Cannot Image MacBoo...
 
Notifications
Clear all

Cannot Image MacBook using DD

10 Posts
8 Users
0 Likes
452 Views
(@hagrid)
Posts: 2
New Member
Topic starter
 

Hello - Over the past few days, I have made about a dozen attempts to image an Apple MacBook. I have tried Helix Adepto, Raptor and about every way possible using DD from the command line. Allow me to make it very clear that I can image other Mac computers using all these methods without any problem. What makes this Mac different from the other Macs is that this is a MacBook "Intel" machine. One key difference between the Intel Macs and the older PowerPC Macs is that the Intel versions uses the GUID "GPT" partition scheme. I don't know if this is an issues for DD.

I have not tried to image a different MacBook "Intel" machine to see if the problem is specific to the MacBook that I'm trying to image or if this is something effecting all Intel based Macs.

One thing for sure, I cannot find any specific details on the actual "block size" used by Apple for GUID partitions.

And one last comment, I'm using Target Disk Mode to access the drive in the MacBook.

Does anyone have any experience with this or suggestions?

Thank you…

 
Posted : 13/01/2009 9:25 pm
(@dccfguru)
Posts: 22
Eminent Member
 

Try using the Macquisition Boot Disk. It's made by BlackBag Tech specifically for Macintosh acquisitions. You can google the company to find out more. I also believe there is a free trial available for the Boot Disk.

 
Posted : 13/01/2009 10:25 pm
(@hagrid)
Posts: 2
New Member
Topic starter
 

Thanks for the tip on Macquisition, their current demo disk has expired and they expect their new version to be available later today. Plus the person I spoke with on the phone at Blackbag, yes I talked with a real person, said a technician would call me back later today to answer the questions I have about imaging Intel based Macs… So hopefully that will save me from having to find another Inter Mac to test…

Thanks again…

 
Posted : 13/01/2009 11:06 pm
(@dccfguru)
Posts: 22
Eminent Member
 

No problem. Glad I could help.

 
Posted : 13/01/2009 11:32 pm
(@broberson)
Posts: 10
Active Member
 

I have used a Slax Cd, loaded with dcfldd many times to image macbooks and airs with 100% success. Reconstructing, in Encase anyway, is no problem. If you accidentally image just the partition and not the full disk with the GPT, the following will help you reconstruct…

http//128.175.24.251/forensics/RecoverHFSPartition.htm

 
Posted : 13/01/2009 11:56 pm
(@indur)
Posts: 67
Trusted Member
 

I think the block size restrictions for dd are governed more by the host operating system. I have a PPC Mac with GPT that uses 4k blocks, and I think our Intel is the same way. (That is, raw device access on the Macintosh must be 4k-block-aligned. Ioctl claims the underlying hardware uses 512-byte blocks, and the HFS+ allocation block size is a multiple of 4k, but doesn't really matter.)

Are you trying to dd the full disk or just a partition? If you are capturing the whole disk, the partitioning scheme on it should not matter.

What sort of error do you end up with?

 
Posted : 14/01/2009 12:38 am
(@rkubasiak)
Posts: 9
Active Member
 

Imaging the Macbook with 'dd' should work like you have accomplished in the past. On my website, www.macosxforensics.com, I have several methods of acquisition detailed using free and paid-for tools.

You mentioned you are using Target Disk Mode for the Macbook. Does it show up as a physical disk with slices on the computer you are using to image with? An Intel Mac should present 3 slices at a minimum, more if the user has added additional custom partitions.

Does your 'dd' acquisition start and then fail part way into it? Maybe you have a bad cable and you are actually doing everything correctly?

 
Posted : 14/01/2009 3:54 am
neddy
(@neddy)
Posts: 182
Estimable Member
 

If you are dealing with this model, the hard drive is easily removed.

http//manuals.info.apple.com/en/MacBook_13inch_HardDrive_DIY.pdf

 
Posted : 17/01/2009 1:40 am
(@crutey)
Posts: 32
Eminent Member
 

Just whip the hard disk out. I've dealt with dozens of macs and never resorted to target disk mode or boot disks. Hard disk out and pop it on a writeblocker - only way to be 100% sure it doesn't get booted.

There are plenty of guides online to dismantling individual models, general rule is 'less than 3 bits left at the end, nothing rattling, job done!' 😉

 
Posted : 17/01/2009 2:07 am
CdtDelta
(@cdtdelta)
Posts: 134
Estimable Member
 

Just a quick question, but the Intel version of Raptor didn't work either? I thought that's what it was for.

Tom

 
Posted : 17/01/2009 9:28 am
Share: