Before I continue my on how to image Mac systems, I wanted to cover how to mount and work with FileVault2 encrypted Mac images. By 'work with', I mean decrypt it and create an image of the decrypted volume in either raw (dd) or E01 format to pull into X-Ways, EnCase etc. To do this three things are needed: 1) A full disk image of the encrypted system in raw format (dd) 2) The - it has all the (free!) tools needed already installed 3) The password or recovery key for the volume.

For this example, I am going to use the encrypted disk image of a Mac I created from this. Below is what the encrypted image looks like in FTK Imager. Note that the second partition, MacOSX, is showing as an Unrecognized file system. This is because it is encrypted with FileVault2.

This is the second post in my series on different ways to image a Mac. My was on how to image a Mac with a bootable Linux distro. This post will cover another option, creating an image by booting a Mac into single-user mode. I plan on following up this post with posts on creating a live image and how to mount and work with FileVault encryption after an image is complete. Single-user mode is a limited shell that a Mac can boot into before fully loading the operating system.

In single-user mode, the internal hard drive is mounted read only and a limited set of commands are available. Once in single-user mode, a USB drive can be attached and dd can be used to create an image. In order to mount the USB drive, the internal drive needs to be changed to read/write to create a mount point. While not as forensically sound as using a write blocker or booting into a Linux distro, less changes are made than fully booting the operating system to take a live image. This may be a good option where it is acceptable to get a live image, but the examiner wishes to minimize changes to the hard drive.

Another benefit is that if there is FileVault encryption, the encrypted drive is decrypted after a username and password are supplied. The system I used for testing was a Mac Mini, OS X Version 10.8.5 with one hard drive. Three partitions were created by default during the initial setup: an EFI partition, a MacOSX partition, and a recovery partition. I tested two scenarios, one without encryption and one with encryption (FileVault 2). For each step I will cover both scenarios. The high level steps are: 1) Boot into single-user mode 2) Determine the disk to image 3) Mount the USB drive that will hold the image 4) Run the dd command to create the image Edit 8/1/2016 Please read the comments as well. I have had some people in the community provide some great tips and suggestions since this was posted! How-to: boot commands for mac.

Step 1 - Boot into single-user mode The first step is to boot into single-user mode. While the system is booting, select COMMAND-S to enter single-user mode. I usually hold down this key combo before I even power on the system so I don't accidentally 'miss' it. At this time, I do not to have the USB drive that will hold the image plugged in. Unencrypted If the system is not encrypted a bunch of white text will scroll and finally present a shell with root. After the username and password are entered, the single-user boot process continues and drops into a shell similar to the unencrypted system.

Step 2 - Determine what to image The next step is to determine what block device to copy for the dd command. In order to determine this, use the ls command to get a list of the available disks under the /dev directory. As I mentioned before, I prefer to do this before I plug the USB drive in so I don't have to try and guess which is the internal hard drive and which is the USB drive. (OS X has a disk utility called diskutil that presents more verbose information about the disks, however, it is not available in single-user mode). From these results I can tell that disk0s1 is the EFI partition, and disk0s3 is an HFS partition.

Ftk Imager Download Windows

Free Ftk Imager 2.9 For Mac

Disk0s2 is showing as 'data'. This happens when the file command can't tell what the file is, it just gives a generic 'data' in response - which makes sense if the partition is encrypted. Some quick math give us the partition sizes: EFI disk0s1 size = 409600 sectors X 512 bytes per sector = 209715200 bytes = 210 MB HFS disk0s3 size = 4096 bytes per block X 158692 blocks = 650002432 bytes = 650 MB Next, I want to see what size disk0s2 is.

I can use fdisk /dev/disk0s2 for this. Rdisk1 size = 4096 bytes per block X 243898823 blocks = 08 bytes = 999 GB /dev/disk0s2 and /dev/disk1 are about the same size, 999GB, and /dev/disk1 is a readable HFS partition. Based on my experience and the outputs above, it appears /dev/disk1 is the OS X partition (disk0s2) in a decrypted state. For imaging, either /dev/disk0 or /dev/disk1 can be used. If /dev/disk0 is used, all three partitions will be captured, but the data in the MacOSX partition - /dev/disk0s2 will remain in the encrypted state.

If /dev/disk1 is imaged, it will have the MacOSX data in an decrypted state,but will not have partition 1 (EFI partition) and partition 3 (Recovery partition). I like to grab both /dev/disk0 and /dev/disk1.

Step 3 - Mount the external USB Drive The next step is to mount the external USB drive so the image can be saved onto it. The USB drive can be formatted in FAT32 or HFS.

