By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 8, 2016

The instructions below are designed to create a forensic image of a Mac Computer with Fusion drive via the command line and Target Disk Mode, so that you don’t have to spend piles of money on acquisition programs. This has NOT been tested on every Apple OS, but I have tested it on Mountain Lion, Mavericks, Yosemite, and El Capitan. It should work on any Intel based Mac. Instructions and screen shots are from El Capitan. Your system may vary slightly. Read all instructions FIRST, before attempting. This tutorial is about as simple and “step-by-step” as it gets. If, after reading this, there are still things you don’t understand, STOP before you START. If this is your first time dealing with acquisition of Mac computers, now is not the time to practice on a real case.

WARNING

This tutorial does not get into evidence intake procedures. It is assumed that you are already aware of them, and will follow them in every case. This tutorial also assumes that you have the necessary credentials to access the device. With FileVault enabled, you cannot extract a usable image without them.

What Is Fusion Drive

Without going into great detail, Fusion drive is a technology used by Apple in its iMac line of computers, as well as its Mac line. The Fusion drive consists of actually 2 hard drives. One solid state drive, and one traditional rotating media drive. The SSD gives the system its speed, while the HDD gives it ample storage space. This is not to be confused with two separate drives, or with a RAID system. In a fusion drive system, the user only sees one hard drive. This is a virtual drive created by system that incorporates both drives. Data first arrives and lives on the SSD. No data ever actually gets to the HDD until the SSD fills up. It then starts prioritizing data to keep on the SSD. That being said, if the SSD is 128 GB, it will reserve a portion for working space, and this portion does NOT get imaged when imaging the fusion drive. That is why, when faced with a fusion drive scenario you should absolutely image the virtual fusion drive, and it is recommended that you also image each of the physical drives separately. There are commands to rejoin the two drives into a single fusion drive after the fact, but they have mixed reviews as to the success rate. This tutorial assumes that you already know how to image the drives individually, and you can see a tutorial of this HERE.

Setup

There are some necessary steps to perform prior to actually starting your collection. First and foremost, we must determine if the computer is on or not. This is not a tutorial on seizure practices, but it is assumed that if the computer is on at time of seizure, it will be handled as such, with imaging of RAM, and potential imaging of a live system being the way to proceed. For instructions on acquiring RAM click HERE. For instructions on doing a live acquisition on a machine that is running, click HERE. The decision to image live or not is a judgment call based on the situation and goals of the investigation.

You will need to prepare destination media to receive the forensic image you are creating. A tutorial for how to format media for use in a Mac environment can be read HERE.

Press the spacebar a couple of times, and if the computer was simply asleep, it will come on. Since this tutorial is based on a computer that is off, we will proceed as such.

  1. You must first determine if imaging the drive via this method is even possible. You must check for a number of things in a particular order. a) is there a Firmware Password; b) is FileVault enabled; c) is there a Fusion drive; and d) what is the Block Size. The first two will be determined in early steps below, and the last two will be determined as the imaging process progresses.
  2. There are a number of special keystrokes that will cause a Mac to boot in various different ways, some of which are integral to performing forensic acquisitions. A list of these can be seen HERE.
  3. The first step will be to turn on the subject machine while holding down the “option” key. Keep holding down the “option” key until you see one of the two screens below. If you see anything other than these two (like a login screen), you boo-booed.

      IMG_5153     IMG_5154

The picture on the left is what you will most likely see, and that is a good thing. Now shut the computer off by holding down the power button for 4 seconds. The picture on the right is evidence that a Firmware Password is in use. This is pretty much bulletproof, and without having the password, your interaction with this computer is done, unless you are able to remove the hard drive and image it separately. (If it has FileVault enabled, and you have no passwords, this is useless). As before, shut the computer off by holding down the power button for 4 seconds. This Firmware Password is at the hardware level of the computer, and not on the hard drive, so hard drive removal bypasses this. I have made a tutorial on removing hard drives from Mac products, and it can be seen HERE.

