Forensic Imaging of MacBook Mini w/ FTK CLI...


Samuel1
Senior Member
 

Forensic Imaging of MacBook Mini w/ FTK CLI...

Posted: Nov 06, 15 12:45

Howdy,

I'm imaging a MacBook Mini with CLI, and I've done this many times before, but this time I am getting the error message: Resource Busy (16), and I have no idea what to do about that.

Disk util shows /dev/disk1 as the logical partition for the "Core Storage" which is Disk0s2, which as I understand it is encrypted and therefore would do no good to image.

So, has anyone here successfully figured out how to get around the "Resource Busy (16)" error message? I am sure my commands are correct as I've done it many, many times before.

Thanks everyone for your help!  
 
  

mrmoo28
Member
 

Re: Forensic Imaging of MacBook Mini w/ FTK CLI...

Posted: Nov 12, 15 22:35

Image the physical disk /dev/disk1, convert it to a raw image with a .dmg extension, and mount this on another Mac box, which will request the decryption passphrase. You can then image the decrypted logical volume as DD, then convert to E01 if you wish.

Useful link:

www.forensicon.com/for...overy-key/  
 
  

shep47
Senior Member
 

Re: Forensic Imaging of MacBook Mini w/ FTK CLI...

Posted: Nov 19, 15 17:11

Slightly delayed response, but I have spoken via PM to Samuel. Posted here for reference for future Mac imaging issues.

Firstly, run 'diskutil list' from Terminal and note the /dev/disk reference of the OS-mounted decrypted drive, i.e. 'disk2'.

In terminal, substitute '/dev/disk2' for '/dev/rdisk2'

of=output path on target media

sudo dd if=/dev/rdisk2 of=/Volumes/Path/Image.dmg bs=4096 conv=noerror,sync

Rgds  
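
The dd step from the post above, with a hash check added, as an example written for this page and not posted by anyone in the thread. The function names (raw_node, sha256_of, acquire) and the .dd.log and .sha256 sidecar files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: raw-device acquisition with the thread's dd options plus
# SHA-256 verification. Names and sidecar files are hypothetical.

# Map a macOS block node (/dev/disk2) to its raw character node (/dev/rdisk2).
# Any other path, such as a test file, passes through unchanged.
raw_node() {
    case "$1" in
        /dev/disk[0-9]*) printf '/dev/r%s\n' "${1#/dev/}" ;;
        *)               printf '%s\n' "$1" ;;
    esac
}

# SHA-256 of a file or device node. sha256sum is the Linux tool,
# shasum the one shipped with macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire SOURCE IMAGE
# Copies SOURCE to IMAGE, keeps dd's record counts in IMAGE.dd.log and both
# hashes in IMAGE.sha256. Returns 0 when the hashes match, 1 when they differ,
# 2 when dd itself fails.
# conv=noerror,sync replaces unreadable or short blocks with zero padding, so
# a mismatch means the image is not a byte-for-byte copy of the source.
acquire() {
    src=$(raw_node "$1")
    img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>"$img.dd.log" || return 2
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}
```

Source the file in a root shell and call `acquire /dev/disk2 /Volumes/Path/Image.dmg`. If the volume is mounted read-write while it is being read, the two hashes can differ even when dd reports no errors.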
 
