Safely and efficiently imaging a MacBook Air
I was reviewing some training material I put together today related to imaging MacBook Pro and MacBook Air laptops. I wanted to create a simple decision tree for the common scenarios when encountering Mac laptops. The basic breakdown was this:
- Remote imaging (really only used in corporate environment)
- Using SSH/SCP to load and start agent
- Locally imaging
- Target Disk Mode (easiest)
- Booting to external OS (CDROM or external hard drive) Used when device does not support TDM.
The simplest solution seems to be a large external drive that has a bootable OS on a small partition, but then a large second partition (FAT32 or NTFS) that can be used to hold the image.
Boot the MacBook Air by holding down the "option" key and selecting the listed bootable external drive. Once booted, you could use an imaging tool for that OS (OSX or linux) to image the internal drive to the external drive.
This solution only requires a single USB port and seems to be the simplest method. Although I would recommend using a powered external drive, this should work with a bus powered USB external laptop drive as well.
Aside from pulling out the internal drive, I would be interested in hearing what other people are doing or have found to be the quickest/safest/most efficient way?
ShareThis
Posts
9 comments:
I agree on early model Airs that only have one USB port creating a secondary USB boot drive with storage space is clutch. Not sure if you have seen it but I documented this process last year in detail on my blog. Would love to know if you do anything different or have any suggestions to improve my method - davnads.blogspot.com
Oh yeah, FTK imager cmd line works great for live images.
Hey Lance, I was under the impression that Mac laptops won't boot to drives connected via USB...only firewire. Blackbag has their Macquisition tool that connects via firewire, and I thought they used firewire because of this limitation with the Apple hardware.
I just tried to boot to a USB flashdrive with Raptor and it won't see it...Although I have booted a MacBook Air with a USB CD drive just like you describe above (I used a cheap USB hub to connect my destination drive and it worked great). So, I guess I'm confused as to what will work via USB and what won't...?
@Matt-
Mac laptops will boot to USB devices with no problem. You cannot rely on firewire as the single solution becauser the Mac Air does not have firewire, that is why I was advocating a USB solution that could be used on any Mac laptop device.
Raptor will not boot a Mac from USB because Macs require a GUID based disk to boot, not a traditional MBR based disk (Raptor). However you can boot a Mac with Raptor from CDROM because the drive (CDROM) is handled differently.
The simplest solution I have found is to take a blank external USB disk, connect it to a "forensic" or clean install of a Mac, then use a tool such as Carbon Copy cloner to copy the internal OSX disk to the external disk. You can then boot any Mac to that external disk via USB as long as you meet a few requirements:
1. The OS on the external is a version that is supported by the hardware you are trying to boot. i.e. the hardware has enough RAM and the processor architecture is correct.
2. Hold down the "Options" key when you boot and you will get a list of bootable devices and can select the external.
3. Turn off disk arbitration in the OS loaded on the external drive so it does not automatically mount the internal disk.
4. Load some type of imaging software on the external OS. You can use the internal version of DD, although I would recommend getting a more robust forensic version or using FTK imager for Mac.
This solution literally takes about 30 minutes to setup and get ready for use.
I once run into problems imaging an iMac. Not as hard as a macbook air, but it was still a nut to crack.
I wrote: http://translate.google.nl/translate?hl=nl&sl=nl&tl=en&u=http%3A%2F%2Fwww.digirec.nl%2Ftechnieken%2Fimagen%2Fimac-imagen (translated for you to English)about this.
I was in the lucky circumstance that I could boot the original Mac OS and image the live running drive then. Not the most forensic way of imaging, but sometimes you have not much of a choice and it worked fine for me that time.
"3. Turn off disk arbitration in the OS loaded on the external drive so it does not automatically mount the internal disk."
How did you achieve this? I am only able to unload disk arbitration which works until a reboot. If I remove the plist file from its source folder as some sites mention, the boot process hangs after selecting my external device.
*Using OSX 10.7.3
EnCase Portable or MacQuisition. Never leave home without 'em.
@Matt
Raptor will absolutely boot Macbook Air using USB
To boot a (recent) MacBook Air:
1. Download Linux Live USB Creator (http://www.linuxliveusb.com/) to make a 4GB USB bootable with RAPTOR
2. Boot MacBook Air holding down OPTION - booted to USB
3. At RAPTOR bootscreen, press TAB
4. At the bottom of the screen add "nomodeset" before the last --, use a USB drive created with LiLi.
If you have any questions contact us at: raptor@forwarddiscovery.com
Ryan
Post a Comment