dfm covers

Imaging the MacBook Air

Written by DFM team

Mac Forensics always starts with imaging the device. This article is a short synopsis of imaging Macs and the challenges of the new MacBook Air  

Sean Morrissey writes

Imaging Macs has been quite easy over the years. Drives could be extracted, use of fi rewire processes and there were numerous Linux boot CD’s that could image the internal SATA and Solid State Drives. When it came to removing the drives from Macs, iMacs, MacBooks, and MacBook Pros, the ease of removal was variable in complexity depending upon the engineering design of the device. Some were as simple as removing a few screws whilst others required that the whole Mac literally had to be taken apart.

Some thought that the new unibody construction of MacBook Pros would be diffi cult to remove drives when in fact it became very simple. The one Mac that had given me heartburn when first released was the MacBook Air; however industrious forensicators soon came up with processes and methods for imaging this new Mac Notebook. The use of Linux CDs, removing drives, zif adapters, all became the way of imaging Macs. The emergence of the MacBook Air gave the promise of what was once challenging to become a lot simpler even with only having one USB port. 

In October 2010, Steve Jobs introduced the world the New MacBook Air. The devices were thin and fast with the speed coming from it’s new solid state drive (SSD), the mSATA drive that at first glimpse looked similar to a SATA dimm drive that was starting to make their appearance on the computer landscape.

This gave the MacBook Air remarkable speed with boot ups taking in the region of 8 seconds, shutdowns even faster and “Instant On” became the new buzzword however this threw digital forensics a curveball. This new drive wasn’t something that could be removed and imaged at this time. In time I am sure there will be an adapter that will allow hardware imaging to be carried out, using present forensic tools.

To preface my testing, I wanted to test all known methods of imaging the previous editions of the Macs and the previous MacBook Airs, these were:

• Fire Wire Target Disk Mode – The MacBook Air never had a Fire Wire port, making this method impossible.

• Linux Boot CDs

• MacQuisition

• Windows Based tools

The previous edition of the MacBook Air were relatively simple, LinuxCDs like SPADA and Raptor were used in conjunction with USB hubs and external storage devices. The Linux CDs all had GUI based applications that made imaging the old MacBook Air very simple. Also the ability to removal the internal storage in its various forms was not diffi cult and could be investigated by using write blockers, adapters, and free imaging tools Like Access Data’s FTK Imager and Guidance Software’s Encase in Acquisition mode.

The New MacBook Air didn’t seem that easy in regards to the type in internal storage deployed. So it was first back to the Linux boot CD’s and so began my trek on imaging the new MacBook Air.

Read more on this subject - and Apple forensics - in Issue 7 of DFM - out now - login or subscribe today!

Please make cache directory writable.

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Mark Osborne

Mark Osborne is the author of 'How To Cheat at Managing Information Security'


Coming up in the Next issue of Digital Forensics Magazine

Graph Database Technology

Attackers examine how your assets are connected, looking for a vulnerable part of the network, and navigating via methods such as “spear phishing.” What they’re really doing is abstracting out the graph of your networked systems, which is the set of security dependencies. Read More »

Fraudulent Use of Digital Images and Detection Survey

This article looks at the basic concepts related to image forgery; the types, detection procedure algorithms and all possible techniques to detect malicious signatures ibased on forgery types and detection techniques. Read More »

Subscribe today

Discovery in the Cloud: An Investigator’s Close Look at Unexpected Risks and Challenges

Documents residing in cloud storage accounts are increasingly coming into scope in digital forensic investigations such as IP theft, regulatory, corruption, merger clearance and civil matters.  Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the future issues