Forensic Acquisition of Mac Computers With CoreStorage

By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 14, 2016

The instructions below are designed to create a forensic image of a Mac Computer with FileVault enabled, via the command line and Target Disk Mode, so that you don’t have to spend piles of money on acquisition programs. This has NOT been tested on every Apple OS, but I have tested it on Mountain Lion, Mavericks, Yosemite, and El Capitan. It should work on any Intel based Mac. Instructions and screen shots are from El Capitan. Your system may vary slightly. Read all instructions FIRST, before attempting. This tutorial is about as simple and “step-by-step” as it gets. If, after reading this, there are still things you don’t understand, STOP before you START. If this is your first time dealing with acquisition of Mac computers, now is not the time to practice on a real case.

WARNING

This tutorial does not get into evidence intake procedures. It is assumed that you are already aware of them, and will follow them in every case. This tutorial also assumes that you have the necessary credentials to access the device. With FileVault enabled, you cannot extract a usable image without them.

What is FileVault & CoreStorage

An important distinction to be made is that CoreStorage and FileVault are NOT the same thing. This is a popular misconception. FileVault and FileVault2 are processes that encrypt the data on the hard drive. CoreStorage is a technology that is basically a window into the encrypted data. In other words, CoreStorage allows that the entire drive does not have to be decrypted in order to see data. Only the data in use at the time is actually decrypted on the fly, and viewable through the use of CoreStorage. When CoreStorage exists, it will be seen in Terminal as a separate physical drive, called a virtual disk. This is what you want to be imaging. The important takeaway is that Mac computers are shipping with CoreStorage enabled, but FileVault is off. In this case, you could use the normal method of forensic imaging outlined HERE.

Although the information below is designed around, and recommends imaging of the virtual physical CoreStorage drive, it is also possible to take a forensic image of the physical (/dev/disk0) and decrypt the .dd later. Great instructions outlined HERE.

Setup

There are some necessary steps to perform prior to actually starting your collection. First and foremost, we must determine if the computer is on or not. This is not a tutorial on seizure practices, but it is assumed that if the computer is on at time of seizure, it will be handled as such, with imaging of RAM, and potential imaging of a live system being the way to proceed. For instructions on acquiring RAM click HERE. For instructions on doing a live acquisition on a machine that is running, click HERE. The decision to image live or not is a judgment call based on the situation and goals of the investigation.

You will need to prepare destination media to receive the forensic image you are creating. A tutorial for how to format media for use in a Mac environment can be read HERE.

Especially with Apple laptops, they rarely ever get turned off. Most importantly for laptops, ensure that they are plugged into the power supply before doing anything. Any good lab will have an assortment, in case the device didn’t arrive with one. Press the spacebar a couple of times, and if the computer was simply asleep, it will come on. Since this tutorial is based on a computer that is off, we will proceed as such.

  1. You must first determine if imaging the drive via this method is even possible. You must check for a number of things in a particular order. a) is there a Firmware Password; b) is FileVault enabled; c) is there a Fusion drive; and d) what is the Block Size. The first two will be determined in early steps below, and the last two will be determined as the imaging process progresses.
  2. There are a number of special keystrokes that will cause a Mac to boot in various different ways, some of which are integral to performing forensic acquisitions. A list of these can be seen HERE.
  3. The first step will be to turn on the subject machine while holding down the “option” key. Keep holding down the “option” key until you see one of the two screens below. If you see anything other than these two (like a login screen), you boo-booed.

      IMG_5153     IMG_5154

The picture on the left is what you will most likely see, and that is a good thing. Now shut the computer off by holding down the power button for 4 seconds. The picture on the right is evidence that a Firmware Password is in use. This is pretty much bulletproof, and without having the password, your interaction with this computer is done, unless you are able to remove the hard drive and image it separately. (If it has FileVault enabled, and you have no passwords, this is useless). As before, shut the computer off by holding down the power button for 4 seconds. This Firmware Password is at the hardware level of the computer, and not on the hard drive, so hard drive removal bypasses this. I have made a tutorial on removing hard drives from Mac products, and it can be seen HERE.

