Hi All,

I just acquired one of these and wanted to share my findings. This was a newer Macbook Air with 2 USB ports:

-Raptor allows you to boot into the machine but does not recognize the SSD drive.
-Paladin allows you to boot into the machine but does not recognize the SSD drive. This one shouldn't have been a surprise but the website clearly states "Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)" so I was hoping that one would intend to image the mac after booting into it forensically.
-LinEn allows you to boot into the machine but does not recognize the SSD drive.

I ended up using FTK Imager for Mac GUI (http://www.appleexaminer.com/Utils/Downloads.html) to perform a live acquisition. It took about 2 hours to capture/transfer the 128GB drive to a USB2.0 external drive.

I am also told that EncasePortable will do the job (using the boot CD, as it won't boot of USB drive).

Hope this helps some people in the future!  

Here is a write up on imaging a Macbook Air with WinFE as another option that may work:
katanaforensics.com/20...cbook-air/  

All possible solutions. I would recommend MacQuisition from BlackBag as it is a licensed version of OS X from Apple, which has been forensically modified and has been tested on over 200 Apple devices including the Air.
It was also in the review that bshavers mentioned.

Full disclosure I am the VP of Product Development at BlackBag.  

We have had very good results since we purchased MacQuisition including on a MacBook Air with a SSD. Slow only in the USB/Firewire speed restriction but very efficient and extremely easy to use, not to mention portable!
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 

Greetings,

I was unable to get a Mac Air to boot with WinFE. Multiple sources told me that the Air would only boot from an external OS X boot source so WinFE, Raptor, etc all will not work on "recent" Airs. The only surefire option, at the moment, seems to be MacQuisition.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

Sorry for the late reply, but have you heard of Paladin by Sumuri? It's pretty good and at a good price, FREE

Steve Whalen, who created the Raptor Live CD, created Paladin when he left Forward Discovery.

www.sumuri.com/index.p...&Itemid=87

www.sumuri.com/softwar...nload.html

Joe  

Another alternative is to install a licensed copy of retail OSX onto a USB and set the permissions on the /Volumes folder on your USB based OSX to prevent auto-mounting during boot. From here you can use FTK imager or dd to image

Ian