Wednesday, August 18, 2010

FTK Imager (for OS X) to the Rescue

So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop and you’re losing;

·         Your favorite Linux distribution disk won’t boot,
·         You spent hours taking the laptop apart only to discover the internal hard drive has a ZIFF or LIF interface and you don’t have an adapter,
·         The Firewire and Ethernet ports are missing,
·         there is only one USB port,
·         and the laptop won’t boot from your USB hub.

This documentation specifically applies to Apple’s Macbook Air models. However, the procedures outlined here should be applicable to all Intel-based Macs. When acquiring Macbook Airs traditional acquisition methods can often be challenged by the lack of external media interfaces and software compatibility issues. 
SO…WHAT’S NEXT?!?! In April 2010, Access Data released Command Line (CLI) versions of its popular FTK Imager tool. Supported by one of the versions are Intel-based Mac OS versions 10.5 and 10.6x. I have found this tool to be a strong candidate for Mac collections. This article will explore two collection techniques that exercise this tool:

1.     (Live Collection) – Acquisition of a targeted system in a live (booted) state. FTK CLI tool is executed from target’s system and image is written to external USB hard drive. This method is frequently used to acquire systems that cannot be taken offline or when encryption is involved.

2.     (Secondary-boot Collection) – Acquisition of a targeted system from a secondary-boot device. Target’s system is booted from a bootable external USB hard drive containing OS X and pre-installed with the FTK CLI tool. Once booted FTK CLI imager is executed from this device and image is written to the same USB hard drive in a separate partition FAT32 partition.

Note: As a forensic practitioner, you should weigh the pros and cons of the two collection techniques and use discretion to what method (if any) suits the requirements and needs of your engagement.

Approach 1: Live Collection – Preparation:

1.     OS X does not natively support writing to NTFS or EXT volumes. Therefore, you will need to prepare a HSFS or FAT32 formatted hard drive to write your image too. I prefer FAT32 over HFS because it is readily accessible from Windows.

If you decide to go the HFS route, there is a tool called MacDrive that will allow full read/write to HFS from Windows (

2.     Download and extract “ImagerCLI” from Access Data onto the external device:

File: Mac/FTK ImagerCLI
Supports: Mac OS 10.5 and 10.6x
MD5: 5b33f0ec0c6d5096371f07d19cc698de

Approach 1: Live Collection – Getting Started:

1.     If applicable, power on the device and log in.

2.     Plug in the USB hard drive you have prepared as the destination drive.

3.     Open the console application located in:            /Applications/Utilities/Console

This is a window into the other side of OS X. All commands hereafter will be issued from the console.

4.     Switch to user “root”: Ftechs-Mac-mini:~ ftech$  Su root

Root privileges are needed for FTK CLI to interact with the host device. You will be prompted for the root password.

*Note 1: The default Mac OS X installation has the "root" account disabled. To enable it, follow the steps here:

*Note 2: If you don’t know the root password you can try this to reset it,

*By following this step you are making substantial changes to the host system.

5.     After you have switched users to root, you will need to  identify the source and destination hard drives for acquisition:            Ftechs-Mac-mini:~ root$ diskutil list

This will query all active disks and their partition layouts:
            This information can be interpreted as follows:

"/dev/disk0" is representative of the first physical hard drive (attached to the system). It is determined based on size, volume name, and partition layout that this is the hard drive inside of the system. In this example, the physical device, "/dev/disk0" will be the source of the acquisition.  

/dev/disk1is representative of the second physical hard drive (attached to the system). It is determined based on size, volume name, and partition layout that this is destination hard drive connected via USB to the system.

On this hard drive there is one volume disk1s1 named Evidence_Drive. This is the volume we will use to write the acquisition to.

However, before you can write to a volume you need to determine what the “mount point” of the volume is. A mount point is the connection the operating system uses to interact with a volume on a hard drive.

6.     Mac OS will automatically create a mount point (with full read/write permissions) when a device is attached to the system with a recognizable file system.

The mount point should be consistent with the volume name appended to /Volumes/. The mount command can be used to verify this:  Ftechs-Mac-mini:~ root$  Mount

This will list all volumes mounted on the system:

We see here that “/Volumes/Evidence_Driveis the full path of the mount point for volume “disk1s1” on the destination hard drive “/dev/disk1”. This is the destination mount point.