  1. The second step to seeing what you are up against is to determine if FileVault is enabled or not. Unfortunately, if it is, you are going to alter the contents on the hard drive before you find out. As long as you follow the steps below, you will be able to explain what you did, and why the forensic image might look like it was accessed while in your custody, and it won’t be a problem. What you need to do is enter what is called “Single User Mode”.
  2. Single User Mode is accessed by holding down the Apple (⌘) key simultaneous with the “S” key, and pressing the power button. Keep pressing these two keys until one of two things happens. Either you will see a Terminal window open with all kinds of writing in it as shown below (GOOD), or you will arrive at the regular login screen (BAD). If the former, continue reading. If the latter, STOP. Press and hold the power button for 4 seconds until the computer turns off. If you arrived at the latter, this means that FileVault is enabled, meaning you can’t access Single User Mode. You can still image the hard drive (because you have the password or FileVault key, right?), but there is certain system data you don’t have easy access to. If this is the case, you can jump ahead to the section on enabling Target Disk Mode now. If you got the Terminal window, it looks like the picture below.

IMG_5150

  1. Type “date” as shown below. This is the closest thing to BIOS or UEFI style date/time data accuracy against the metadata on the drive. Take a photo of this information. I like to take a photo of the screen while holding my phone beside it, so I capture the phone’s date and time beside the computer date and time. Reason being that the phone date and time are issued by a server out of your control, so are considered to be accurate. It will also give you a reference later, to determine accuracy of metadata on the computer.

IMG_5151

  1. Now let’s grab some data about the computer system. Again, this is only if you are able to access Single User Mode. If not, at the end of this tutorial are instructions on what to do to collect system information for drives with FileVault enabled. In the picture below, you will see we have gathered system information by typing “system_profiler SPHardwareDataType”.

IMG_5412

  1. Take a picture of this. Then type “system_profiler SPSerialATADataType”.

IMG_5413

  1. This will give you the hard drive data. For some reason, when doing this on a computer with Fusion drive, it only shows the HDD, and not the SSD. Some is better than none. Once this is recorded, hold the power button down for 4 seconds to turn off the computer.
  2. We will now proceed under the assumption that you already know the computer you are imaging has a fusion drive.
  3. At this point, we need to ensure that you are performing the functions outlined, on the right computer. From this point forward, we will refer to the computers as follows: the computer you are imaging is the SUBJECT COMPUTER; the computer that performs the functioning, and where most of your typing will be is the CONTROL computer, and the external hard drive where the forensic image is going to be written to is the DESTINATION drive or media.
  4. We will now prepare the control computer. Ensure that it is turned on and that you are logged in to it. Open a Terminal window.
  5. Go to the top right of the desktop screen and click on the magnifying glass (Spotlight Search).

5.46.40 PM

  1. In the middle of the screen, a box will open up. Type in the word “Terminal” as shown below. As you type, you will see the options appear below your typing. Once you have typed the whole word, press Enter.

5.47.08 PM

  1. After pressing Enter, the Terminal window will open.

When typing instructions in the following steps, only type what is inside the quotes. Don’t type the quotes themselves. It is assumed that you will hit Enter at the end of each instruction. It will not always look like you accomplished anything. Don’t worry about it. Keep following the steps unless you get some kind of error message. Especially at times when prompted for a Password, you will not see anything happening as you type it. That is normal. Just type it and press Enter. Anything placed inside < > is a variable that will be determined by you. Don’t type the < >.

Acquisition

  1. Connect the destination external drive to the control machine. What should you use for a destination drive? I have created a document where I benchmarked multiple configurations, so you can see speeds across different methods. The document can be read HERE.
  2. Unless otherwise stated, the following steps are assumed to be on the control machine.
  3. Back in the Terminal you just opened, note the User name, as you may need it later. Everything you will see behind the flashing cursor is info about the computer. In the example below, the computer name is “ELEMENTS”. The “~” means that we do NOT have Root level access on the system. The User name on this computer is JF and is immediately followed by the “$” sign. Then you see the cursor. This line along with the cursor is called a command prompt.

8.29.09 PM

  1. Type “date” to get the control system date, time, and time offset, as shown below, and take a photo. I like to take a photo of the screen while holding my phone beside it, so I capture the phone’s date and time beside the computer date and time. Reason being that the phone date and time are issued by a server, so are considered to be accurate. It will also give you a reference later, to determine accuracy of metadata on the computer.