  1. We proceed under the assumption that you already know the drive you are imaging has FileVault enabled. If you are unsure, stop and go through our tutorial on imaging drives when you don’t know if the above is enabled. It is HERE. If the determination there is that it is enabled, come back here and continue.
  2. At this point, we need to ensure that you are performing the functions outlined, on the right computer. From this point forward, we will refer to the computers as follows: the computer you are imaging is the SUBJECT COMPUTER; the computer that performs the functioning, and where most of your typing will be is the CONTROL computer, and the external hard drive where the forensic image is going to be written to is the DESTINATION drive or media.
  3. We will now prepare the control computer. Ensure that it is turned on and that you are logged in to it. Open a Terminal window.
  4. Go to the top right of the desktop screen and click on the magnifying glass (Spotlight Search).

5.46.40 PM

  1. In the middle of the screen, a box will open up. Type in the word “Terminal” as shown below. As you type, you will see the options appear below your typing. Once you have typed the whole word, press Enter.

5.47.08 PM

  1. After pressing Enter, the Terminal window will open.

When typing instructions in the following steps, only type what is inside the quotes. Don’t type the quotes themselves. It is assumed that you will hit Enter at the end of each instruction. It will not always look like you accomplished anything. Don’t worry about it. Keep following the steps unless you get some kind of error message. Especially at times when prompted for a Password, you will not see anything happening as you type it. That is normal. Just type it and press Enter. Anything placed inside < > is a variable that will be determined by you. Don’t type the < >.

Acquisition

  1. Connect the destination external drive to the control machine. What should you use for a destination drive? I have created a document where I benchmarked multiple configurations, so you can see speeds across different methods. The document can be read HERE.
  2. Unless otherwise stated, the following steps are assumed to be on the control machine.
  3. Back in the Terminal you just opened, note the User name, as you may need it later. Everything you will see behind the flashing cursor is info about the computer. In the example below, the computer name is “ELEMENTS”. The “~” means that we do NOT have Root level access on the system. The User name on this computer is JF and is immediately followed by the “$” sign. Then you see the cursor. This line along with the cursor is called a command prompt.

8.29.09 PM

  1. Type “date” to get the control system date, time, and time offset, as shown below, and take a photo. I like to take a photo of the screen while holding my phone beside it, so I capture the phone’s date and time beside the computer date and time. Reason being that the phone date and time are issued by a server, so are considered to be accurate. It will also give you a reference later, to determine accuracy of metadata on the computer.

8.32.57 PM

  1. Type “diskutil list” and press Enter, as seen below. This will now give you the list of hard drives on the control computer, as well as the architecture of each hard drive. It will also list various elements such as if the drive is encrypted or not, and whether or not CoreStorage is enabled, and if there is a Fusion drive in use. You MUST understand this layout in order to identify exactly what to image, and how. A description of this can be seen HERE.

20.31 PM

  1. Understand that the above screenshot is our control computer. We have not yet involved our subject computer.
  2. In our example on the subject machine, CoreStorage is enabled, FileVault is enabled, and the drive is not a Fusion drive, so we will proceed with the instructions based on that. No encryption, and Fusion drives bring an entirely different dynamic to the playing field, and change the way you would image them. I have written a paper on the differences in acquisition of the different situations you may face. That paper can be read HERE. As well, a tutorial for acquiring drives with no encryption can be seen HERE, and a tutorial for acquiring Fusion drives can be seen HERE.
  3. Back to the task at hand. In the picture above, we see /dev/disk0, /dev/disk1, and /dev/disk2. This is quite a simple layout. /dev/disk0 is the physical hard drive in the control machine, /dev/disk1 is the virtual CoreStorage drive on the control machine (inconsequential to this tutorial), and /dev/disk2 is the destination hard drive. In the right most column, you see disk0s1, disk0s2, disk0s3, etc. These are the partitions or Volumes of the hard drive. On Macs (and Linux/Unix flavors), they are called Slices, hence the s1, s2, s3 following the disk0. On Slice 2 of disk0, or disk0s2, you can see the words “Apple_CoreStorage”. When you see this, it does NOT automatically mean FileVault is enabled. The existence of disk1 in the above is the first sign that FileVault is enabled. If it was not enabled, this disk would not exist. You can also see that immediately following /dev/disk1, it states (internal, virtual). Dead giveaway of FileVault. One last pointer is the bottom of the section under /dev/disk1. It says Unlocked Encrypted. In other words, because FileVault is enabled, it says Encrypted, but because I am logged into the machine with the proper credentials, it is Unlocked. Remember that this step is on the control machine, and is for explanation and understanding purposes only. You will not see this when connecting the subject computer.
  4. Take note of the physical disks above, as you will need them later in the process.
  5. You need to now disable DiskArbitration on the control computer. This function mounts the drives connected to it. Obviously the moment we plug in the subject computer, the drives will mount, and we have now just written to our subject drive. Not good. RECAP. Don’t disable DiskArbitration until AFTER you plug in your destination drive. But don’t plug in your subject computer until AFTER you have disabled DiskArbitration.
  6. To disable DiskArbitration, type “sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist” and press Enter, as seen below.

