Macbook Air Acquisition
Posted: Mon Jun 13, 2011 5:08 pm
Hi All,
I just acquired one of these and wanted to share my findings. This was a newer Macbook Air with 2 USB ports:
-Raptor allows you to boot into the machine but does not recognize the SSD drive.
-Paladin allows you to boot into the machine but does not recognize the SSD drive. This one shouldn't have been a surprise but the website clearly states "Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)" so I was hoping that one would intend to image the mac after booting into it forensically.
-LinEn allows you to boot into the machine but does not recognize the SSD drive.
I ended up using FTK Imager for Mac GUI (http://www.appleexaminer.com/Utils/Downloads.html) to perform a live acquisition. It took about 2 hours to capture/transfer the 128GB drive to a USB2.0 external drive.
I am also told that EncasePortable will do the job (using the boot CD, as it won't boot off USB drive).
Hope this helps some people in the future!
-

isth - Senior Member
Re: Macbook Air Acquisition
Posted: Mon Jun 13, 2011 6:19 pm
Here is a write up on imaging a Macbook Air with WinFE as another option that may work:
katanaforensics.com/20...cbook-air/
-

bshavers - Senior Member
Re: Macbook Air Acquisition
Posted: Mon Jun 13, 2011 9:30 pm
All possible solutions. I would recommend MacQuisition from BlackBag as it is a licensed version of OS X from Apple, which has been forensically modified and has been tested on over 200 Apple devices including the Air.
It was also in the review that bshavers mentioned.
Full disclosure I am the VP of Product Development at BlackBag.
-

r00ster - Member
Re: Macbook Air Acquisition
Posted: Tue Jun 14, 2011 5:53 am
We have had very good results since we purchased MacQuisition including on a MacBook Air with a SSD. Slow only in the USB/Firewire speed restriction but very efficient and extremely easy to use, not to mention portable!
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders.
-

kiashi - Senior Member
Re: Macbook Air Acquisition
Posted: Tue Jun 14, 2011 9:50 pm
Greetings,
I was unable to get a Mac Air to boot with WinFE. Multiple sources told me that the Air would only boot from an external OS X boot source so WinFE, Raptor, etc all will not work on "recent" Airs. The only surefire option, at the moment, seems to be MacQuisition.
-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA)
-

kovar - Senior Member
Re: Macbook Air Acquisition
Posted: Thu Jun 23, 2011 5:32 pm
Sorry for the late reply, but have you heard of Paladin by Sumuri? It's pretty good and at a good price, FREE 
Steve Whalen, who created the Raptor Live CD, created Paladin when he left Forward Discovery.
www.sumuri.com/index.p...&Itemid=87
www.sumuri.com/softwar...nload.html
Joe
-

jgarcia - Member
Re: Macbook Air Acquisition
Posted: Fri Jul 08, 2011 11:36 am
Another alternative is to install a licensed copy of retail OSX onto a USB and set the permissions on the /Volumes folder on your USB based OSX to prevent auto-mounting during boot. From here you can use FTK imager or dd to image
Ian
-

imk54831 - Member
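
The dd route mentioned in the last post, sketched as an added example that is not part of the thread or any poster's own procedure: it images a source to a file and confirms the copy by SHA-256. The function names, the log format and the paths in the usage comment are assumptions; the source is assumed to be static (machine booted from the external OS with the internal disk unmounted).

```shell
#!/bin/sh
# Added example: dd acquisition with hash verification.
# Usage (placeholder device and evidence path):
#   acquire_image /dev/rdiskN /Volumes/EVIDENCE/air.dd

# Print the SHA-256 of a file or device; works with GNU or macOS tooling.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Image $1 to $2 and write an acquisition log next to the image.
# Returns 0 only when the source and image hashes match.
acquire_image() {
    src=$1
    dst=$2
    log="$dst.log"

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing image: $dst" >&2
        return 2
    fi

    # Hash the source first. This is a second full read of the disk,
    # and only meaningful when nothing is writing to it.
    before=$(hash_of "$src")

    # bs=512 keeps conv=sync from padding a short final block, which
    # would make the image larger than the source and break the
    # hash comparison. noerror continues past unreadable sectors.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 3

    after=$(hash_of "$dst")
    {
        echo "source=$src image=$dst"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source_sha256=$before"
        echo "image_sha256=$after"
    } >>"$log"

    [ "$before" = "$after" ]
}
```

A larger block size speeds up the copy; with `conv=sync` it should divide the device size evenly, otherwise the padded final block makes the hashes differ.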
















