New Macbook Air

Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

Looks like a new technique for imaging Macbook Airs may be warranted. They are now using flash memory directly attached to the MB for storage.

 
Posted : 21/10/2010 1:14 am
(@xennith)
Posts: 177
Estimable Member
 

One of the standard techniques we use is a Linux boot and network acquisition. Unless Mac OS boot-time interrupt keys have changed, that should be just as applicable.

 
Posted : 21/10/2010 1:47 am
Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

No optical drive, no ethernet…
And there is no hard disk to take out.

 
Posted : 21/10/2010 1:59 am
(@xennith)
Posts: 177
Estimable Member
 

USB boot?
Edit: Or removable optical device.
http://unetbootin.sourceforge.net/ Allows you to burn an ISO to a USB device as a bootable device. Could then use a local HDD connected via a USB bridge to take the image.

Unless of course it's not got USBs either ;P

 
Posted : 21/10/2010 2:03 am
Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

> USB boot?
> Edit: Or removable optical device.
> http://unetbootin.sourceforge.net/ Allows you to burn an ISO to a USB device as a bootable device. Could then use a local HDD connected via a USB bridge to take the image.
>
> Unless of course it's not got USBs either ;P

We had tried USB boots using Helix (Pro) last year around this time and found that it was crushing the custom firmware that Apple used for its USB port that could only be reset by removing the battery (diagnosed and confirmed by Apple engineering). Other boot disks work (Raptor comes to mind) but I am wondering what Apple may have done to the USB firmware this time. BTW there are now two USB ports on the Airs.

 
Posted : 21/10/2010 2:11 am
(@xennith)
Posts: 177
Estimable Member
 

Backtrack springs to mind as a possible alternative to Helix as it has a forensic boot option which loads everything into RAM. I think Ubuntu has the same capacity out of the box as well, and IIRC both have DD as standard.

Backtrack of course is more fun (and has some forensic tools integrated). :)

If USB presents problems you could try a compact flash boot (if the MacBook has such a magical device). I've not heard of this particular USB issue until now but I'm glad you've brought it up. Linux-based bootable USB devices are becoming almost standard issue in my place and I'd hate to be caught out on that.

(wonder if that's exploitable….)

Edit: Interwebs shows that the MacBook Air is massively over expensive even for a Mac, but does come with an SD card slot, so that is an option. Unetbootin can be used to create a bootable SD card in the same way that you create a bootable USB.

 
Posted : 21/10/2010 2:25 am
 96hz
(@96hz)
Posts: 143
Estimable Member
 

I've had similar experiences to Beetle.
My understanding is that it is 'pseudo-USB', meaning that I would be surprised if there actually is a Linux boot disk that supports it (off the bat). Perhaps Raptor has a specific Mac-centric driver that understands it is dealing with a super port (or whatever it is dubbed), not a bog standard USB.

 
Posted : 21/10/2010 2:42 am
Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

> I've had similar experiences to Beetle.
> My understanding is that it is 'pseudo-USB', meaning that I would be surprised if there actually is a Linux boot disk that supports it (off the bat). Perhaps Raptor has a specific Mac-centric driver that understands it is dealing with a super port (or whatever it is dubbed), not a bog standard USB.

This is why we recommended to field staff to remove the SSD or HD and image using a Tableau and the appropriate ZIF adapter. Our experience with Raptor has been good on the regular Macbooks but we never tried it with the Air (if you end up taking it apart to reset the USB port you might as well take it apart right off the bat). Apple called it an "intelligent USB" when we talked to them about it. As far as the comment about the SD slot on the Air, there was never one on the previous models nor the new one - per Apple's specs (and see everymac.com) and I have never seen one equipped with one. The new ones do eliminate the problem of using a powered hub (hooray!) with the addition of the second USB port. The price, considering the engineering in the new model, doesn't look that bad, starts at under a grand.

 
Posted : 21/10/2010 3:03 am
Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

> Backtrack springs to mind as a possible alternative to Helix as it has a forensic boot option which loads everything into RAM. I think Ubuntu has the same capacity out of the box as well, and IIRC both have DD as standard.
>
> Backtrack of course is more fun (and has some forensic tools integrated). :)
>
> If USB presents problems you could try a compact flash boot (if the MacBook has such a magical device). I've not heard of this particular USB issue until now but I'm glad you've brought it up. Linux-based bootable USB devices are becoming almost standard issue in my place and I'd hate to be caught out on that.
>
> (wonder if that's exploitable….)
>
> Edit: Interwebs shows that the MacBook Air is massively over expensive even for a Mac, but does come with an SD card slot, so that is an option. Unetbootin can be used to create a bootable SD card in the same way that you create a bootable USB.

It isn't an issue of loading into RAM, it is about automatically mounting detected partitions as read-only. Most distros such as Ubuntu automount read-write when they boot from CD. You need to use a boot disk that is specifically designed to not automount partitions as writable. Helix, SPADA, Raptor, iLook imager and so on are designed this way. I have never tried Backtrack to see if it was able to mount read only so I can't comment on its suitability for "previewing" or imaging in a forensically sound manner.

 
Posted : 21/10/2010 3:12 am
(@xennith)
Posts: 177
Estimable Member
 

The 13 inch model does have an SD card http://www.apple.com/uk/macbookair/features.html#connectivity but sadly the 11 inch version doesn't.

As far as read only mounts go, I have to admit that I'm not sure that Backtrack does that by default, however it is a very customisable toolkit and tweaking the mount options to read only should be fairly straightforward for anyone with any *nix experience. The latest R1 release may already do this in its dedicated forensic boot mode for all I know.

 
Posted : 21/10/2010 3:45 am
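
The read-only mounting concern discussed in the last two posts, as an added example that is not part of the original thread: a pre-imaging check, run from a Linux boot environment, that refuses to proceed unless the evidence disk carries the kernel read-only flag and none of its partitions is mounted read-write. The function names, the device paths (`/dev/sda` as the evidence disk, `/dev/sdb` as the boot USB) and the sample mount table are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): refuse to image unless the evidence
# disk is write-protected. Function names and device paths are hypothetical.

# rw_mounts DISK [MOUNTS_FILE]
# Print "device mountpoint" for every mount of DISK or one of its partitions
# whose option list contains "rw". Prefix matching can over-match (sda vs
# sdaa), which errs on the side of refusing to image.
rw_mounts() {
    awk -v d="$1" '
        index($1, d) == 1 {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "rw") { print $1, $2; break }
        }' "${2:-/proc/mounts}"
}

# safe_to_image DISK [MOUNTS_FILE] [RO_FLAG]
# Succeeds only if the kernel read-only flag is set on DISK (as left by
# `blockdev --setro DISK`) and nothing on DISK is mounted read-write.
# RO_FLAG overrides the live `blockdev --getro` query for offline testing.
safe_to_image() {
    ro="${3:-}"
    [ -n "$ro" ] || ro=$(blockdev --getro "$1" 2>/dev/null || echo 0)
    [ "$ro" = "1" ] || return 1
    [ -z "$(rw_mounts "$1" "${2:-/proc/mounts}")" ]
}

# Constructed sample in /proc/mounts format: the boot USB is mounted
# read-only, but a desktop-style automounter has mounted one partition of
# the evidence disk read-write.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sdb1 /cdrom vfat ro,noatime 0 0
/dev/sda1 /media/EFI vfat ro,relatime 0 0
/dev/sda2 /media/MacHD hfsplus rw,relatime 0 0
EOF

if safe_to_image /dev/sda "$SAMPLE_MOUNTS" 1; then
    echo "OK to image /dev/sda"
else
    echo "STOP: evidence disk is not write-protected:"
    rw_mounts /dev/sda "$SAMPLE_MOUNTS"
fi
```

On a live system, call `safe_to_image /dev/sda` with no further arguments so that it reads `/proc/mounts` and queries `blockdev --getro` itself.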