This now establishes that we will be imaging (source): /dev/disk0 and writing our acquisition image to (destination mount point): /Volumes/Evidence_Drive

After you have determined the source and destination mount point, navigate to the destination mount point where the FTK CLI took resides: Ftechs-Mac-mini:~ root$ cd /Volumes/Evidence_Drive

7.     Execute the following command and flags to execute FTK CLI. This will acquire the source /dev/disk0 (physical hard drive inside of the computer) and save to /Volumes/Evidence_Drive (on the destination hard drive volume) in .EO1 format and fragment every 4 GB with no compression

Ftechs-Mac-mini:~ root$ ./ftkimager /dev/disk0 /Volumes/Evidence_Drive/imagename –e01 –frag 4G –compress 0

A full list of usage and options can be viewed on the man page. This can accessed from the command by: Ftechs-Mac-mini:~ root$ ./ftkimager help

Approach 2: Secondary-boot Collection – Preparation:

1.     Before you start you will need:

·         An Intel-based Mac to use (examiner maEV0ne),
·         OS X 10.5.x or later installation DVD,
·         and a large enough external USB hard drive to install both OS X onto and contain the image(s) of the collection (apx. 320 gb +).

2.     You will need to partition the USB hard drive with two volumes:

1.     Volume 1 - Boot: Approximately 16 GBs formatted OS X Extended (Journaled)

2.     Volume 2 - Storage Area: Remainder of drive formatted Fat 32 

Partition Layout Example:

·         One volume to install OSX which will be the boot partition. The second volume as a storage area that can be used to write your image(s) to.

·         I would suggest using Apple’s Disk Utility, located at /Applications/Utilities/, to prepare this drive.

3.     To make the USB hard drive bootable it must have ownership enabled.

1.     Locate the 16 GB volume on your Mac desktop, right-click its icon, and select ‘Get Info’ from the pop-up menu.

2.     In the Info window that opens, expand the ‘Sharing & Permissions’ section, if it’s not already expanded.

3.     Click the lock icon in the bottom right corner.

4.     Enter your administrator password when asked.

5.     Remove the check mark from ‘Ignore ownership on this volume.’

6.     Close the Info panel.

7.     Once you complete, your USB flash drive will be ready for you to install OS X.

4.     Install OS X - Summarized

1.     Plug USB hard drive (prepared above) into Mac.

2.     Put Install DVD in the Mac.

3.     Reboot.

4.     Choose to install OS X on the USB hard drive 16 GB partition, OSX Journaled Extended.

5.     You may want to customize the software packages that OS X will install to minimize disk space required for the installation.

5.     After install, test to make sure the Mac will boot from the secondary boot drive you just created instead of the internal hard drive. At start up hold down the “Option” key and you will be prompted with the boot options menu.

6.     Once you are booted to the USB hard drive, the secondary OSX boot drive, you will need to copy over the FTK CLI application onto it. You can use a flash drive to do this or just go online and download it if you are connected to the internet.

7.     The default Mac OS X installation has the "root" account disabled. Enable it by following the steps listed here:

8.     Your secondary OSX boot drive is now created and has FTK CLI on it.

Approach 2: Secondary-boot Collection – Getting Started:

1.     Plug the secondary OSX boot drive you created above into the Mac maEV0ne you would like to acquire.

2.     Start the Mac up holding down the Option key at start up to get to the boot options menu. Select to boot to the external secondary OSX boot drive.

3.     Once booted, follow the steps listed above starting in Approach 1.3. In summary:

a.     Go to console.
b.    Switch to user root.
c.     As illustrated below, identify the physical source hard drive (hard drive inside of the computer)
d.    As illustrated below, identify the destination hard drive, volume, and mount point of the FAT32 storage-area volume on the Secondary-boot hard drive.

Attached disks:

Mounted devices:

e.     Navigate to the location of the FTK CLI tool and execute the command with the proper usage and flags.

Ftechs-Mac-mini:~ root$ ./ftkimager /dev/disk0 /Volumes/EV0-09027_F/imagename –e01 –frag 4G –compress 0