
MacOS High Sierra Imaging

Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Got a new Mac I need to image. I would prefer to do it manually rather than buy a tool. Is it *really* as simple as just following these steps?

https://digitalforensicforest.com/2018/01/20/forensic-imaging-mac-os-10-13-high-sierra/

I suspect not, but I'd like to know if you all have any experience before I begin.

Many thanks!

 
Posted : 28/08/2018 6:19 am
 dega
(@dega)
Posts: 261
Reputable Member
 

Usually with a Mac, I boot the system with CAINE on a USB.

 
Posted : 28/08/2018 8:46 am
(@randomaccess)
Posts: 385
Reputable Member
 

That question depends on what tool you have to analyse the dump.

Although many tools are catching up, taking a logical image with a paid tool may be a better option than taking a free image, finding a Mac, creating a DMG, copying the files across from your image while preserving metadata, and loading it onto a Windows tool (and potentially not examining extended attributes).

However, if you have one of the tools that can interpret APFS (currently BlackLight, X-Ways, Belkasoft Evidence Centre, and EnCase... YMMV, some support it better than others, and some don't support encryption), then you can probably image fine with a free tool (i.e. Paladin).

 
Posted : 28/08/2018 9:35 am
Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Thanks for your prompt replies!

So, when using the CAINE live USB on a new APFS system, is there any need to disable SIP or anything else prior to imaging, or is it as easy as booting up and beginning to image?

 
Posted : 28/08/2018 7:58 pm
(@randomaccess)
Posts: 385
Reputable Member
 

I don't think you need to disable anything.
But email Steve Whalen at Sumuri about the process with the free version of Paladin (it would be the same as with CAINE).

 
Posted : 29/08/2018 8:59 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

If this is a new Mac, there is a reasonable chance it has an M.2 NVMe SSD drive in it.

Some of the older USB bootable solutions will not support M.2 NVMe drives. Only know this as our own tool, OSFClone, didn't support this until recently.

 
Posted : 30/08/2018 4:36 am