±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36077
New Yesterday: 0 Visitors: 108

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Solution for Imaging an Apple Mac system

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

aditya5
Member
 

Solution for Imaging an Apple Mac system

Post Posted: Jun 01, 16 11:41

Hi All,

I Want to know the better/best possible solution for Forensically Imaging the Apple Mac Systems.

What can be the best solution from following?

1. Imaging a Mac using Paladin ( But paladin doesn't supports Vault encrypted mac systems)
2. Imaging a MAC using Macquisition ( But in this we need to boot it)
3. Imaging a MAC SSD by taking it out and using a Connector and then Image it using Encase/FTK ( But does Encase would be able to Image the Encrypted Mac systems?)

4. Any other solution.


Please suggest,


Regards
Aditya  
 
  

zhaan
Senior Member
 

Re: Solution for Imaging an Apple Mac system

Post Posted: Jun 01, 16 11:51

We use MacQuisition. I have used Paladin but more often that not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.  
 
  

Chris_Ed
Senior Member
 

Re: Solution for Imaging an Apple Mac system

Post Posted: Jun 01, 16 12:18

+1 for Macquisition. Excellent tool for imaging Macs, for the reasons outlined above.

By the way - given your comment regarding "you have to boot it", are you aware that Macquisition works in a similar way to Paladin, i.e. it comes as a bootable USB stick?  
 
  

mobileforensicswales
Senior Member
 

Re: Solution for Imaging an Apple Mac system

Post Posted: Jun 01, 16 13:20

- zhaan
We use MacQuisition. I have used Paladin but more often that not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.


+2 for this as well. I have found Fusion drives a particular nightmare only MQ recovered. Often I had to boot another mac using MQ and thunderbolt the mac with the Fusion drive out into the machine running MQ with a big drive inside it just to see the data properly.  
 
  

Bulldawg
Senior Member
 

Re: Solution for Imaging an Apple Mac system

Post Posted: Jun 01, 16 23:51

+3 for MacQuisition

On the occasion it does fail--and it does happen--we've also used target disk mode when connected to a FireWire write blocker, and single user mode with a USB3 hard drive with FTK Imager CLI on it. Single user mode mounts the system volume read-only unless you make it read/write on purpose.  
 

Page 1 of 1