Acquire Mac OS Sierra with 4096 block size

Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I've been attempting to image an iMac running Sierra and have some issues.

Firstly XWF couldn't see the file system when attached in target disk mode, so I assumed Filevault might be in play.

I've logged into the system live and confirmed Filevault is not enabled.
I then acquired an E01 image using CAINE and Guymager, but when I attempt to load the resulting image in XWF it crashes every time while trying to parse the image. Load the same image into FTK Imager and it can load the image with no problems, but can't recognise the file system.

So I do a little more google-fu and come across a page with step-by-step instructions on using DD via the terminal to push out an image. I'm a few steps in on this when I come across a statement that says if the block size is 4096 then Macquisition is the only tool around that can make a forensic image that other tools can recognise.

Apparently only other systems with 4096 block size allocations will be able to read/understand the image.

I haven't come across this before, so I'm not really sure of the accuracy of those statements. Anyone had issues like this before? Any solutions other than Macquisition?

 
Posted : 07/08/2017 7:40 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

I've been testing out some new tools and one of the machines that I imaged for testing is the MacBook Pro I'm on right now. It has an allocation block size of 4k but a device block size of 512 bytes. I imaged it using dd:

sudo dd if=/dev/rdisk1 bs=4k conv=sync,noerror of=/Volumes/External\ WD/my_mac.dd

I loaded the image into EnCase Imager and reacquired it as an Ex01. EnCase Imager had no issues with it. Magnet Axiom had no issue reading the raw (dd) image or the Ex01. Blacklight had no problems with the raw image (I didn't try Ex01).

Try loading your image into EnCase Imager and/or FTK Imager and see if it recognizes the filesystem and can read it. If not, there may be other issues at play.

If you're still having issues, please answer:

1) Is this a Fusion drive?
2) What is the exact command line you are using to image?
3) Please share the results of "diskutil info" and "diskutil info /"

 
Posted : 07/08/2017 10:51 am
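An added example, not code from either poster, that separates the two block sizes tracedf distinguishes above: it locates the GPT header to infer the logical sector size an image was written with (a tool assuming 512 looks in the wrong place on a 4096-byte-sector image and sees no partition table), then reads the allocation block size from the HFS+ volume header of the first partition. Offsets follow the standard GPT and HFS+ layouts; the sample image is constructed in memory and contains no real data.

```python
import struct

GPT_SIG = b"EFI PART"
FS_SIGS = {b"H+": "HFS+", b"HX": "HFSX"}


def detect_sector_size(img):
    """The GPT header always lives in LBA 1, so its byte offset equals the
    logical sector size. Returns 512, 4096 or None if no header is found."""
    for size in (512, 4096):
        if img[size:size + 8] == GPT_SIG:
            return size
    return None


def first_partition(img, sector):
    """Return (first_lba, last_lba) of the first GPT partition entry."""
    entries_lba, count, entry_size = struct.unpack_from("<QII", img, sector + 72)
    if count == 0:
        return None
    return struct.unpack_from("<QQ", img, entries_lba * sector + 32)


def inspect_image(img):
    """Report logical sector size, first partition, and HFS+ allocation block size."""
    sector = detect_sector_size(img)
    if sector is None:
        return {"sector_size": None}
    part = first_partition(img, sector)
    result = {"sector_size": sector, "partition": part, "fs": None, "alloc_block": None}
    if part:
        vh = part[0] * sector + 1024  # HFS+ volume header sits 1024 bytes into the volume
        result["fs"] = FS_SIGS.get(bytes(img[vh:vh + 2]))
        if result["fs"]:
            result["alloc_block"] = struct.unpack_from(">I", img, vh + 40)[0]  # big-endian
    return result


def build_sample_image(sector=4096, alloc_block=4096):
    """Constructed minimal image (not a real disk): GPT header in LBA 1, one
    partition entry at LBA 2, HFS+ volume header 1024 bytes into LBA 6."""
    img = bytearray(sector * 16)
    img[sector:sector + 8] = GPT_SIG
    struct.pack_into("<QII", img, sector + 72, 2, 1, 128)  # entry array LBA, count, entry size
    struct.pack_into("<QQ", img, 2 * sector + 32, 6, 15)   # first/last LBA of partition 1
    img[6 * sector + 1024:6 * sector + 1026] = b"H+"
    struct.pack_into(">I", img, 6 * sector + 1024 + 40, alloc_block)
    return bytes(img)


if __name__ == "__main__":
    print(inspect_image(build_sample_image()))                # 4k-sector, 4k allocation
    print(inspect_image(build_sample_image(sector=512)))      # 512-byte sectors, 4k allocation
```

Run it against a real raw image with `inspect_image(open(path, "rb").read(65536))`; a result of `sector_size: None` on a dd image usually means the image starts somewhere other than the device's LBA 0.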
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Sorry for the slow response; I ended up using Recon Imager from Paladin, which worked perfectly.

FTK in this instance didn't recognize the file system after loading the previous image I'd taken.

 
Posted : 10/08/2017 11:13 am