8.32.57 PM

  1. Type “diskutil list” and press Enter, as seen below. This will now give you the list of hard drives on the control computer, as well as the architecture of each hard drive. It will also list various elements such as if the drive is encrypted or not, and whether or not CoreStorage is enabled, and if there is a Fusion drive in use. You MUST understand this layout in order to identify exactly what to image, and how. A description of this can be seen HERE.

20.31 PM

  1. Understand that the above screenshot is our control computer. We have not yet involved our subject computer.
  2. In our example on the subject machine, CoreStorage is enabled, FileVault is not enabled, and the drive is a Fusion drive, so we will proceed with the instructions based on that. No encryption, and FileVault drives bring an entirely different dynamic to the playing field, and change the way you would image them. I have written a paper on the differences in acquisition of the different situations you may face. That paper can be read HERE. As well, a tutorial for acquiring drives with no encryption can be seen HERE, and a tutorial for acquiring FileVault enabled drives can be seen HERE.
  3. Back to the task at hand. In the picture above, we see /dev/disk0, /dev/disk1, and /dev/disk2. This is quite a simple layout. /dev/disk0 is the physical hard drive in the control machine, /dev/disk1 is the virtual CoreStorage drive on the control machine (inconsequential to this tutorial), and /dev/disk2 is the destination hard drive. In the right most column, you see disk0s1, disk0s2, disk0s3, etc. These are the partitions or Volumes of the hard drive. On Macs (and Linux/Unix flavors), they are called Slices, hence the s1, s2, s3 following the disk0. On Slice 2 of disk0, or disk0s2, you can see the words “Apple_CoreStorage”. When you see this, it does NOT automatically mean FileVault is enabled. The existence of disk1 in the above is the first sign that FileVault is enabled. If it was not enabled, this disk would not exist. You can also see that immediately following /dev/disk1, it states (internal, virtual). Dead giveaway of FileVault. One last pointer is the bottom of the section under /dev/disk1. It says Unlocked Encrypted. In other words, because FileVault is enabled, it says Encrypted, but because I am logged into the machine with the proper credentials, it is Unlocked. Remember that this step is on the control machine, and is for explanation and understanding purposes only. You will not see this when connecting the subject computer.
  4. Just for the purposes of familiarization, below is a screenshot of the “diskutil list” command run on a computer with fusion drive. Although you can’t see this during the imaging process, I have provided the picture below just as a point of reference.

9.17.32 AM

  1. As mentioned above, you will never look at the computer you are imaging in this way. This is for description purpose only. Let’s outline what you are seeing. /dev/disk0 is the physical drive in the control computer. /dev/disk1 is the virtual CoreStorage drive on our control computer created by the enabling of FileVault. /dev/disk2 is our destination external drive connected to the control machine. /dev/disk3 is the SSD in the subject computer. /dev/disk4 is the HDD in the subject computer. /dev/disk5 is the virtual fusion drive that is a combination of the space on /dev/disk3 and 4. If FileVault were enabled on this fusion drive computer, you would see a /dev/disk6. It would be this virtual disk you would want to image, rather than /dev/disk5.
  2. Back to the process at hand. Take note of the physical disks in step 20, as you will need them later in the process.
  3. You need to now disable DiskArbitration on the control computer. This function mounts the drives connected to it. Obviously the moment we plug in the subject computer, the drives will mount, and we have now just written to our subject drive. Not good. RECAP. Don’t disable DiskArbitration until AFTER you plug in your destination drive. But don’t plug in your subject computer until AFTER you have disabled DiskArbitration.
  4. To disable DiskArbitration, type “sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist” and press Enter, as seen below.

2.24.27 PM

  1. You will be prompted for the password on your control computer. Enter it and press Enter.
  2. Now it is best to test if it worked. Type “diskutil list” again. If DiskArbitration is off, you will see the message below.