2.24.27 PM

  1. You will be prompted for the password on your control computer. Enter it and press Enter.
  2. Now it is best to test if it worked. Type “diskutil list” again. If DiskArbitration is off, you will see the message below.

9.59.01 AM

  1. With DiskArbitration off, you can no longer see the drive names and volumes. This could make things very confusing if you are not prepared. That is why logging the drive numbers was important. We can use a different tool to at least see what drive numbers we have. So type the following as shown below: ls –l /dev/disk* | grep disk.$

9.59.39 AM

  1. The same three physical drives are being shown, even though /dev/disk1 is not a real physical drive, but a virtual CoreStorage drive that is seen as a physical drive (not important here, but important if your subject computer had FileVault enabled).
  2. At this point, turn your attention to the subject machine. You need to place it into Target Disk Mode.
  3. This is done by holding down the “T” key and then turning on the subject computer. Continue holding down the “T” key until you see the image below, then you can let go.

IMG_5384

  1. You have two choices at this point. You can use Thunderbolt or FireWire. But of course, both the subject computer and the control computer must have the same. Pretty much everything since 2011 has Thunderbolt. Anything prior to that would not have any of the security in today’s systems, and thus could be imaged using normal tools after removing the hard drive. In my example, I used Thunderbolt.
  2. Plug the Thunderbolt cable into the subject computer, then plug the other end into the control machine.
  3. At this point, you should be prompted on the control computer, to enter the subject machine password. This is the final indicator that FileVault is enabled. Without the password, you are done.
  4. Suggesting you have the password and have entered it, you can now type the same command as you did in step 23. You will now see something like the below.

10.28.15 PM copy

  1. You can see that there is an additional 2 disks now. This is the subject drive physical (disk3), and the virtual CoreStorage drive (disk4) being seen. This will always happen in sequential order, so you know that disk3 and disk4 are the newest additions, or the computer that you just plugged in. You want to image the virtual CoreStorage drive, and NOT the physical drive.
  2. At this point, we are faced with a potential problem. Device Block Size. Generally speaking, on most Macs, the Device Block Size is 512 bytes, and the Allocation Block Size is 4096 bytes. Anybody recognize this? In NTFS, it is called Sector Size (512 bytes), and Cluster Size (4096). But I digress. Some 2015 and newer models of MacBook and MacBook Air now have a Device Block Size of 4096 bytes, and this will be adopted by all Macs in the near future. It has to do with data speed, and storage optimization, and it means they are completely unreadable by computers that have a Device Block Size of 512 bytes. If you forensically image a 4096 byte computer with a 512 byte computer, you will NOT be able to open the image. You will need another 4096 byte computer to mount the image. The only forensically sound method if not using a 4096 byte computer (as of the time of this writing) is to use a tool called MacQuisition (not cheap, but incredible), and image the logical volume. So before we waste a bunch of time creating a useless forensic image, let’s see what the Block size is.
  3. This instruction is also great for seeing what is inside a /dev/disk if you lose track.
  4. Type “hdiutil partition /dev/disk<?>”, where the <?> is the number of the disk you want information on. You will get a warning message asking for your control password, as shown below.

10.02.56 AM

  1. Once you enter it, you will get the following screen. For /dev/disk3, we see the below.

10.03.07 AM

  1. You can now see that /dev/disk3 is the MBR, and not the /dev/disk that we want to image. Let’s look at /dev/disk5 with the same instruction.

