How to image Fusion Drive from iMac?
Are there any instructions on how to go about imaging a Fusion drive in an iMac? Is there a reason I cannot find the "User" directory and other common directories (Documents, Downloads, etc.)? Is there a certain way these drives must be imaged? I have acquired an image using Target Disk Mode, but the image does not seem to contain the details I need. After loading the image into FTK, I see 4 partitions…
Partition 1 (EFI FAT32) - root/unallocated space
Partition 2 - unrecognized file system
Partition 3 (Recovery HD HFS+) - unallocated space/Recovery HD
Partition 4 (SourceVol HFS+) - unallocated space/SourceVol
BlackBag MacQuisition will see it properly.
The Fusion Drive is a combination of both drives, so you need something to rebuild the drive. Think RAID array here.
If you convert the image to a DMG, a Mac machine will rebuild it for you as well, I was told.
Check out http://www.appleexaminer.com/, as it might have info on this.
Gonna ask Ryan again. I should have taken notes; I thought I would commit it to memory, but didn't.
If you find out anything else, please let me know. In the meantime I will look into converting this to a DMG.
Straight from the guru's mouth, Ryan.
They have to be converted to DD or Raw and then have the extension DMG added. You need Mac OS X 10.7 or higher, and it will see it as a special device and rebuild it for you to reimage.
Basically there is nothing on the market beyond BlackBag MacQuisition that I know of that will image the Fusion Drive properly.
Also remember to LOCK the DMG so you can't accidentally alter it.
Also learned that BlackLight, which is their forensic tool for Mac, will give you the full 6 dates that Mac has. EnCase and FTK will only show you the 4 because they do not parse the Plist properly. Nice to have an extra 2 dates sometimes. Basically, if you are doing Apple device forensics, it might be a place to look, as this is their niche.
I wish this stuff were much easier sometimes as well.
I assume the guru is Ryan K?
I use MacQuisition and I have not found any other tool that is 'aware' of Apple CoreStorage (the Apple-proprietary LVM used to create the Fusion Drive).
FWIW, MacQuisition is worth every penny when you have to image MacBook Air, iMac, FileVault-encrypted disks, and Fusion Drives. Nothing comes close.
FWIW I have not actually tried this myself, however I understand that if you put the iMac with the fusion drive into TDM and then connect it to another Mac running Mountain Lion or later then that Mac will recognise the Fusion logical volume. If you are write blocking in some way (hardware or Mac Disk Arbitration) then you should be able to obtain a dd or dmg for loading into your Forensic tool of choice.
Confirmed. I just did this and it worked. Make sure, however, that either you're mounting the original drive(s) as read-only or attaching them without mounting them.
Do not know if this app will help, but SubRosa's DD Converter tool is $35 and can convert DD images to DMG images as well as convert DMG images to DD format.
You can use DD, but you will need to image the 'complete' set of discs (i.e. the small drive and larger as one).
In Terminal, using 'diskutil list', it should be listed against a /dev and have a descriptor containing 'Apple_HFX Macintosh HD - Logical Volume Unencrypted Fusion Drive'. Note the /dev reference for this drive and use it with the dd command to image this unencrypted volume:
sudo dd if=/dev/rdisk2 of=/Volumes/path/image.dmg bs=4096 conv=noerror,sync
In the above example the Fusion drive was showing as /dev/disk2 but it's important to use 'rdisk' in place of 'disk' otherwise you will get a 'resource busy' message.
Note: when monitoring progress of the write, you may not see 'finder' automatically updating the increasing file size if you leave the screen open, so you may have to close and reopen it to see it growing (and sometimes it takes a few minutes to reflect growth).
Tested on OSX
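
The dd procedure from the last post, as an added example that is not part of the thread: it picks the Fusion logical volume out of `diskutil list` output and builds the post's dd command against the raw node, refusing a buffered `/dev/diskN` path. The `diskutil list` text is a constructed sample, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `diskutil list` output (not from a real case).
sample_diskutil_list() {
cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         121.0 GB   disk0s2
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:          Apple_CoreStorage                         999.3 GB   disk1s2
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *1.1 TB     disk2
                                 Logical Volume on disk0s2, disk1s2
                                 Unencrypted Fusion Drive
EOF
}

# Read `diskutil list` text on stdin; print /dev/rdiskN for each disk block
# whose description mentions "Fusion Drive" (the rebuilt logical volume).
fusion_raw_nodes() {
    awk '
        /^\/dev\/disk[0-9]+/ { dev = $1 }   # remember the disk this block describes
        /Fusion Drive/ && dev != "" { sub(/\/dev\/disk/, "/dev/rdisk", dev); print dev; dev = "" }
    '
}

# Build (do not run) the dd command from the post; only raw nodes are accepted,
# since the post notes /dev/diskN gives a 'resource busy' message.
dd_command() {
    case "$1" in
        /dev/rdisk[0-9]*) ;;
        *) echo "refusing: $1 is not a raw (rdisk) node" >&2; return 1 ;;
    esac
    printf 'sudo dd if=%s of=%s bs=4096 conv=noerror,sync\n' "$1" "$2"
}

# On the examiner Mac, feed real `diskutil list` output instead of the sample.
node=$(sample_diskutil_list | fusion_raw_nodes)
dd_command "$node" /Volumes/path/image.dmg
```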