
Solution for Imaging an Apple Mac system

(@aditya5)
Posts: 11
Active Member
Topic starter
 

Hi All,

I want to know the better/best possible solution for forensically imaging Apple Mac systems.

What would be the best solution from the following?

1. Imaging a Mac using Paladin (but Paladin doesn't support Vault-encrypted Mac systems)
2. Imaging a Mac using MacQuisition (but in this we need to boot it)
3. Imaging a Mac SSD by taking it out, using a connector, and then imaging it using EnCase/FTK (but would EnCase be able to image the encrypted Mac systems?)
4. Any other solution.

Please suggest,

Regards
Aditya

 
Posted : 01/06/2016 11:41 am
zhaan
(@zhaan)
Posts: 50
Trusted Member
 

We use MacQuisition. I have used Paladin but more often than not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.

 
Posted : 01/06/2016 11:51 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

+1 for MacQuisition. Excellent tool for imaging Macs, for the reasons outlined above.

By the way - given your comment regarding "you have to boot it", are you aware that MacQuisition works in a similar way to Paladin, i.e. it comes as a bootable USB stick?

 
Posted : 01/06/2016 12:18 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

We use MacQuisition. I have used Paladin but more often than not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.

+2 for this as well. I have found Fusion drives a particular nightmare that only MQ recovered. Often I had to boot another Mac using MQ and Thunderbolt the Mac with the Fusion drive out into the machine running MQ with a big drive inside it just to see the data properly.

 
Posted : 01/06/2016 1:20 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

+3 for MacQuisition

On the occasion it does fail–and it does happen–we've also used target disk mode when connected to a FireWire write blocker, and single user mode with a USB3 hard drive with FTK Imager CLI on it. Single user mode mounts the system volume read-only unless you make it read/write on purpose.

 
Posted : 01/06/2016 11:51 pm