dfm covers
 
 

Imaging the MacBook Air

Written by DFM team

Mac Forensics always starts with imaging the device. This article is a short synopsis of imaging Macs and the challenges of the new MacBook Air  

Sean Morrissey writes


Imaging Macs has been quite easy over the years. Drives could be extracted, use of fi rewire processes and there were numerous Linux boot CD’s that could image the internal SATA and Solid State Drives. When it came to removing the drives from Macs, iMacs, MacBooks, and MacBook Pros, the ease of removal was variable in complexity depending upon the engineering design of the device. Some were as simple as removing a few screws whilst others required that the whole Mac literally had to be taken apart.


Some thought that the new unibody construction of MacBook Pros would be diffi cult to remove drives when in fact it became very simple. The one Mac that had given me heartburn when first released was the MacBook Air; however industrious forensicators soon came up with processes and methods for imaging this new Mac Notebook. The use of Linux CDs, removing drives, zif adapters, all became the way of imaging Macs. The emergence of the MacBook Air gave the promise of what was once challenging to become a lot simpler even with only having one USB port. 


In October 2010, Steve Jobs introduced the world the New MacBook Air. The devices were thin and fast with the speed coming from it’s new solid state drive (SSD), the mSATA drive that at first glimpse looked similar to a SATA dimm drive that was starting to make their appearance on the computer landscape.


This gave the MacBook Air remarkable speed with boot ups taking in the region of 8 seconds, shutdowns even faster and “Instant On” became the new buzzword however this threw digital forensics a curveball. This new drive wasn’t something that could be removed and imaged at this time. In time I am sure there will be an adapter that will allow hardware imaging to be carried out, using present forensic tools.


To preface my testing, I wanted to test all known methods of imaging the previous editions of the Macs and the previous MacBook Airs, these were:

• Fire Wire Target Disk Mode – The MacBook Air never had a Fire Wire port, making this method impossible.

• Linux Boot CDs

• MacQuisition

• Windows Based tools


The previous edition of the MacBook Air were relatively simple, LinuxCDs like SPADA and Raptor were used in conjunction with USB hubs and external storage devices. The Linux CDs all had GUI based applications that made imaging the old MacBook Air very simple. Also the ability to removal the internal storage in its various forms was not diffi cult and could be investigated by using write blockers, adapters, and free imaging tools Like Access Data’s FTK Imager and Guidance Software’s Encase in Acquisition mode.


The New MacBook Air didn’t seem that easy in regards to the type in internal storage deployed. So it was first back to the Linux boot CD’s and so began my trek on imaging the new MacBook Air.


Read more on this subject - and Apple forensics - in Issue 7 of DFM - out now - login or subscribe today!


 
Please make cache directory writable.
 

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Andrew Harbison

Andrew Harbison is a Director and IT Forensics Lead at Grant Thornton

 

Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 38 on sale from February 2019:


Crowd Sourcing Digital Evidence The Risk v The Reward

All digital devices used today can be considered as a potential source for digital evidence. Andrew Ryan investigates the current state in the art of crowd sourced digital evidence. Read More »

Recovery of Forensic Artifacts from Deleted Jump-List in Windows 10

Jump-Lists are widely discussed in forensics community since the release of Windows 7 and are having more capabilities to reveal forensics artifacts in Windows 10. Read More »

Subscribe today


Operacion Bitcoin

The article is an actual case study of an Interpol investigation carried out in association with CertUY that has been ongoing for some months. It is written by the first hacker sent to prison in Uruguay who is currently out on bail pending sentencing. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue