
New iMac (A1418) Imaging Issues

(@brevs11)
Posts: 19
Active Member
Topic starter
 

Anyone having any luck imaging these without disassembly or imaging live? Having no joy with Paladin v4 or v5 or MacQuisition.

Thanks.

 
Posted : 14/10/2013 1:15 pm
4n6art
(@4n6art)
Posts: 208
Reputable Member
 

When you say no joy… do you mean that none of those boot CDs work or they work and image but you get nothing?

Are you able to boot the iMac with those CDs?
Are you pressing the OPTION key to get the boot menu and do you see the boot CD as a bootable option?

-=Art=-

 
Posted : 15/10/2013 2:03 am
(@clownboy)
Posts: 46
Eminent Member
 

Try Kali-Linux. It has a forensic mode. Very easy to work with.

 
Posted : 15/10/2013 6:18 am
(@brevs11)
Posts: 19
Active Member
Topic starter
 

I mean that all boot CDs we have tried thus far hang at some point during the boot process.

I'm not that keen to take a heat gun to the screen and start taking them to bits. Last time I did that I had enough parts left over to make an iPhone 5.

The plan for today is to boot the suspect iMac in TDM.

Boot a second Mac (with Thunderbolt) with Paladin v5. Attach a target disk to this for the image files to go on.

Then, attach the suspect iMac to the second Mac via Thunderbolt. With any luck the suspect Mac will be seen as an external attached device in the second Mac and can then be imaged.

 
Posted : 15/10/2013 1:12 pm
(@brevs11)
Posts: 19
Active Member
Topic starter
 

Above did not work as the Thunderbolt connected suspect iMac was not recognised as an external storage device on the host Mac.

 
Posted : 15/10/2013 4:01 pm
(@john_smith)
Posts: 13
Active Member
 

The last one we did had the Fusion drive in it, which is a separate SSD linked to the hard drive, installed in very separate locations.

We found this out after disassembly and trying to image the hard drive alone. The image from the hard drive alone was unrecognized by EnCase, FTK and BlackBag.

BlackBag's MacQuisition worked when we put it together, imaging from thumbdrive. It would not see the external hdd until we formatted it properly. Oops.

 
Posted : 16/10/2013 12:38 am
(@sgware)
Posts: 42
Eminent Member
 

Having read through the post here I did some playing around and a bit of research. Did you try the TDM with firewire?

Forgive me if I offer advice that you already know. You could do this.

1. Analysis machine is the same Mac, but, not booted from a forensic disk
2. In Terminal, disable disk arbitration on the analysis machine using: sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
After disabling disk arbitration you will not be able to mount or eject a disk.
3. In Terminal, type mount and note the results, then type ls -l /dev/disk* noting the result
4. Next, connect the firewire cable to the target device and the analysis firewire port
5. Boot the target device while holding the "T" on the keyboard.
6. With the device booted, verify that it didn't mount on the analysis machine by repeating step 3. You should see the same mount information as before connecting the target device. However, when listing /dev/disk* you will see the target device, /dev/diskn
7. You can then acquire the target disk using dd or similar utility to a forensically sterile device attached to the analysis machine.

I tested this to make sure it worked.

To make it forensically sound, you run a firewire write-block inline to the target. And, using the dcfldd or similar command include hash verification of the target and image to ensure they match.

One more thing. I found this in an Apple support blog, "…Note FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI, or SCSI drives…"

I didn't see where TDM supports Thunderbolt and I haven't tested it yet. So, if you have the fusion HD configuration and/or Thunderbolt connection for the TDM, I am not sure if you will be successful.

Good Luck,

Scott

 
Posted : 16/10/2013 2:18 am
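The checks in steps 3, 6 and 7 of the post above, written as shell functions. This is an added example, not part of the original post and not its author's code; it uses plain dd with SHA-256 instead of dcfldd, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Snapshot files are taken on the analysis machine with
#   mount > mounts.before ; ls /dev/disk* > disks.before   (step 3)
#   mount > mounts.after  ; ls /dev/disk* > disks.after    (step 6)

# Use whichever SHA-256 tool exists (shasum on macOS, sha256sum on Linux).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 6, first half: succeed only if the mount table did not change,
# i.e. the target was not auto-mounted by the analysis machine.
mounts_unchanged() {
    cmp -s "$1" "$2"
}

# Step 6, second half: print device nodes that appeared after attaching.
new_devices() {
    grep -Fxv -f "$1" "$2" || true
}

# Step 7 plus hash verification: copy source to image, hash both sides,
# record the image digest, and print it only when the two digests match.
acquire_and_verify() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ] && printf '%s\n' "$src_hash"
}

# Constructed listings (not from a real case) showing the expected result.
demo() {
    d=$(mktemp -d)
    printf '/dev/disk0\n/dev/disk0s1\n' > "$d/disks.before"
    printf '/dev/disk0\n/dev/disk0s1\n/dev/disk1\n/dev/disk1s1\n' > "$d/disks.after"
    new_devices "$d/disks.before" "$d/disks.after"
    rm -rf "$d"
}
demo
```

In a real acquisition the source argument would be the /dev/diskn node identified in step 6 and the image path would sit on the sterile target disk.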
(@brevs11)
Posts: 19
Active Member
Topic starter
 

Some really useful info there.

We have however managed to get a working image using DEFT v7.

Thanks.

 
Posted : 16/10/2013 2:40 am
(@sgware)
Posts: 42
Eminent Member
 

Happy to hear you have a solution! Just curious, does the device have the fusion configuration?

 
Posted : 16/10/2013 2:44 am
(@pdsmith)
Posts: 3
New Member
 

I had a similar problem this week imaging a MacBook Air purchased late this year. All bootable CD tools failed and of course there was no luck extracting a HDD as the new laptops sport the integrated modules. However, with a quick upgrade to the latest version of MacQuisition, I quickly overcame the problem and performed a preservation with ridiculous ease (250GBs in 45 mins - not including verification) to an attached USB, thanks to Apple's decision to integrate 3.0 ports into their chassis.

With the latest changes in the Mac OS, older tools will fail until they have made the necessary updates to account for the changes. BlackBag obtains the latest distributions from Apple and performs the necessary adjustments to their tools accordingly. There are always multiple tools that you should keep in your toolbox, but BlackBag's tools have never let me down when dealing with Macs.

 
Posted : 16/10/2013 4:33 pm