Join Us!

Kali linux on MAC I...
 
Notifications
Clear all

Kali linux on MAC Issues  

  RSS
DevilBurner13
(@devilburner13)
New Member

Dear all on forums…

First off apologies if this has been placed into the wrong section and or this has been raised before.

I have an apple iMac that needs imaging. would prefer to not have to dismantle it to remove the HDD as the chances of it reassembling correctly look to be slim.
It is a very recent model (slim line, curved back, the screen has an adhesive behind it hence not wanting to dismantle it) which I believe is running the OS X v10.11. I have looked up the serial number and EMC number and it comes back as a
iMac "Core i5" 3.3 27-Inch (5K, Late 2015)

The 'Macquisition' USB stick can be 'seen' when booted but it will not run on it…it throws up a big red cross after the blackbag logo disappears. According to their site, Macquisition does not work on late 2015 iMAcs.

So, i attempted Kali linux, in the hope of using guymager to image and then run blacklight across it. The Kali linux bootable USB will not even be 'seen' by the machine when booted?

I cant seem to find a mac dedicated iso for Kali anywhere?

Has anyone had this issue before or know of any workarounds?

many thanks in advance for any help )

Quote
Posted : 24/08/2016 6:46 pm
wookieshaver
(@wookieshaver)
Junior Member

I have had great luck with iMacs of this sort using Paladin Linux 32 bit. https://sumuri.com/product/paladin-edge-32-bit-version-6-08/ Note The suggested price is just that - you don't have to pay to download the tool - though you do need to create an account.

ReplyQuote
Posted : 24/08/2016 8:04 pm
Rampage
(@rampage)
Active Member

try deft zero

ReplyQuote
Posted : 24/08/2016 8:12 pm
tito
 tito
(@tito)
New Member

Hello. To create a bootable USB drive from Kali Linux helped me 'Mac Linux USB Loader'. I managed to boot mode and using forensic dd image to perform mass media. But I do not know whether this method to work on OS X v10.11.

ReplyQuote
Posted : 25/08/2016 3:28 am
Chris_Ed
(@chris_ed)
Active Member

Is Kali forensically sound? I'm not sure. Maybe try CAINE instead - it has guymager.

One problem you're probably going to come across after imaging is Apple CoreStorage/fusion drives. I think MacQuisitions biggest strength is that it presents these sort of setups as a unified volume for imaging - no need for any further steps. However as that isn't an option, have a look through this thread and it has some good suggestions for reconstruction.

Good luck! And please update us with any success stories. )

ReplyQuote
Posted : 25/08/2016 1:07 pm
DevilBurner13
(@devilburner13)
New Member

We have put the machine that would not boot macquisition (the exhibit) into Target disk mode, and then connected that by firewire to a mac that will run macquisition.
This has allowed to see all the drives in the exhibit… so far so good.

Macquisition does show that the drives in the exhibit are 'fusion drives' but it still represents them as 2 separate drives. When it is imaged, if macquisiton cannot stitch them as one drive, apparently Xways will?

I originally thought that the reason why macquisition or Kali would not run is because of encryption, but macquistion has shown no traces of it on the drives… or at least 'Filevault' anyway. So maybe third party encryption?

kali linux has a 'Forensic' mode which stops all drives being mounted, and testing showed that it dosent alter any data. Whereas I have found that the latest CAINE writes to the USB storage registries (unless I'm doing something completely wrong here?)

Anyway big thanks to all for the replies so far and keep them coming )

ReplyQuote
Posted : 25/08/2016 3:37 pm
Chris_Ed
(@chris_ed)
Active Member

Macquisition does show that the drives in the exhibit are 'fusion drives' but it still represents them as 2 separate drives. When it is imaged, if macquisiton cannot stitch them as one drive, apparently Xways will?

How interssting! That hasn't been my experience with MacQuisition. Also; X-Ways can do that now? Tremendous.

I originally thought that the reason why macquisition or Kali would not run is because of encryption, but macquistion has shown no traces of it on the drives… or at least 'Filevault' anyway. So maybe third party encryption?

Software-based HDD encryption like FileVault 2 shouldn't stop you from booting to Linux. I don't know of any hardware-based encryption method (akin to SecureBoot) used by Apple in it's devices, but to be honest it might only be a matter of time.

kali linux has a 'Forensic' mode which stops all drives being mounted, and testing showed that it dosent alter any data. Whereas I have found that the latest CAINE writes to the USB storage registries (unless I'm doing something completely wrong here?)

Again, interesting! I feel like the limitations of forensic Linux environments might be a worthwhile thing to look into sometime. Issues with CAINE (and Paladin) do get mentioned from time to time.

Please report back on whether XWF is successful at stitching the partitions back together; I can't find anything in the Help but that doesn't mean it can't do it wink

ReplyQuote
Posted : 25/08/2016 6:52 pm
DevilBurner13
(@devilburner13)
New Member

so after reviewing the progress with macquisition, it turns that it shows 3 'drives' where the first two are the physical internal drives, and as correctly stated before in this thread, the last one is the 'fused' logical of the two…
so in short, my error in not viewing the options correctly! still, learning curve and all that wink

still, we have imaged all three disks, to test if macquisition has correctly fused the two (might aswell use multiple software to validate each other as you never know). So i'm waiting to hear from Xways for a '101 guide on mac drive stitching' and will post any results (good or bad of course).

I still have the problem though as to why Kali linux would not run on the exhibit in the first place? Macquisition would boot and run to logo screen but then abort, and this is expected behavior as blackbag website states it will not run on this particular mac. Macquisition (when used through the TDM method) shows no signs of encryption.

I have the latest Kali ISO from their site (which has legacy and UEFI booting capability) and have tried different USB ports, different burning software, tried converting the ISO to a DMG, tried
RUFUS/disk utility/Transmac to prepare the usb stick…. still nothing? but yet it runs fine on our 'non-exhibit' iMac which is password protected anyway?

cheers again to all.

ReplyQuote
Posted : 26/08/2016 5:01 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Maybe you should do the harder, but the good way! On a forensic job like this, normally it should be allowed to dismantle, crack, brake, or even totally destroy the device, just get the needed data.

There been previous posts on how to deal the right way with in a similar situation as your, I quickly found this

www.forensicfocus.com/Forums/viewtopic/t=14364/

Also I remember there was a nice howto for this by Igor Mikhaylov and Oleg Skulkin

www.weare4n6.com/imaging-apple-filevault2-encrypted-drives/

ReplyQuote
Posted : 04/09/2016 5:47 pm
Share: