wordup cyber geek girlz.. welcome to NIBBLE on DAV NADS!! This is my palace on the .com domain where i build connectors from connections, plug universal plugs into adapters, convert binary input into burberry output, and port gigabytes into jigabytes. LOL whaat! 2 ya'll hax0rs, start logging yo girlz keyz cause your @Myspace. Wer we spinning platters and pulling magnetic chatters. Dav nads speaks geek for chic and means tweak for twitter. Spread the google wave, followers!
So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop, and you’re losing:
·Your favorite Linux distribution disk won’t boot,
·You spent hours taking the laptop apart only to discover the internal hard drive has a ZIF or LIF interface and you don’t have an adapter,
·The FireWire and Ethernet ports are missing,
·There is only one USB port,
·And the laptop won’t boot from your USB hub.
This documentation specifically applies to Apple’s Macbook Air models; however, the procedures outlined here should apply to all Intel-based Macs. When acquiring Macbook Airs, traditional acquisition methods are often frustrated by the lack of external media interfaces and by software compatibility issues.
SO…WHAT’S NEXT?!?! In April 2010, AccessData released command line (CLI) versions of its popular FTK Imager tool. One of these versions supports Intel-based Mac OS X 10.5 and 10.6.x. I have found this tool to be a strong candidate for Mac collections. This article will explore two collection techniques that exercise this tool:
1.(Live Collection) – Acquisition of a targeted system in a live (booted) state. The FTK CLI tool is executed on the target system and the image is written to an external USB hard drive. This method is frequently used to acquire systems that cannot be taken offline or when encryption is involved.
2.(Secondary-boot Collection) – Acquisition of a targeted system from a secondary-boot device. The target system is booted from a bootable external USB hard drive containing OS X with the FTK CLI tool pre-installed. Once booted, the FTK CLI imager is executed from this device and the image is written to a separate FAT32 partition on the same USB hard drive.
Note: As a forensic practitioner, you should weigh the pros and cons of the two collection techniques and use discretion as to which method (if any) suits the requirements and needs of your engagement.
Approach 1: Live Collection – Preparation:
1.OS X does not natively support writing to NTFS or EXT volumes. Therefore, you will need to prepare an HFS- or FAT32-formatted hard drive to write your image to. I prefer FAT32 over HFS because it is readily accessible from Windows.
*By following this step you are making substantial changes to the host system.
5.After you have switched users to root, you will need to identify the source and destination hard drives for the acquisition:
Ftechs-Mac-mini:~ root$ diskutil list
This will query all active disks and their partition layouts:
This information can be interpreted as follows:
"/dev/disk0" represents the first physical hard drive attached to the system. Based on its size, volume name, and partition layout, it is determined that this is the hard drive inside the system. In this example, the physical device "/dev/disk0" will be the source of the acquisition.
“/dev/disk1” represents the second physical hard drive attached to the system. Based on its size, volume name, and partition layout, it is determined that this is the destination hard drive connected to the system via USB.
On this hard drive there is one volume, disk1s1, named Evidence_Drive. This is the volume we will write the acquisition to.
However, before you can write to a volume you need to determine what the “mount point” of the volume is. A mount point is the connection the operating system uses to interact with a volume on a hard drive.
6.Mac OS will automatically create a mount point (with full read/write permissions) when a device is attached to the system with a recognizable file system.
The mount point should be the volume name appended to /Volumes/. The mount command can be used to verify this:
Ftechs-Mac-mini:~ root$ mount
This will list all volumes mounted on the system:
We see here that “/Volumes/Evidence_Drive” is the full path of the mount point for volume “disk1s1” on the destination hard drive “/dev/disk1”. This is the destination mount point.
This now establishes that we will be imaging (source): /dev/disk0 and writing our acquisition image to (destination mount point): /Volumes/Evidence_Drive
After you have determined the source and the destination mount point, navigate to the destination mount point where the FTK CLI tool resides:
Ftechs-Mac-mini:~ root$ cd /Volumes/Evidence_Drive
7.Execute FTK CLI with the following command and flags. This will acquire the source /dev/disk0 (the physical hard drive inside the computer) and save it to /Volumes/Evidence_Drive (the destination hard drive volume) in .E01 format, fragmented every 4 GB with no compression:
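As an added example (my own helper script, not code from the original post or from AccessData), a small POSIX shell script that automates the checks in steps 5 and 6: it reads the mount point of the destination volume out of `mount` output, refuses to proceed if that volume is a slice of the disk being acquired, and then prints the FTK CLI command line for step 7. The `ftkimager` flag names are my assumption about the tool and should be confirmed against its help output before use.

```shell
#!/bin/sh
# Constructed sample of `mount` output in the Mac OS X format (not captured from a real system).
SAMPLE_MOUNT='/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /Volumes/Evidence_Drive (msdos, local, nodev, nosuid, noowners)'

# mount_point_of DEVNODE [MOUNT_OUTPUT]: print the mount point of a volume device node,
# e.g. /dev/disk1s1 -> /Volumes/Evidence_Drive. Reads live `mount` output if none is given.
mount_point_of() {
    dev="$1"; out="${2:-$(mount)}"
    printf '%s\n' "$out" | sed -n "s|^$dev on \(.*\) (.*|\1|p" | head -n 1
}

# disk_of DEVNODE: strip the slice suffix to get the physical disk, /dev/disk1s1 -> /dev/disk1.
disk_of() {
    printf '%s\n' "$1" | sed 's/s[0-9][0-9]*$//'
}

# check_destination SRC_DISK DEST_VOL [MOUNT_OUTPUT]: succeed (and print the mount point)
# only when DEST_VOL is mounted and sits on a different physical disk than SRC_DISK,
# so the image can never be written onto the drive being acquired.
check_destination() {
    src="$1"; vol="$2"; out="${3:-$(mount)}"
    mp=$(mount_point_of "$vol" "$out")
    if [ -z "$mp" ]; then
        echo "destination $vol is not mounted" >&2; return 1
    fi
    if [ "$(disk_of "$vol")" = "$src" ]; then
        echo "destination $vol is a slice of the source disk $src" >&2; return 1
    fi
    printf '%s\n' "$mp"
}

# ftkimager_cmd SRC DEST_DIR BASENAME: print the acquisition command described in step 7
# (E01 output, 4 GB fragments, no compression, verify after imaging). The flag spellings are
# my assumption about the FTK Imager CLI; confirm them against `ftkimager --help` first.
ftkimager_cmd() {
    printf 'ftkimager %s %s/%s --e01 --frag 4G --compress 0 --verify\n' "$1" "$2" "$3"
}

# Stand-alone demonstration on the constructed sample: prints the command, runs nothing.
if dest=$(check_destination /dev/disk0 /dev/disk1s1 "$SAMPLE_MOUNT"); then
    ftkimager_cmd /dev/disk0 "$dest" macbook_air
fi
```

On a real system, drop the third argument so the functions read the live `mount` output, and only run the printed command after confirming the flags with the tool's own help.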
Approach 2: Secondary-boot Collection – Preparation:
·One volume on which to install OS X; this will be the boot partition. The second volume is a storage area that can be used to write your image(s) to.
·I would suggest using Apple’s Disk Utility, located in /Applications/Utilities/, to prepare this drive.
3.To make the USB hard drive bootable, it must have ownership enabled.
1.Locate the 16 GB volume on your Mac desktop, right-click its icon, and select ‘Get Info’ from the pop-up menu.
2.In the Info window that opens, expand the ‘Sharing & Permissions’ section, if it’s not already expanded.
3.Click the lock icon in the bottom right corner.
4.Enter your administrator password when asked.
5.Remove the check mark from ‘Ignore ownership on this volume.’
6.Close the Info panel.
7.Once you have completed these steps, the USB drive will be ready for you to install OS X.
4.Install OS X - Summarized
1.Plug the USB hard drive (prepared above) into the Mac.
2.Put the Install DVD in the Mac.
4.Choose to install OS X on the 16 GB partition of the USB hard drive, formatted Mac OS Extended (Journaled).
5.You may want to customize the software packages that OS X will install to minimize disk space required for the installation.
5.After the install, test to make sure the Mac will boot from the secondary boot drive you just created instead of the internal hard drive. At startup, hold down the “Option” key and you will be prompted with the boot options menu.
6.Once you are booted to the USB hard drive (the secondary OS X boot drive), you will need to copy the FTK CLI application onto it. You can use a flash drive to do this, or just download it if you are connected to the internet.