
Forensic Imaging of MacBook Mini w/ FTK CLI...

Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Howdy,

I'm imaging a MacBook Mini with CLI, and I've done this many times before, but this time I am getting the error message Resource Busy (16), and I have no idea what to do about that.

Disk util shows /dev/disk1 as the logical partition for the "Core Storage" which is Disk0s2, which as I understand it is encrypted and therefore would do no good to image.

So, has anyone here successfully figured out how to get around the "Resource Busy (16)" error message? I am sure my commands are correct as I've done it many, many times before.

Thanks everyone for your help!

 
Posted : 06/11/2015 11:45 am
(@mrmoo28)
Posts: 16
Active Member
 

Image the physical disk /dev/disk1, convert it to a raw image with a .dmg extension, and mount this on another Mac box, which will request the decryption passphrase. You can then image the decrypted logical volume as DD, then convert to E01 if you wish.

Useful link

http://www.forensicon.com/forensics-blotter/capture-image-of-filevault2-encrypted-media-with-recovery-key/

 
Posted : 12/11/2015 9:35 pm
(@shep47)
Posts: 51
Trusted Member
 

Slightly delayed response, but I have spoken via PM to Samuel. Posted here for reference for future Mac imaging issues.

Firstly, run 'diskutil list' from Terminal and note the /dev/disk reference of the OS-mounted decrypted drive, i.e. 'disk2'.

In terminal, substitute '/dev/disk2' for '/dev/rdisk2'

of=output path on target media

sudo dd if=/dev/rdisk2 of=/Volumes/Path/Image.dmg bs=4096 conv=noerror,sync

Rgds

 
Posted : 19/11/2015 4:11 pm
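The steps in the last post, as an added example that is not part of the original thread: it finds the unlocked Core Storage logical volume in `diskutil list` output, maps it to its raw node, and prints the dd command line for review. The function names and the sample `diskutil list` output are constructed for illustration.

```shell
# Constructed sample of `diskutil list` output (Core Storage layout).
sample_diskutil_list() {
cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.4 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *499.1 GB   disk1
                                 Logical Volume on disk0s2
                                 00000000-0000-0000-0000-000000000000
                                 Unlocked Encrypted
EOF
}

# Read diskutil output on stdin; print the /dev/diskN node of each logical volume.
find_logical_volumes() {
  awk '/^\/dev\/disk[0-9]+/ { dev = $1 }
       /Logical Volume on/  { if (dev != "") print dev; dev = "" }'
}

# Map a buffered node (/dev/disk2) to its raw node (/dev/rdisk2); reject anything else.
to_raw_node() {
  case "$1" in
    /dev/disk[0-9]*) printf '/dev/r%s\n' "${1#/dev/}" ;;
    *) echo "not a /dev/diskN node: $1" >&2; return 1 ;;
  esac
}

# Print (do not run) the dd command from the post for a source node and output path.
build_dd_command() {
  raw=$(to_raw_node "$1") || return 1
  [ -n "$2" ] || { echo "missing output path" >&2; return 1; }
  printf 'sudo dd if=%s of=%s bs=4096 conv=noerror,sync\n' "$raw" "$2"
}

# On the Mac being imaged, replace sample_diskutil_list with: diskutil list
for dev in $(sample_diskutil_list | find_logical_volumes); do
  build_dd_command "$dev" /Volumes/Path/Image.dmg
done
```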