9.59.01 AM

  1. With DiskArbitration off, you can no longer see the drive names and volumes. This could make things very confusing if you are not prepared. That is why logging the drive numbers was important. We can use a different tool to at least see what drive numbers we have. So type the following as shown below: ls –l /dev/disk* | grep disk.$

9.59.39 AM

  1. The same three physical drives are being shown, even though /dev/disk1 is not a real physical drive, but a virtual CoreStorage drive that is seen as a physical drive.
  2. At this point, turn your attention to the subject machine. You need to place it into Target Disk Mode.
  3. This is done by holding down the “T” key and then turning on the subject computer. Continue holding down the “T” key until you see the image below, then you can let go.

IMG_5384

  1. You have two choices at this point. You can use Thunderbolt or FireWire. But of course, both the subject computer and the control computer must have the same. Pretty much everything since 2011 has Thunderbolt. Anything prior to that would not have any of the security in today’s systems, and thus could be imaged using normal tools after removing the hard drive. In my example, I used Thunderbolt.
  2. Plug the Thunderbolt cable into the subject computer, then plug the other end into the control machine.
  3. At this point, if your fusion drive also has FileVault enabled, you will be prompted on the control computer, to enter the subject machine password. This is the final indicator that FileVault is enabled. Without the password, you are done.
  4. Suggesting you have the password and have entered it, you can now type the same command as you did in step 31. You will now see something like the below.

10.00.07 AM

  1. You can see that there are an additional 3 disks now. This is the subject drive physical SSD (disk3), the subject drive HDD (disk4) and the virtual Fusion drive (disk5) being seen. If you also had FileVault enabled on the subject machine, you would also see a disk6. This will always happen in sequential order, so you know that disk3, disk4, and disk5 are the newest additions, or the computer that you just plugged in. You want to image the virtual Fusion drive, unless you also have FileVault enabled. In that case, you would image the virtual FileVault drive. In our example, that is not the case.
  2. At this point, we are faced with a potential problem. Device Block Size. Generally speaking, on most Macs, the Device Block Size is 512 bytes, and the Allocation Block Size is 4096 bytes. Anybody recognize this? In NTFS, it is called Sector Size (512 bytes), and Cluster Size (4096). But I digress. Some 2015 and newer models of MacBook and MacBook Air now have a Device Block Size of 4096 bytes, and this will be adopted by all Macs in the near future. It has to do with data speed, and storage optimization, and it means they are completely unreadable by computers that have a Device Block Size of 512 bytes. If you forensically image a 4096 byte computer with a 512 byte computer, you will NOT be able to open the image. You will need another 4096 byte computer to mount the image. The only forensically sound method if not using a 4096 byte computer (as of the time of this writing) is to use a tool called MacQuisition (not cheap, but incredible), and image the logical volume. So before we waste a bunch of time creating a useless forensic image, let’s see what the Block size is.
  3. This instruction is also great for seeing what is inside a /dev/disk if you lose track.
  4. Type “hdiutil partition /dev/disk<?>”, where the <?> is the number of the disk you want information on. You will get a warning message asking for your control password, as shown below.

10.02.56 AM

  1. Once you enter it, you will get the following screen. For /dev/disk3, we see the below.

10.03.07 AM

  1. You can now see that /dev/disk3 is the MBR, and not the /dev/disk that we want to image. Let’s look at /dev/disk5 with the same instruction.

10.04.02 AM

  1. We see that this is “whole disk”. This is the disk we want to image. We also see “block size”, and in this case, it is 512.
  2. Another indicator that you may be looking at a 4096 byte block size computer, is that when you run the command to see all the /dev/disks, a 4096 byte block size will not show anything other than one extra /dev/disk beyond what was shown before you plugged the subject computer in. So if you don’t see all of the disks that you were expecting, this may be why.
  3. It is imperative that you understand that Target Disk Mode will NOT show all drives in the subject computer. It will only show the Master drive(s), and no Slave drives. You must check the computer physically to determine if there are more drives.
  4. Now, type “date” (yes, again), press Enter, and take a picture. Don’t waste any time from this point forward, as any time unaccounted for will be difficult to explain in court.
  5. Type the instruction to start the imaging, as seen below. The actual line you type will be different than mine. The line to type is sudo dd if=/dev/rdisk5 of=/Volumes/<name of your destination Volume>/<name of your image file>.dd bs=64k conv=noerror,sync