FAT32 has the benefit of both Windows and Mac being able to access it, but it has a 4GB file size limit. While HFS does not have the 4GB limit, Windows is not able to see it by default (if you have a Mac with bootcamp your Windows OS should be able to read HFS if the bootcamp drivers are installed). For my tests I used a FAT32 USB drive for the unencrypted system, and an HFS USB drive for the encrypted system so I could demonstrate the syntax for both. After plugging in the USB drive, run ls /dev/disk. again. Compare the outputs to determine which /dev device belongs to the USB drive. Here I can see 'MacEncryptedImage' and 'MacImage', the folders I created on the USB drive.

Everything looks good to go. Step 4 - Create the image To create the image, the dd command can be used. For dd, I use the options recommend on the The syntax looks something like this: dd if=/dev/disk0 bs=4k conv=sync,noerror of=/tmp/usb/macimage.dd Lets break down this command:. if=/dev/disk0: this stands for input file. This will be the disk that requires imaging. bs=4K: this is the block size used when creating an image. The Forensic Wiki recommends 4K.

conv=sync,noerror: if there is an error, null fill the rest of the block; do not error out If /dev/rdisk is available this can be used instead of /dev/disk. Rdisk provides access to the raw disk which is then /dev/disk which uses buffering. Unencrypted system For the unencrypted system the image will be of /dev/disk0 to a FAT32 USB mounted drive.

Since FAT32 has a 4GB file size limit, dd will need to be piped through the split command to keep the file size under 4GB. So, in summary, here are the steps and commands covered above:. Use Command-S to boot into single user mode. Use ls /dev/disk. to determine the disk(s) to image. Plug in the USB Drive.

Use ls /dev/disk. to determine USB drive device. Use mount -uw / to change internal drive to read/write. Use mkdir /tmp/USB to create a mount point. Use mount to mount the USB Drive. mount -t msdos /dev/disk1s1 /tmp/usb (for FAT32). mount -t hfs /dev/disk2s2 /tmp/usb (for HFS).

Create disk image using dd. dd if=/dev/disk0 bs=4k conv=sync,noerror split -b 2000m - /tmp/usb/disk0.split. (FAT32 USB). dd if=/dev/rdisk0 bs=4k conv=noerror,sync of=/tmp/usb/rdisk0.dd (HFS USB) While these steps worked on my test Mac, examiners should always test and research the model they are encountering.

I was limited to one test system, one hard drive and FileVault2 encryption. I also recommend trying this on a test Mac before running these steps on actual evidence.

Single user-mode logs in as root, and this can be very dangerous. Remember - Trust but Verify!:). These are some comments sent to me by Derrick Donnelly. I wanted to pass them on as they are really helpful!

Imager

A few things I thought I would pass on about your post: It is always good to boot a Mac first holding down the Option key to make sure the system does not have a Firmware Password before trying to boot into Single User Mode. Boot using Option key, see if there is no Lock Icon, shutdown and reboot from Single User Mode. If a Firmware password is set, I have seen times when it it would bypass single user mode boot up directly the system and change a lot of time stamps at boot time You can also try to boot from the recovery partition then from Single User Mode from the recovery partition. It can be tricky to get it right but there is less chance of the user trying to do something to disable single user mode in the recovery partition. To be more forensically sound, you could avoid doing the mount -uw and instead of imaging to a file, you could image directly to another device (basically clone the internal drive to an external drive because you do not mount anything).

The destination device has to be the same size or larger (usually easier to just have a larger drive). You might also want to wipe the destination drive before imaging. When you do the mount -uw you will change the last modified date and time for the volume at a minimum. Suppose you have disk0 (internal drive) and disk2 (external usb drive) When using a disk in Mac OS X as a source or destination, you should always you the rdisk entry for that disk entry (it will make for faster imaging).

I know you talked about the raw disk in your blog but I can tell you for sure that the risk will be faster when using dd. Dd if=/dev/rdisk0 bs=65536 conv=noerror,sync of=/dev/rdisk2 Input = /dev/rdisk0 Output = /dev/rdisk1 (going directly to a device instead of a file) I also tend to use a big block size of bs=65536 but if you run into media errors, you can lose more data if you have the media errors. If you do image to a single file, you could use the.dmg extension instead of.dd if you plan to mount it as an image file in Mac OS X using hdiutil later. If you do split the image into segments, you can use this naming convention for Mac OS X hdiutil Macrdisk1.dmg Macrdisk1.001.dmgpart Macrdisk1.002.dmgpart Macrdisk1.003.dmgpart Macrdisk1.004.dmgpart.

Free Ftk Imager 2.9 For Mac

Macrdisk1.xxx.dmgpart Always make sure the image or all the segments are locked before attempting to mount.dmg files. If you image to a device (or clone to it), once the imaging is complete you have to put the clone drive on a Write-Blocker or time stamps again will change. Later you could image from that clone drive to files or a single.dmg file. Hope this helps.