10.04.02 AM

  1. We now see that this is “whole disk”. This is the disk we want to image. We also see “block size”, and in this case, it is 512.
  2. Another indicator that you may be looking at a 4096 byte block size computer, is that when you run the command to see all the /dev/disks, a 4096 byte block size will not show anything other than one extra /dev/disk beyond what was shown before you plugged the subject computer in. So if you don’t see all of the disks that you were expecting, this may be why.
  3. It is imperative that you understand that Target Disk Mode will NOT show all drives in the subject computer. It will only show the Master drive(s), and no Slave drives. You must check the computer physically to determine if there are more drives.
  4. Now, type “date” (yes, again), press Enter, and take a picture. Don’t waste any time from this point forward, as any time unaccounted for will be difficult to explain in court.
  5. Type the instruction to start the imaging, as seen below. The actual line you type will be different than mine. The line to type is sudo dd if=/dev/rdisk4 of=/Volumes/<name of your destination Volume>/<name of your image file>.dd bs=64k conv=noerror,sync

10.28.15 PM

  1. Let’s break down what is happening in that line. “sudo” means “SuperUser Do”. In other words, run the following command as “Root”. “dd” is the name of the program we are using to perform the forensic image. “if=” means “Input File equals”. In other words, what are you imaging? This is the file path to the subject drive. You will note that we have used “rdisk4” instead of “disk4”. Why? Google it. Biggest reason that matters is it speeds up imaging by 20-30%. Next command is “of=”, or “Output File equals”. This is the file that will be created on the destination drive, so we have typed the path to the destination drive, and given our acquisition a name, and .dd on the end. Next is “bs=64k”. This is the block size that the program will use as it is imaging. In other words, in this case, it will process the data in 64 kb chunks. Why does this matter? When the chunk of data is being read, if there is a problem with the subject media, it will just fill the rest of the block with zeros. If the block size is small, you will not have lost much data, but if the block size is large, you may very well lose vast amounts of data that you otherwise would have gotten. So you might think that making it really small is better. Block size will also dictate how long the imaging process will take. The same drive that takes 1 hour with a 64k block size will take a dozen hours or more at 4k. So we need a happy medium. 64k is that happy medium. Next in line is conv=noerror,sync. This means that if, when reading a block, there is a problem, don’t stop the imaging process. Just skip over the rest of the block to the next one, and pad the space on the destination drive with zeros. It is also worth noting that if there are any issues during the imaging process, you will be notified at the end, of any blocks that had problems.
  2. Back to the process. Once you type the instruction and press Enter, you will be prompted for the password of the control machine. Enter it here and press Enter, and the imaging will start. It will look like nothing is happening. Nothing will appear on the next line until the image is complete, at which time you will see something like the picture below. Depending on the size of the subject drive, this could be hours.

10.23.01 AM

  1. Again, type “date”, and immediately take a photo. The reason you have done this is to show that you have not had time to alter data in the dump. You can see that the total time for the image is listed above in seconds. Immediately hash the RAM dump by typing md5 /Volumes/<name of your destination>/<name you called your image file>.dump”. This process will take some time.
  2. Once done, the hash of the file will be shown as below. It goes without saying that you should record this.

10.48.10 PM

  1. If you would rather hash using other processes like SHA, refer to the document outlining the different commands at HERE.
  2. You are now done. Close the terminal window, and navigate to your destination drive. Right click on the .dd file you just created, and select “Get Info”. In the screen that appears, click in the box beside the word “Locked”, as seen below. This will lock the file and protect from inadvertent writing later.

9.30.49 AM

  1. Now power down the control computer. Because you previously turned off DiskArbitration, you cannot properly eject the destination drive.
  2. Once the control computer is powered down, unplug the subject computer, and the destination drive. Power down the subject computer by holding down the Power button for 4 seconds. You are now done the acquisition portion, but you are not done with the collection. Remember that because FileVault was enabled, we could not start the subject computer in Single User Mode to get the information regarding the components in the subject computer, or the baseline Date/Time. We will do this now in a different way.
  3. We do this AFTER the acquisition is performed, because it will cause access changes to the subject hard drive. Again, while doing this, document your actions meticulously.
  4. Hold down the Apple (⌘) key simultaneous with the “R” key, and press the power button. Keep holding these two keys until you see the Apple logo and a progress bar. You can then release them.
  5. This will boot the computer into what is called recovery mode, and your screen should look like this.

IMG_5414

  1. At the top left corner, click on Utilities, and then Terminal from the drop down.

IMG_5415

  1. A terminal window will open as shown below. Type “date” and record the info.

IMG_5419

  1. Type “system_profiler SPHardwareDataType” and record the system output as below.

IMG_5416

  1. Now type “system_profiler SPSerialATADataType” and record the drive output as shown below.

IMG_5417

  1. As seen above, not only do you get the hard drive information, but you also get the logical structure as well.
  2. Besides the above information, there is a great deal of other system information you can extract here, and a comprehensive list of the commands can be seen HERE.
  3. Once you have recorded this information, you can shut the system down in a normal fashion, and you are done.