10.06.42 AM

  1. Let’s break down what is happening in that line. “sudo” means “SuperUser Do”. In other words, run the following command as “Root”. “dd” is the name of the program we are using to perform the forensic image. “if=” means “Input File equals”. In other words, what are you imaging? This is the file path to the subject drive. You will note that we have used “rdisk4” instead of “disk4”. Why? Google it. Biggest reason that matters is it speeds up imaging by 3-4 times. Next command is “of=”, or “Output File equals”. This is the file that will be created on the destination drive, so we have typed the path to the destination drive, and given our acquisition a name, and .dd on the end. Next is “bs=64k”. This is the block size that the program will use as it is imaging. In other words, in this case, it will process the data in 64 kb chunks. Why does this matter? When the chunk of data is being read, if there is a problem with the subject media, it will just fill the rest of the block with zeros. If the block size is small, you will not have lost much data, but if the block size is large, you may very well lose vast amounts of data that you otherwise would have gotten. So you might think that making it really small is better. Block size will also dictate how long the imaging process will take. The same drive that takes 1 hour with a 64k block size will take a dozen hours or more at 4k. So we need a happy medium. 64k is that happy medium. Next in line is conv=noerror,sync. This means that if, when reading a block, there is a problem, don’t stop the imaging process. Just skip over the rest of the block to the next one, and pad the space on the destination drive with zeros. It is also worth noting that if there are any issues during the imaging process, you will be notified at the end, of any blocks that had problems.
  2. Back to the process. Once you type the instruction and press Enter, you will be prompted for the password of the control machine. Enter it here and press Enter, and the imaging will start. It will look like nothing is happening. Nothing will appear on the next line until the image is complete, at which time you will see something like the picture below. Depending on the size of the subject drive, this could be hours.

10.23.01 AM

  1. Again, type “date”, and immediately take a photo. The reason you have done this is to show that you have not had time to alter data in the dump. You can see that the total time for the image is listed above in seconds. Immediately hash the RAM dump by typing md5 /Volumes/<name of your destination>/<name you called your image file>.dump”. This process will take some time.
  2. Once done, the hash of the file will be shown as below. It goes without saying that you should record this.

10.48.10 PM

  1. If you would rather hash using other processes like SHA, refer to the document outlining the different commands at HERE.
  2. You are now done. Close the terminal window, and navigate to your destination drive. Right click on the .dd file you just created, and select “Get Info”. In the screen that appears, click in the box beside the word “Locked”, as seen below. This will lock the file and protect from inadvertent writing later.

9.30.49 AM

  1. Now power down the control computer. Because you previously turned off DiskArbitration, you cannot properly eject the destination drive.
  2. Once the control computer is powered down, unplug the subject computer, and the destination drive. Power down the subject computer by holding down the Power button for 4 seconds. You are now done the acquisition portion, but if FileVault was enabled, you are not done with the collection. Remember that if FileVault was enabled, we could not start the subject computer in Single User Mode to get the information regarding the components in the subject computer, or the baseline Date/Time. We will do this now.
  3. We do this AFTER the acquisition is performed, because it will cause access changes to the subject hard drive. Again, while doing this, document your actions meticulously.
  4. Hold down the Apple (⌘) key simultaneous with the “R” key, and press the power button. Keep holding these two keys until you see the Apple logo and a progress bar. You can then release them.
  5. This will boot the computer into what is called recovery mode, and your screen should look like this.

IMG_5414

  1. At the top left corner, click on Utilities, and then Terminal from the drop down.

IMG_5415

  1. A terminal window will open as shown below. Type “date” and record the info.

IMG_5419

  1. Now type “system_profiler SPHardwareDataType” and record the system output as below.

IMG_5416

  1. Now type “system_profiler SPSerialATADataType” and record the drive output as shown below.

IMG_5417

  1. As seen above, not only do you get the hard drive information, but you also get the logical structure as well.
  2. Besides the above information, there is a great deal of other system information you can extract here, and a comprehensive list of the commands can be seen HERE.
  3. Once you have recorded this information, you can shut the system down in a normal fashion, and you are done.


ARTICLES

    UPCOMING EVENTS

    • Events are coming soon, stay tuned!

    RULINGS