of the acquisition.
“/dev/disk1” represents the second physical hard drive attached to the system. Based on its size, volume name, and partition layout, it is determined that this is the destination hard drive connected to the system via USB.
On this hard drive there is one volume disk1s1 named Evidence_Drive. This is the volume we will use to write the acquisition to.
However, before you can write to a volume you need to determine what the “mount point” of the volume is. A mount point is the connection the operating system uses to interact with a volume on a hard drive.
6.Mac OS will automatically create a mount point (with full read/write permissions) when a device is attached to the system with a recognizable file system.
The mount point should be consistent with the volume name appended to /Volumes/. The mount command can be used to verify this: Ftechs-Mac-mini:~ root$ mount
This will list all volumes mounted on the system:
We see here that “/Volumes/Evidence_Drive” is the full path of the mount point for volume “disk1s1” on the destination hard drive “/dev/disk1”. This is the destination mount point.
This now establishes that we will be imaging (source): /dev/disk0 and writing our acquisition image to (destination mount point): /Volumes/Evidence_Drive
After you have determined the source and the destination mount point, navigate to the destination mount point where the FTK CLI tool resides: Ftechs-Mac-mini:~ root$ cd /Volumes/Evidence_Drive
7.Execute the following command and flags to run FTK CLI. This will acquire the source /dev/disk0 (the physical hard drive inside the computer) and save it to /Volumes/Evidence_Drive (the destination hard drive volume) in .E01 format, segmented every 4 GB, with no compression.
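Putting steps 5 through 7 together, here is an added shell example (mine, not from the post and not AccessData’s code) that pulls the destination mount point out of the mount output, refuses to proceed if the destination volume sits on the same physical disk as the source, and assembles the ftkimager command line. It assumes the CLI binary is named ./ftkimager and lives on the evidence volume, and that --e01, --frag, --compress and --verify are the flags your copy reports under ./ftkimager --help; the mount output embedded below is constructed to match the layout described in this post.

```shell
#!/bin/sh
# Added example (not from the original post): parse the destination mount point,
# guard against writing the image onto the source disk, and build the FTK Imager
# CLI command for the live collection described above.
# Assumptions: the binary is ./ftkimager on the evidence volume, and the flags
# --e01, --frag, --compress and --verify match `./ftkimager --help` on your copy.

# Constructed sample of `mount` output on the target, matching the post's layout.
SAMPLE_MOUNT='/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /Volumes/Evidence_Drive (msdos, local, nodev, nosuid, noowners)'

# mount_point_for_volume DEVNODE [MOUNT_OUTPUT]
# Prints the mount point of a volume device node such as /dev/disk1s1.
# Reads the live `mount` output unless sample text is supplied as $2.
mount_point_for_volume() {
    dev=$1
    out=${2:-"$(mount)"}
    printf '%s\n' "$out" | sed -n "s|^$dev on \(.*\) (.*$|\1|p"
}

# physical_disk DEVNODE : strip the slice suffix, e.g. /dev/disk1s1 -> /dev/disk1
physical_disk() {
    printf '%s\n' "$1" | sed 's/s[0-9][0-9]*$//'
}

# dest_is_safe SOURCE_DISK DEST_VOLUME
# Succeeds only when the destination volume lives on a different physical disk
# than the source, so the image can never be written onto the evidence itself.
dest_is_safe() {
    [ "$(physical_disk "$1")" != "$(physical_disk "$2")" ]
}

# build_ftk_cmd SOURCE DEST_DIR IMAGE_BASENAME
# Prints the acquisition command: E01 format, 4 GB segments, no compression,
# and a hash verification pass once the image is written.
build_ftk_cmd() {
    printf '%s\n' "./ftkimager $1 $2/$3 --e01 --frag 4G --compress 0 --verify"
}

# Walk-through against the constructed sample instead of a real machine.
SOURCE=/dev/disk0
DEST_VOL=/dev/disk1s1
DEST_MP=$(mount_point_for_volume "$DEST_VOL" "$SAMPLE_MOUNT")
if dest_is_safe "$SOURCE" "$DEST_VOL"; then
    echo "Would run from $DEST_MP as root:"
    build_ftk_cmd "$SOURCE" "$DEST_MP" macbook_air
else
    echo "Refusing: $DEST_VOL is on the source disk $SOURCE" >&2
fi
```

On a real target, call mount_point_for_volume with only the device node so it reads the live mount table, and run the printed command from the destination mount point as root. The --verify flag makes the tool hash the written image against the source afterwards, which is the value you want recorded in your acquisition notes.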
·One volume on which to install OS X; this will be the boot partition. A second volume to serve as a storage area for writing your image(s) to.
·I would suggest using Apple’s Disk Utility, located at /Applications/Utilities/, to prepare this drive.
3.To make the USB hard drive bootable, it must have ownership enabled.
1.Locate the 16 GB volume on your Mac desktop, right-click its icon, and select ‘Get Info’ from the pop-up menu.
2.In the Info window that opens, expand the ‘Sharing & Permissions’ section, if it’s not already expanded.
3.Click the lock icon in the bottom right corner.
4.Enter your administrator password when asked.
5.Remove the check mark from ‘Ignore ownership on this volume.’
6.Close the Info panel.
7.Once you have completed these steps, your USB hard drive will be ready for you to install OS X.
4.Install OS X - Summarized
1.Plug USB hard drive (prepared above) into Mac.
2.Put Install DVD in the Mac.
4.Choose to install OS X on the USB hard drive’s 16 GB partition, formatted as Mac OS Extended (Journaled).
5.You may want to customize the software packages that OS X will install to minimize disk space required for the installation.
5.After the install, test to make sure the Mac will boot from the secondary boot drive you just created instead of the internal hard drive. At startup, hold down the “Option” key and you will be prompted with the boot options menu.
6.Once you are booted to the USB hard drive, the secondary OSX boot drive, you will need to copy over the FTK CLI application onto it. You can use a flash drive to do this or just go online and download it if you are connected to the internet.
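As an added example (not from the post), the drive preparation above expressed with diskutil so it can be repeated the same way every time: one journaled HFS+ boot volume, a FAT32 remainder for images, ownership enabled on the boot volume, plus two checks a practitioner runs into in practice: FAT volume labels must be uppercase and at most 11 characters, and the boot volume’s mount line must not show noowners once you are booted from it. The device node /dev/disk2 is a placeholder, the format names JHFS+ and MS-DOS are assumed to be what your diskutil listFilesystems reports, and the commands are printed rather than executed unless you set DRY_RUN=0, because partitionDisk erases the entire device.

```shell
#!/bin/sh
# Added example (not the post's own procedure): command-line counterpart to the
# Disk Utility and Get Info steps for preparing the secondary-boot USB drive.
# Assumptions: the external drive is /dev/disk2 (placeholder; confirm with
# `diskutil list`, since partitionDisk wipes the whole device), and the format
# names JHFS+ and MS-DOS appear in `diskutil listFilesystems` on your Mac.
# Commands are only printed unless you run with DRY_RUN=0.
: "${DRY_RUN:=1}"

# run CMD... : print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fat_label_ok NAME : diskutil rejects FAT labels that are not uppercase
# letters, digits or underscore, or that exceed 11 characters.
fat_label_ok() {
    printf '%s' "$1" | LC_ALL=C grep -q '^[A-Z0-9_]\{1,11\}$'
}

# ownership_enabled MOUNT_LINE : a volume whose `mount` line still shows
# 'noowners' has 'Ignore ownership' set and OS X will not boot from it.
ownership_enabled() {
    case "$1" in
        *noowners*) return 1 ;;
        *) return 0 ;;
    esac
}

# prepare_drive DEV BOOT_NAME EVIDENCE_NAME BOOT_SIZE
# GPT layout: journaled HFS+ boot volume of BOOT_SIZE, FAT32 remainder (R).
prepare_drive() {
    dev=$1; boot=$2; evid=$3; size=$4
    if ! fat_label_ok "$evid"; then
        echo "bad FAT label '$evid': use uppercase, max 11 chars (e.g. EVIDENCE)" >&2
        return 1
    fi
    run diskutil partitionDisk "$dev" GPT JHFS+ "$boot" "$size" MS-DOS "$evid" R
    # Same effect as clearing 'Ignore ownership on this volume' in Get Info.
    run diskutil enableOwnership "/Volumes/$boot"
}

prepare_drive /dev/disk2 OSXBoot EVIDENCE 16G

# After rebooting from the new drive (hold Option at startup), check its mount
# line. Constructed sample lines, before and after enabling ownership:
BEFORE='/dev/disk2s2 on /Volumes/OSXBoot (hfs, local, journaled, noowners)'
AFTER='/dev/disk2s2 on /Volumes/OSXBoot (hfs, local, journaled)'
ownership_enabled "$BEFORE" || echo "BEFORE: ownership still ignored on /Volumes/OSXBoot"
ownership_enabled "$AFTER" && echo "AFTER: ownership honoured on /Volumes/OSXBoot"
```

Once booted from the USB drive, run mount and pass the line for your boot volume to ownership_enabled; if it fails, the volume still has ownership ignored and the install will not boot reliably. Keep the evidence volume label short and uppercase, since the post’s Evidence_Drive name is fine on HFS+ but too long for a FAT32 label.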
I had a small window of time the other day to image an Apple Macbook Air. It was like “my first time” so I felt it would be appropriate to do a little research about “how to turn it on” and “what buttons to press” to make sure things didn’t get sloppy ;-p
I can’t emphasize enough how important it is to go into situations with more than one option. It’s like the old saying, “Why carry a tool box if you only have one tool in it?” After a little research, I came up with a Plan A and Plan B. Not talking about the Plan B - One-Step here :-)
Before I jump into my procedures, let me note a few things:
I knew ahead of time that this Macbook Air did not have an Apple Super Drive (external CD/DVD drive). I do not have an external CD/DVD drive or Apple Super Drive in my forensic kit. Maybe I need to get one!! Furthermore, it is reported that not all USB CD/DVD drives are compatible.
The Macbook Air only has one USB port. This USB port is buried in the shell, so not all thumb drives will physically fit into it. Yes, I had this problem… What can I say, Dav Nads has a BIG USB thumb drive!!
Similar to the external CD/DVD drive issue, it is reported that some USB hubs do not let you boot from them. The one I tried was a Belkin Desktop Hub (Model F4U016), which comes with an external power supply to power the USB ports.
The Macbook Air does not have a FireWire port. Therefore, you CANNOT acquire using Target Disk Mode.
There is no eSATA port, Ethernet port, or PCMCIA slot.
Here’s what I tried:
A) Forensic Linux Boot Disk to Acquire:
We have an in-house Linux variant comparable to Helix, Knoppix, and Raptor that we use for boot acquisitions. Note that since I did not have an external CD/DVD drive, it was a requirement that I load the boot disk into RAM, because the laptop only has one USB port. I needed the one and only USB port free so I could plug in an external USB hard drive as a destination to save the image to. Our boot disk has a “Load to RAM” option which allowed me to do this. I believe others do as well.
Boot to Forensic Linux from USB thumb drive.
Load into RAM. Some boot disks have this option as noted above.
Remove USB thumb drive and plug USB storage hard drive in.
Unfortunately, the specific chipset in the Macbook Air I was acquiring from was not compatible with my Linux boot disk. I found this interesting because it worked for a colleague a few months ago on an earlier MacBook Air model which was also Intel-based. Regardless, it was on to Plan B. I will note here that I have heard Raptor works well booting in Mac environments. However, I did not have time to try it in the field and I do not think it has the option to load into RAM.
Here is what I did:
B) Remove Hard Drive:
Before you get started, note that for Rev A Macbook Airs I would expect you to find a PATA ZIF hard drive. For Rev B and C, you should find a SATA LIF hard drive.
Unfortunately, I have not found an adapter yet for LIF interfaces. So stop reading here if you know that is what you’re working with. The only place I have seen an adapter advertised for purchase is here, but it has always been out of stock. I was recently told that LIF adapters could also be purchased here, but I have not personally verified this. If you don’t have an adapter to interface with LIF and are now looking for a Plan C, check back for my next post on FTK’s CLI tool for OS X.
There is an excellent tutorial, written by Lee Whitfield, on Forensic 4cast documenting how to remove the hard drive from a Macbook Air. This can be found here. Alternatively, there are a number of videos on YouTube. This is the one I watched.
Whenever I take something apart, I like to draw a picture of where I extracted each piece/screw from. Something that may come in handy when putting it back together! It’s also not a bad idea to tape the screws to the piece of paper. I actually had an experience where a person knocked the screws over once and I had to be real creative about putting the laptop back together. Live and learn LOL.
If the laptop has an SSD hard drive, you will need a ZIF adapter. I recommend the one that Tableau sells (now owned by Guidance Software). If you use this one, it must be connected this way: To image a Samsung 1.8" drive, connect the Tableau TC20-3-2 ZIF cable to the adapter label face-up. Then connect the cable to the Samsung 1.8" drive, positioning the drive label face-up.
Image the hard drive externally using hard drive duplicator or your tool of choice.
Put it back together!!
I will note that it has been reported that some Linux boot disks may temporarily disable or render the one USB port inactive. To reset the USB port, make sure the Mac is turned off. Press and hold the following keys on the keyboard: Shift, Control, Option (all on the bottom left side of the keyboard), and press and hold the Power button (top right of the keyboard). Hold for about 5 seconds and then release them all. You will not see any indication that anything happened. Try to boot from the external drive again.
I will document another collection option using FTK Imager CLI for OSX in my next post.