Macbook Air Acquisi...
 
Notifications
Clear all

Macbook Air Acquisition

21 Posts
14 Users
0 Likes
2,858 Views
 isth
(@isth)
Posts: 65
Trusted Member
Topic starter
 

Hi All,

I just acquired one of these and wanted to share my findings. This was a newer Macbook Air with 2 USB ports

-Raptor allows you to boot into the machine but does not recognize the SSD drive.
-Paladin allows you to boot into the machine but does not recognize the SSD drive. This one shouldn't have been a surprise but the website clearly states "Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)" so I was hoping that one would intend to image the mac after booting into it forensically.
-LinEn allows you to boot into the machine but does not recognize the SSD drive.

I ended up using FTK Imager for Mac GUI (http//www.appleexaminer.com/Utils/Downloads.html) to perform a live acquisition. It took about 2 hours to capture/transfer the 128GB drive to a USB2.0 external drive.

I am also told that EncasePortable will do the job (using the boot CD, as it won't boot of USB drive).

Hope this helps some people in the future!

 
Posted : 14/06/2011 4:08 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

Here is a write up on imaging a Macbook Air with WinFE as another option that may work
http//katanaforensics.com/2011/05/imaging-a-macbook-air/

 
Posted : 14/06/2011 5:19 am
(@r00ster)
Posts: 12
Active Member
 

All possible solutions. I would recommend MacQuisition from BlackBag as it is a licensed version of OS X from Apple, which has been forensically modified and has been tested on over 200 Apple devices including the Air.
It was also in the review that bshavers mentioned.

Full disclosure I am the VP of Product Development at BlackBag.

 
Posted : 14/06/2011 8:30 am
kiashi
(@kiashi)
Posts: 99
Trusted Member
 

We have had very good results since we purchased MacQuisition including on a MacBook Air with a SSD. Slow only in the USB/Firewire speed restriction but very efficient and extremely easy to use, not to mention portable! )

 
Posted : 14/06/2011 4:53 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

I was unable to get a Mac Air to boot with WinFE. Multiple sources told me that the Air would only boot from an external OS X boot source so WinFE, Raptor, etc all will not work on "recent" Airs. The only surefire option, at the moment, seems to be MacQuisition.

-David

 
Posted : 15/06/2011 8:50 am
(@jgarcia)
Posts: 25
Eminent Member
 

Sorry for the late reply, but have you heard of Paladin by Sumuri? It's pretty good and at a good price, FREE -)

Steve Whalen, who created the Raptor Live CD, created Paladin when he left Forward Discovery.

http//www.sumuri.com/index.php?option=com_content&view=article&id=93&Itemid=87

http//www.sumuri.com/software/paladin-download.html

Joe

 
Posted : 24/06/2011 4:32 am
imk54831
(@imk54831)
Posts: 17
Active Member
 

Another alternative is to install a licensed copy of retail OSX onto a USB and set the permissions on the /Volumes folder on your USB based OSX to prevent auto-mounting during boot. From here you can use FTK imager or dd to image

Ian

 
Posted : 08/07/2011 10:36 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

I've been meaning to build one of these, but haven't gotten motivated yet ….

-David

 
Posted : 09/07/2011 3:26 am
Beetle
(@beetle)
Posts: 318
Reputable Member
 

Greetings,

I was unable to get a Mac Air to boot with WinFE. Multiple sources told me that the Air would only boot from an external OS X boot source so WinFE, Raptor, etc all will not work on "recent" Airs. The only surefire option, at the moment, seems to be MacQuisition.

-David

Interesting, was there a difference if you were using the "magical" Apple external Air DVD drive or were your results using something else for a boot device? Was there any indication from your sources as to what was different between the different generations? Is it something to do with SSDs?

I am curious if there has been some change in the hardware.

 
Posted : 09/07/2011 4:32 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

The issue seemed to be only with booting from a thumb drive or external USB drive. Booting from a CD and an external CD drive seems to work, though more testing is required.

-David

 
Posted : 09/07/2011 10:55 am
Page 1 / 3
Share: