
Solution for Imaging an Apple Mac system  

aditya5
(@aditya5)
New Member

Hi All,

I want to know the better/best possible solution for forensically imaging Apple Mac systems.

What would be the best solution from the following?

1. Imaging a Mac using Paladin (but Paladin doesn't support Vault encrypted Mac systems)
2. Imaging a Mac using MacQuisition (but in this we need to boot it)
3. Imaging a Mac SSD by taking it out and using a connector, then imaging it using EnCase/FTK (but would EnCase be able to image the encrypted Mac systems?)
4. Any other solution.

Please suggest,

Regards
Aditya

Posted : 01/06/2016 12:41 pm
zhaan
(@zhaan)
Member

We use MacQuisition. I have used Paladin but more often than not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.

Posted : 01/06/2016 12:51 pm
Chris_Ed
(@chris_ed)
Active Member

+1 for MacQuisition. Excellent tool for imaging Macs, for the reasons outlined above.

By the way - given your comment regarding "you have to boot it", are you aware that MacQuisition works in a similar way to Paladin, i.e. it comes as a bootable USB stick?

Posted : 01/06/2016 1:18 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

We use MacQuisition. I have used Paladin but more often than not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.

+2 for this as well. I have found Fusion drives a particular nightmare that only MQ recovered. Often I had to boot another Mac using MQ and Thunderbolt the Mac with the Fusion drive out into the machine running MQ with a big drive inside it just to see the data properly.

Posted : 01/06/2016 2:20 pm
Bulldawg
(@bulldawg)
Active Member

+3 for MacQuisition

On the occasion it does fail–and it does happen–we've also used target disk mode when connected to a FireWire write blocker, and single user mode with a USB3 hard drive with FTK Imager CLI on it. Single user mode mounts the system volume read-only unless you make it read/write on purpose.

Posted : 02/06/2016 12:51 am