Tool for creating Digital Binary image of an iMac

(@chriscdw)
Posts: 3
New Member
Topic starter
 

Please could somebody recommend a tool that will allow me to create a DBI image of an iMac.

I have searched on google and various forensic forums, but have found no information regarding it.

Thanks,

 
Posted : 12/09/2019 1:06 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Please could somebody recommend a tool that will allow me to create a DBI image of an iMac.
>
> I have searched on google and various forensic forums, but have found no information regarding it.
>
> Thanks,

What do you mean by "DBI image"?

jaclaz

 
Posted : 12/09/2019 1:11 pm
(@chriscdw)
Posts: 3
New Member
Topic starter
 

Hi Jaclaz,

Digital Binary Image

Thanks

 
Posted : 12/09/2019 1:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Hi Jaclaz,
>
> Digital Binary Image
>
> Thanks

I guessed that that was the meaning of the acronym, possibly because you already hinted it in the title of the thread, but that doesn't explain what you are actually looking for.

A forensic image can be either RAW (or "dd-like") i.e. an exact representation - byte by byte - of the contents of a device (a whole disk or a volume partition, or if you prefer physical vs. logical) or in one of several "special" (often proprietary to this or that tool) formats (usually at the scope of compressing the size of the output).

I am not familiar with any format called "Digital Binary Image" or DBI, so I was asking a description of what you are looking for or however any reference/program using it, etc., or anyway explain it, as probably that is a non-familiar (to me at least) way to call something that is normally called some other names, to me a (digital) binary image is only this
https://en.wikipedia.org/wiki/Binary_image

Or, if you prefer, it is possible/probable that you found nothing because you were searching for the "wrong" terms.

jaclaz

 
Posted : 12/09/2019 4:21 pm
(@geogoo)
Posts: 2
New Member
 

Like Jaclaz I am also unsure of what you mean by Digital Binary Image…

If you can remove the drive from the iMac you could use the free tool AccessData FTK Imager. Although depending on the year of manufacture of the iMac it may not be feasible to open the iMac's casing as I believe Apple use glue to seal the device, not to mention on new models the PSU is exposed when the casing is removed. THIS IS DANGEROUS. So please make sure you take precautions before going down this route.

Failing removing the drive from the iMac, my next go to would be Black Bag's MacQuisition, although this option requires a paid license it will allow you to boot into MacQuisition from the suspect iMac with the suspect drive in situ and create a forensic image to an external drive. Furthermore, MacQuisition supports APFS encrypted volumes as long as you know the password or key.

 
Posted : 13/09/2019 7:42 am
Marksman1969
(@marksman1969)
Posts: 2
New Member
 

DBI is a new term for me, but maybe you used this term as a general term for (forensic) images?

MacQuisition from BlackBag is a good one. You can image Mac devices as raw, E01 and AFF (to mention a few). They also take care of hashing your image and logging the entire process. MacQuisition is also able to work with Apple's T2 chip.

Sumuri has Recon, but I don't have any experience with their software (yet).

You could of course use Linux distros like Kali (boot with a USB/DVD version, depending on what's possible), and then use Guymager. However, this method excludes synthesized disks (Fusion Drives) and T2 encryption will prevent a usable copy.

dd and dc3dd are possible in various stages (during LDF and/or DBF), but this could require a passport.

Bambiraptor and Cedarpelta are useful (free) LDF tools, that also are able to image the HDD on a running system (password required).

Sumuri and Macquisition are both paid solutions.

Hope this helps.

 
Posted : 13/09/2019 7:48 am
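
The raw ("dd-like") image described earlier in the thread, together with the hashing and logging mentioned in the last post, comes down to the steps below. This is an added example, not code from any poster or from any tool named in the thread; the block size, file names and log format are assumptions, and the sample source data is constructed.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # read size in bytes (assumption; tune to the device)

def sha256_of(path, block=BLOCK):
    """Hash a file or device node in fixed-size reads."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire_raw(source, image, block=BLOCK):
    """Copy source to image byte for byte, hashing the data as it is read."""
    digest, total = hashlib.sha256(), 0
    # "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            dst.write(chunk)
            digest.update(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    result = {"bytes": total, "acquisition_sha256": digest.hexdigest(),
              "verification_sha256": sha256_of(image, block)}
    result["match"] = result["acquisition_sha256"] == result["verification_sha256"]
    with open(image + ".log", "w") as log:  # hypothetical log format
        log.writelines(f"{key}: {value}\n" for key, value in result.items())
    return result

def demo():
    """Image a constructed sample file, then alter one byte of the copy."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.bin")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 5000 + b"tail")  # constructed data
        image = os.path.join(workdir, "evidence.raw")
        result = acquire_raw(source, image, block=4096)
        with open(image, "r+b") as f:  # simulate later modification
            f.seek(10)
            f.write(b"\xff")
        result["still_matches"] = sha256_of(image) == result["acquisition_sha256"]
        return result

if __name__ == "__main__":
    print(demo())
```

The acquisition hash is computed from the bytes as they leave the source, so the second pass over the image confirms that what was written matches what was read, and any later change to the image no longer matches the logged value.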