MacOS High Sierra Imaging

 
  

Samuel1
Senior Member
 

MacOS High Sierra Imaging

Post Posted: Aug 28, 18 06:19

Got a new Mac I need to image. I would prefer to do it manually rather than buy a tool. Is it *really* as simple as just following these steps?

digitalforensicforest....gh-sierra/

I suspect not, but I'd like to know if you all have any experience before I begin.

Many thanks!  
 
  

giandega
Senior Member
 

Re: MacOS High Sierra Imaging

Post Posted: Aug 28, 18 08:46

Usually with a Mac, I boot the system with CAINE on a USB.
 
  

randomaccess
Senior Member
 

Re: MacOS High Sierra Imaging

Post Posted: Aug 28, 18 09:35

That question depends on what tool you have to analyse the dump.

Although many tools are catching up, taking a logical image with a paid tool may be a better option than taking a free image, finding a Mac, creating a dmg, copying the files across from your image preserving metadata, and loading it onto a Windows tool (and potentially not examining extended attributes).

However, if you have one of the tools that can interpret APFS (currently BlackLight, X-Ways, Belkasoft Evidence Centre, and EnCase... YMMV, some support better than others; some don't support encryption) then you can probably image fine with a free tool (i.e. Paladin).
 
  

Samuel1
Senior Member
 

Re: MacOS High Sierra Imaging

Post Posted: Aug 28, 18 19:58

Thanks for your prompt replies!

So, when using Caine Live USB on a new APFS system, is there any need to disable SIP or anything else prior to imaging, or is it as easy as booting up and beginning to image?
 
  

randomaccess
Senior Member
 

Re: MacOS High Sierra Imaging

Post Posted: Aug 29, 18 08:59

I don't think you need to disable anything.
But email Steve Whalen at Sumuri about the process with the free version of Paladin (it would be the same as with Caine).
 
  

Passmark
Senior Member
 

Re: MacOS High Sierra Imaging

Post Posted: Aug 30, 18 04:36

If this is a new Mac, there is a reasonable chance it has an M2 NVMe SSD drive in it.

Some of the older USB bootable solutions will not support M2 NVMe drives. Only know this as our own tool, OSFClone, didn't support this until recently.
 
