Hey folks,
I would like to image a Macbook air 2015 model which has SSD. Is there anyway i can image the macbook while its open live, with free software?
or what is my best bet here?
Thanks.
Imaging while it runs isn't a forensic way to make an exact copy, since there are many live changing files. Boot from an external media with pre-installed imaging tools (Paladin Edge, Kali Linux, etc.) and create the image that way.
If the drive is encrypted, this might be useful
http//
Good luck )
Hey folks,
I would like to image a Macbook air 2015 model which has SSD. Is there anyway i can image the macbook while its open live, with free software?
or what is my best bet here?
Thanks.
I would always use MacQuisition if I can. Sumuri just came out with a cheap Mac acquisition tool as well. These would be best as they natively support CoreStoraghe volumes and can mount unencrypted for imaging.
If not an option, I would use something like Paladin to boot the Mac and image the CoreStorage volume to RAW/DD format. If it's encrypted, you can then take this to a Mac and mount the file system on another Mac using the password from the imaged Mac.
You can use FTK Command Line Imager while the system is running.
Thanks everyone,
So the problem was…. i was trying to boot a valid paladin bootable cd and USB but the Macbook will never show those drives on boot options. For reasons i don't know why, so i burnt another bootable (DEFT) and it worked absolutely fine.
I am currently using blacklight 2016 for analysis, it is great so far, any recommendations that i can test and compare results?
Thanks.
I personnally use Paladin (7). It's always worked perfectly on the latest Macs for me!!!
You tried the latest version? My colleague was using an older version, and he couldn't get it to work when mine always did!