By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 10, 2016
This paper outlines various destination drives and connection methods, while conducting forensic imaging of a MacBook Air Solid State Drive.
Details of Subject Machine
MacBook Air 11”
128 GB SSD
4 GB RAM
Brand new as of February 28, 2016
Imaging took place on February 29 and March 1, 2016
Imaging Process
Imaging was performed by booting to a MacQuisition USB drive and using MacQuisition to control the imaging process.
Destination media was plugged directly into the subject machine in various ways as outlined below. Hashing was not performed on any images except as indicated to show the time tax due to hashing.
Destination media interface was SATA unless otherwise noted.
Benchmark Times
Drive Connection Hashed Time
HDD 5400 RPM Thunderbolt No 27 minutes
HDD 7200 RPM Thunderbolt No 24 minutes
SSD Thunderbolt No 7.5 minutes
SSD (m-SATA) USB 3 No 7.5 minutes
SSD USB 3 No 8.2 minutes
HDD 7200 RPM USB 3 No 20 minutes
HDD 7200 RPM (FVE) USB 3 No 16 minutes
HDD 7200 RPM USB 3 MD5 21 minutes
HDD 7200 RPM USB 3 SHA1 21 minutes
HDD 7200 RPM USB 3 SHA256 32 minutes
Image performed Target Disk Mode to SSD at 64KB Block Size, No Hash, 53 minutes
Image performed Target Disk Mode to SSD at 512KB Block Size, No Hash, 20 minutes
Observations
Surprisingly, USB 3 performed better than Thunderbolt.
FileVault imaged faster than no encryption.
Clearly, block size has considerable impact on Target Disk Mode acquisition.