By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 8, 2016
The instructions below are designed to create a forensic image of a Mac Computer via the command line and Target Disk Mode, so that you don’t have to spend piles of money on acquisition programs. This has NOT been tested on every Apple OS, but I have tested it on Mountain Lion, Mavericks, Yosemite, and El Capitan. It should work on any Intel based Mac. Instructions and screen shots are from El Capitan. Your system may vary slightly. Read all instructions FIRST, before attempting. This tutorial is about as simple and “step-by-step” as it gets. If, after reading this, there are still things you don’t understand, STOP before you START. If this is your first time dealing with acquisition of Apple computers, now is not the time to practice on a real case.
WARNING
This tutorial does not get into evidence intake procedures. It is assumed that you are already aware of them, and will follow them in every case. This tutorial also assumes that you have the necessary credentials to access the device.
Setup
There are some necessary steps to perform prior to actually starting your collection. First and foremost, we must determine if the computer is on or not. This is not a tutorial on seizure practices, but it is assumed that if the computer is on at time of seizure, it will be handled as such, with imaging of RAM, and potential imaging of a live system being the way to proceed. For instructions on acquiring RAM click HERE. For instructions on doing a live acquisition on a machine that is running, click HERE. The decision to image live or not is a judgment call based on the situation and goals of the investigation.
You will need to prepare destination media to receive the forensic image you are creating. A tutorial for how to format media for use in a Mac environment can be read HERE.
Especially with Apple laptops, they rarely ever get turned off. Most importantly for laptops, ensure that they are plugged into the power supply before doing anything. Any good lab will have an assortment, in case the device didn’t arrive with one. Press the spacebar a couple of times, and if the computer was simply asleep, it will come on. Since this tutorial is based on a computer that is off, we will proceed as such.
- You must first determine if imaging the drive via this method is even possible. You must check for a number of things in a particular order. a) is there a Firmware Password; b) is FileVault enabled; c) is there a Fusion drive; and d) what is the Block Size. The first two will be determined in early steps below, and the last two will be determined as the imaging process progresses.
- There are a number of special keystrokes that will cause a Mac to boot in various different ways, some of which are integral to performing forensic acquisitions. A list of these can be seen HERE.
- The first step will be to turn on the subject machine while holding down the “option” key. Keep holding down the “option” key until you see one of the two screens below. If you see anything other than these two (like a login screen), you boo-booed.
The picture on the left is what you will most likely see, and that is a good thing. Now shut the computer off by holding down the power button for 4 seconds. The picture on the right is evidence that a Firmware Password is in use. This is pretty much bulletproof, and without having the password, your interaction with this computer is done, unless you are able to remove the hard drive and image it separately. (If it has FileVault enabled, and you have no passwords, this is useless). As before, shut the computer off by holding down the power button for 4 seconds. This Firmware Password is at the hardware level of the computer, and not on the hard drive, so hard drive removal bypasses this. I have made a tutorial on removing hard drives from Mac products, and it can be seen HERE.
- The second step to seeing what you are up against is to determine if FileVault is enabled or not. Unfortunately, if it is, you are going to alter the contents on the hard drive before you find out. As long as you follow the steps below, you will be able to explain what you did, and why the forensic image might look like it was accessed while in your custody, and it won’t be a problem. What you need to do is enter what is called “Single User Mode”.
- Single User Mode is accessed by holding down the Apple (⌘) key simultaneously with the “S” key, and pressing the power button. Keep holding these two keys until one of two things happens. Either you will see a Terminal window open with all kinds of writing in it as shown below (GOOD), or you will arrive at the regular login screen (BAD). If the former, continue reading. If the latter, STOP. Press and hold the power button for 4 seconds until the computer turns off. If you arrived at the latter, this means that FileVault is enabled, meaning you can’t access Single User Mode. You can still image the hard drive (because you have the password or FileVault key, right?), but there is certain system data you don’t have easy access to. If this is the case, you can jump ahead to the section on enabling Target Disk Mode now. If you got the Terminal window, it looks like the picture below.
- Type “date” as shown below. This is the closest thing to BIOS or UEFI style date/time data accuracy against the metadata on the drive. Take a photo of this information. I like to take a photo of the screen while holding my phone beside it, so I capture the phone’s date and time beside the computer date and time. Reason being that the phone date and time are issued by a server out of your control, so are considered to be accurate. It will also give you a reference later, to determine accuracy of metadata on the computer.
- Now let’s grab some data about the computer system. Again, this is only if you are able to access Single User Mode. If not, at the end of this tutorial are instructions on what to do to collect system information for drives with FileVault enabled. In the picture below, you will see we have gathered system information by typing “system_profiler SPHardwareDataType”.
- Take a picture of this. Then type “system_profiler SPSerialATADataType”.
- This will give you the hard drive data. For some reason, when doing this on a computer with Fusion drive, it only shows the HDD, and not the SSD. Some is better than none. Once this is recorded, hold the power button down for 4 seconds to turn off the computer.
- At this point, we need to ensure that when you are performing the functions outlined, they are being performed on the right computer. From this point forward, we will refer to the computers as follows: the computer you are imaging is the SUBJECT COMPUTER; the computer that does the work, and where most of your typing will be done, is the CONTROL computer; and the external hard drive where the forensic image is going to be written is the DESTINATION drive or media.
- We will now prepare the control computer. Ensure that it is turned on and that you are logged in to it. Open a Terminal window.
- Go to the top right of the desktop screen and click on the magnifying glass (Spotlight Search).
- In the middle of the screen, a box will open up. Type in the word “Terminal” as shown below. As you type, you will see the options appear below your typing. Once you have typed the whole word, press Enter.
- After pressing Enter, the Terminal window will open.
When typing instructions in the following steps, only type what is inside the quotes. Don’t type the quotes themselves. It is assumed that you will hit Enter at the end of each instruction. It will not always look like you accomplished anything. Don’t worry about it. Keep following the steps unless you get some kind of error message. Especially at times when prompted for a Password, you will not see anything happening as you type it. That is normal. Just type it and press Enter. Anything placed inside < > is a variable that will be determined by you. Don’t type the < >.
Acquisition
- Connect the destination external drive to the control machine. What should you use for a destination drive? I have created a document where I benchmarked multiple configurations, so you can see speeds across different methods. The document can be read HERE.
- Unless otherwise stated, the following steps are assumed to be on the control machine.
- Back in the Terminal you just opened, note the User name, as you may need it later. Everything you will see behind the flashing cursor is info about the computer. In the example below, the computer name is “ELEMENTS”. The “~” means that we do NOT have Root level access on the system. The User name on this computer is JF and is immediately followed by the “$” sign. Then you see the cursor. This line along with the cursor is called a command prompt.
- Type “date” to get the control system date, time, and time offset, as shown below, and take a photo. I like to take a photo of the screen while holding my phone beside it, so I capture the phone’s date and time beside the computer date and time. Reason being that the phone date and time are issued by a server, so are considered to be accurate. It will also give you a reference later, to determine accuracy of metadata on the computer.
- Type “diskutil list” and press Enter, as seen below. This will now give you the list of hard drives on the control computer, as well as the architecture of each hard drive. It will also list various elements such as whether the drive is encrypted, whether CoreStorage is enabled, and whether a Fusion drive is in use. You MUST understand this layout in order to identify exactly what to image, and how. A description of this can be seen HERE.
- Understand that the above screenshot is our control computer. We have not yet involved our subject computer.
- In our example on the subject machine, CoreStorage is not enabled, FileVault is not enabled, and the drive is not a Fusion drive, so we will proceed with the instructions based on that. CoreStorage, FileVault, and Fusion bring an entirely different dynamic to the playing field, and change the way you would image them. I have written a paper on the differences in acquisition of the different situations you may face. That paper can be read HERE. As well, a tutorial for acquiring FileVault (CoreStorage) can be seen HERE, and a tutorial for acquiring Fusion drives can be seen HERE.
- Back to the task at hand. In the picture above, we see /dev/disk0, /dev/disk1, and /dev/disk2. This is quite a simple layout. /dev/disk0 is the physical hard drive in the control machine, /dev/disk1 is the logical CoreStorage drive on the control machine (inconsequential to this tutorial), and /dev/disk2 is the destination hard drive. In the right most column, you see disk0s1, disk0s2, disk0s3, etc. These are the partitions or Volumes of the hard drive. On Macs (and Linux/Unix flavors), they are called Slices, hence the s1, s2, s3 following the disk0. On Slice 2 of disk0, or disk0s2, you can see the words “Apple_CoreStorage”. When you see this, it does NOT automatically mean FileVault is enabled.
- Take note of these physical disks, as you will need them later in the process.
- You need to now disable DiskArbitration on the control computer. This function mounts the drives connected to it. Obviously the moment we plug in the subject computer, the drives will mount, and we have now just written to our subject drive. Not good. RECAP. Don’t disable DiskArbitration until AFTER you plug in your destination drive. But don’t plug in your subject computer until AFTER you have disabled DiskArbitration.
- To disable DiskArbitration, type “sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist” and press Enter, as seen below.
- You will be prompted for the password on your control computer. Enter it and press Enter.
- Now it is best to test if it worked. Type “diskutil list” again. If DiskArbitration is off, you will see the message below.
- With DiskArbitration off, you can no longer see the drive names and volumes. This could make things very confusing if you are not prepared. That is why logging the drive numbers was important. We can use a different tool to at least see what drive numbers we have. So type the following as shown below: “ls -l /dev/disk* | grep disk.$”
- The same three physical drives are being shown, even though /dev/disk1 is not a real physical drive, but a logical CoreStorage drive that is seen as a physical drive (not important here, but important if your subject computer had FileVault enabled).
- At this point, turn your attention to the subject machine. You need to place it into Target Disk Mode.
- This is done by holding down the “T” key and then turning on the subject computer. Continue holding down the “T” key until you see the image below, then you can let go.
- You have two choices at this point. You can use Thunderbolt or FireWire. But of course, both the subject computer and the control computer must have the same. Pretty much everything since 2011 has Thunderbolt. Anything prior to that would not have any of the security in today’s systems, and thus could be imaged using normal tools after removing the hard drive. In my example, I used Thunderbolt.
- Plug the Thunderbolt cable into the subject computer, then plug the other end into the control machine.
- One of two things will happen. Either nothing noticeable (which is good), or you are prompted for a subject machine password on the control machine (bad). This means that FileVault is enabled. Without the password, you are done.
- In the event that nothing happens, you can now type the same “ls -l /dev/disk* | grep disk.$” command you used after disabling DiskArbitration. You will now see something like the below.
- You can see that there is an additional disk now. This is the subject drive being seen. This will always happen in sequential order, so you know that disk3 is the newest addition, or the computer that you just plugged in.
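A small set of shell helpers for this disk-identification step, added here as an example and not part of the original tutorial. Rather than relying on the newest disk always receiving the next number, it saves the “ls -l /dev/disk*” listing before and after the subject machine is connected and prints the difference. The listings in the script are constructed sample output, not captured from a real system, and the grep pattern is widened from the tutorial’s “disk.$” to “disk[0-9][0-9]*$” so that disk10 and above are matched too.

```shell
#!/bin/sh
# Added example (not from the original tutorial): identify the subject
# disk by comparing /dev/disk* listings taken before and after the Target
# Disk Mode connection, instead of assuming "the highest number is new".

# whole_disks: read an "ls -l /dev/disk*" listing on stdin and print only
# the whole-disk device names (disk0, disk3, ...), dropping slices such
# as disk0s2. Output is sorted so it can be handed to comm(1).
whole_disks() {
    grep 'disk[0-9][0-9]*$' | sed 's|.*/dev/||' | sort
}

# new_disks BEFORE AFTER: print names present in the AFTER snapshot file
# but absent from BEFORE. Both files must have come from whole_disks.
new_disks() {
    comm -13 "$1" "$2"
}

# Constructed sample listings standing in for real ls output. The "before"
# snapshot holds the control Mac's disk0, the CoreStorage logical disk1 and
# the destination drive disk2; "after" adds the subject machine as disk3.
SAMPLE_BEFORE='brw-r-----  1 root  operator    1,   0 Mar  8 09:00 /dev/disk0
brw-r-----  1 root  operator    1,   1 Mar  8 09:00 /dev/disk0s1
brw-r-----  1 root  operator    1,   2 Mar  8 09:00 /dev/disk0s2
brw-r-----  1 root  operator    1,   3 Mar  8 09:00 /dev/disk1
brw-r-----  1 root  operator    1,   4 Mar  8 09:00 /dev/disk2
brw-r-----  1 root  operator    1,   5 Mar  8 09:00 /dev/disk2s1'
SAMPLE_AFTER="$SAMPLE_BEFORE
brw-r-----  1 root  operator    1,   6 Mar  8 09:05 /dev/disk3
brw-r-----  1 root  operator    1,   7 Mar  8 09:05 /dev/disk3s1
brw-r-----  1 root  operator    1,   8 Mar  8 09:05 /dev/disk3s2"

# demo_new_disk: run the comparison on the constructed samples and print
# the name of the disk that appeared (disk3).
demo_new_disk() {
    before=$(mktemp); after=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" | whole_disks > "$before"
    printf '%s\n' "$SAMPLE_AFTER"  | whole_disks > "$after"
    new_disks "$before" "$after"
    rm -f "$before" "$after"
}

# On the control Mac the real sequence is:
#   ls -l /dev/disk* | whole_disks > /tmp/before.txt   (before plugging in)
#   ls -l /dev/disk* | whole_disks > /tmp/after.txt    (once in Target Disk Mode)
#   new_disks /tmp/before.txt /tmp/after.txt
demo_new_disk
```

Whatever new_disks prints is the whole-disk number to carry into the hdiutil and dd steps; if it prints more than one name, stop and work out which one is the subject drive before imaging anything.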
- At this point, we are faced with a potential problem. Device Block Size. Generally speaking, on most Macs, the Device Block Size is 512 bytes, and the Allocation Block Size is 4096 bytes. Anybody recognize this? In NTFS, it is called Sector Size (512 bytes), and Cluster Size (4096). But I digress. Some 2015 and newer models of MacBook and MacBook Air now have a Device Block Size of 4096 bytes, and this will be adopted by all Macs in the near future. It has to do with data speed, and storage optimization, and it means they are completely unreadable by computers that have a Device Block Size of 512 bytes. If you forensically image a 4096 byte computer with a 512 byte computer, you will NOT be able to open the image. You will need another 4096 byte computer to mount the image. The only forensically sound method if not using a 4096 byte computer (as of the time of this writing) is to use a tool called MacQuisition (not cheap, but incredible), and image the logical volume. So before we waste a bunch of time creating a useless forensic image, let’s see what the Block size is.
- This instruction is also great for seeing what is inside a /dev/disk if you lose track.
- Type “hdiutil partition /dev/disk<?>”, where the <?> is the number of the disk you want information on. You will get a warning message asking for your control password, as shown below.
- Once you enter it, you will get the following screen. For /dev/disk3, we see the below.
- You can now see that /dev/disk3 is the MBR, and not the /dev/disk that we want to image. Let’s look at /dev/disk5 with the same instruction.
- We now see that this is “whole disk”. This is the disk we want to image. We also see “block size”, and in this case, it is 512.
- Another indicator that you may be looking at a 4096 byte block size computer, is that when you run the command to see all the /dev/disks, a 4096 byte block size will not show anything other than /dev/disk0. So if you don’t see all of the disks that you were expecting, this may be why.
- It is imperative that you understand that Target Disk Mode will NOT show all drives in the subject computer. It will only show the Master drive(s), and no Slave drives. You must check the computer physically to determine if there are more drives.
- Now, type “date” (yes, again), press Enter, and take a picture. Don’t waste any time from this point forward, as any time unaccounted for will be difficult to explain in court.
- Type the instruction to start the imaging, as seen below. The line to type is sudo dd if=/dev/rdisk3 of=/Volumes/<name of your destination Volume>/<name of your image file>.dd bs=64k conv=noerror,sync
- Let’s break down what is happening in that line. “sudo” means “SuperUser Do”. In other words, run the following command as “Root”. “dd” is the name of the program we are using to perform the forensic image. “if=” means “Input File equals”. In other words, what are you imaging? This is the file path to the subject drive. You will note that we have used “rdisk3” instead of “disk3”. Why? Google it. The biggest reason that matters is that it speeds up imaging by 20-30%. Next is “of=”, or “Output File equals”. This is the file that will be created on the destination drive, so we have typed the path to the destination drive, and given our acquisition a name, with .dd on the end. Next is “bs=64k”. This is the block size that the program will use as it is imaging. In other words, in this case, it will process the data in 64 KB chunks. Why does this matter? When a chunk of data is being read, if there is a problem with the subject media, dd will just fill the rest of the block with zeros. If the block size is small, you will not have lost much data, but if the block size is large, you may very well lose vast amounts of data that you otherwise would have gotten. So you might think that making it really small is better. But block size will also dictate how long the imaging process takes. The same drive that takes 1 hour with a 64k block size will take a dozen hours or more at 4k. So we need a happy medium, and 64k is that happy medium. Next in line is “conv=noerror,sync”. This means that if there is a problem when reading a block, don’t stop the imaging process. Just skip over the rest of the block to the next one, and pad the space on the destination drive with zeros. It is also worth noting that if there are any issues during the imaging process, you will be notified at the end of any blocks that had problems.
- Back to the process. Once you type the instruction and press Enter, you will be prompted for the password of the control machine. Enter it here and press Enter, and the imaging will start. It will look like nothing is happening. Nothing will appear on the next line until the image is complete, at which time you will see something like the picture below. Depending on the size of the subject drive, this could be hours.
- Again, type “date”, and immediately take a photo. The reason you have done this is to show that you have not had time to alter data in the image. You can see that the total time for the image is listed above in seconds. Immediately hash the image file by typing “md5 /Volumes/<name of your destination>/<name you called your image file>.dd”. This process will take some time.
- Once done, the hash of the file will be shown as below. It goes without saying that you should record this.
- If you would rather hash using other processes like SHA, refer to the document outlining the different commands HERE.
- You are now done. Close the terminal window, and navigate to your destination drive. Right click on the .dd file you just created, and select “Get Info”. In the screen that appears, click in the box beside the word “Locked”, as seen below. This will lock the file and protect from inadvertent writing later.
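The imaging, hashing and locking steps above, gathered into one shell wrapper. This is an added example, not the tutorial’s own code: it runs the same dd command (bs=64k, conv=noerror,sync), but also writes the before and after “date” readings, dd’s block counts and the MD5 into a log file beside the image, and then locks the image. The source and destination are parameters; on the control Mac they would be /dev/rdisk3 and /Volumes/<destination>/<image>.dd. The demo at the bottom runs it against a constructed file rather than a real device, so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not from the original tutorial): wrap the tutorial's dd
# acquisition so that timestamps, dd's own record counts, the MD5 of the
# image and the lock step are all recorded in DEST.log next to the image.
set -u

# md5_of FILE: print the MD5 hex digest with whichever tool the host has
# (macOS ships md5, Linux ships md5sum).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# lock_file FILE: command-line equivalent of ticking "Locked" in Get Info
# (the user-immutable flag); falls back to clearing the write bits where
# chflags does not exist.
lock_file() {
    if command -v chflags >/dev/null 2>&1; then
        chflags uchg "$1"
    else
        chmod a-w "$1"
    fi
}

# acquire SOURCE DEST: image SOURCE into DEST with bs=64k and
# conv=noerror,sync exactly as in the tutorial, logging to DEST.log.
# Returns dd's exit status so a failed acquisition is not silently ignored.
acquire() {
    src=$1; dst=$2; log=$2.log
    {
        echo "source:      $src"
        echo "destination: $dst"
        echo "start:       $(date)"
    } > "$log"
    # noerror: keep going past a read error; sync: zero-pad a short block so
    # every later offset in the image still lines up with the device.
    dd if="$src" of="$dst" bs=64k conv=noerror,sync 2>> "$log"
    rc=$?
    echo "dd exit:     $rc" >> "$log"
    echo "end:         $(date)" >> "$log"
    echo "md5:         $(md5_of "$dst")" >> "$log"
    lock_file "$dst"
    return "$rc"
}

# logged_md5 DEST: read the hash back out of DEST.log (the value you copy
# into your notes).
logged_md5() {
    sed -n 's/^md5: *//p' "$1.log"
}

# demo_acquire: stand-alone run on a constructed 32-byte "disk". The image
# comes out 65536 bytes long because conv=sync pads the final short read
# up to the 64k block size. Prints the log and the directory it used.
demo_acquire() {
    dir=$(mktemp -d)
    printf 'constructed sample disk contents' > "$dir/fake_disk.bin"   # not a real device
    acquire "$dir/fake_disk.bin" "$dir/image.dd"
    cat "$dir/image.dd.log"
    echo "$dir"
}
```

Run it as root with the real device (“sudo sh acquire.sh”, then “acquire /dev/rdisk3 /Volumes/<destination>/<image>.dd”). One caveat worth knowing before you compare hashes: conv=sync pads the last partial read up to 64 KB, so if the device’s size is not a multiple of 65536 bytes the image will be slightly longer than the device, and its MD5 will not match a hash of the raw device taken with a different block size. Record the device size from the hdiutil step alongside the image hash so that difference can be explained.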
- Now power down the control computer. Because you previously turned off DiskArbitration, you cannot properly eject the destination drive.
- Once the control computer is powered down, unplug the subject computer, and the destination drive. Power down the subject computer by holding down the Power button for 4 seconds. You are now done.