mac boo air forensics

15 Posts
10 Users
0 Reactions
1,707 Views
(@sebastianorossi)
Trusted Member
Joined: 14 years ago
Posts: 85
Topic starter  

Finally I found the correct pentalobe screwdriver to open the rear case of a MacBook.
Actually, I am waiting for the correct adaptor; the SSD is Samsung. I need to connect it to a WiebeTech write blocker.
If I can't find it, I am reading, in a book written by Jesse Varsalone, Kubasiak and Morrissey, that I can use the TDM system. What do you think about it? I don't want to buy commercial software!
Thanks


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

I'm not familiar with WiebeTech products. Can they write block a FireWire connection?

If so, you should be able to do it by booting into target disk mode (TDM) and using a FireWire cable to directly access the hard drive. You've probably already got the directions, but in case you don't: http://support.apple.com/kb/HT1661

I have not tried this method, and I wouldn't do it without testing it on a Mac that you're not supposed to be imaging. If you screw it up even a little, you could end up starting to boot the OS.

What software are you using? You say you don't want to buy anything, but does that mean you don't have any commercial software at all? Maybe use FastBloc SE through EnCase if you have access to that.

I'm not sure which MacBook Air model you're dealing with, but they often have proprietary connectors. The standard assortment of ZIF adapters and micro-SATA cables that ships with Tableau write blockers didn't fit the SSD in the Air we had. Even if you get it open, you may still not be able to connect the SSD card to your WiebeTech write blocker.

There's a fairly good, if dated, presentation on Mac forensics here: http://www.slideshare.net/ctin/mac-forensics-presentation. If I remember correctly, the author uses BlackBag MacQuisition, which does violate your no commercial software stipulation.


   
(@sebastianorossi)
Trusted Member
Joined: 14 years ago
Posts: 85
Topic starter  

Thank you very much for your kind answer.
I have got a WiebeTech USB write blocker and the WiebeTech SATA/IDE write blocker. I am waiting for an answer from a firm. I opened the MacBook Air and there is a Samsung hard drive. I hope to find the correct adaptor. I work with X-Ways Forensics. Usually I use FTK Imager to obtain the copy. I don't want to buy MacQuisition or other tools.
Luckily, I have a Mac, so I can do a few tests for TDM.

Thanks


   
DrGunlove
(@drgunlove)
Active Member
Joined: 13 years ago
Posts: 5
 

Hi,

Apparently with the SSD drives and their architecture, you should only use TDM mode as a last resort. TDM mode is NOT write protected and can alter the state of the drive. If the examiner were to boot a Mac into TDM and attach it to a Windows system, the Boot Camp partition would be written to, thus destroying and/or altering evidence.

In fact with an SSD, as soon as it receives power it automatically starts to rearrange files on the disk.

Software such as PALADIN from Sumuri.com will image the drive, and other software is available.

Just for your info.


   
Saladin
(@saladin)
Active Member
Joined: 19 years ago
Posts: 9
 

Hokay….

First off, there's no FireWire port on a MacBook Air, so target disk mode simply isn't an option. (You need a 1394 controller for this to be an option.)

The SSD drive (or card, really) is connected to the MacBook Air in a proprietary physical configuration that looks *very* similar to mini PCI Express… but isn't.

At this stage there are no adapters for sale by anyone I'm aware of, so even after you gain access to the drive physically, there isn't anything you can really do. (Take photos, but that's about it.)

To complicate things, there's only one USB port.

So, to access a MacBook Air (November 2010 onwards models), here's what we're currently doing.

For imaging, you'll need:

1 x USB 2.0 powered hub
1 x USB external DVD drive
1 x USB external hard drive (or connect a SATA/USB bridge of some type) for collection
1 x blank DVD (for burning an image… see below)

Now, we'll need a bootable environment that's both 'forensic' (TEST THINGS BEFORE YOU TRUST THEM) and aware of the controller for the SSD inside the MacBook Air.

We're currently using DEFT (an Italian forensic distro: http://www.deftlinux.net/), but there are possibly others. (I haven't tested whether the latest version of PALADIN from Sumuri works, for example.)

(Note: this assumes you're happy/comfortable to boot the MacBook Air with the suspect SSD *live*. I wouldn't worry about queued changes occurring on the SSD when power is applied, as that's going to happen with any method short of a chip-off…)

(Note: there are quite a few issues to be aware of when booting a Mac (or any other computer) for live acquisition, which I'm not going into, as this is long enough of a post already…)

So:
Download the DEFT ISO (currently v7.1) and burn it to the blank DVD.
Connect the hub to the USB port on the suspect MBA.
Connect the USB CD-ROM drive to the hub.
Connect the USB hard drive (your master copy drive).
Holding down the 'Option' key on the keyboard, power on the MBA. (Yes, you can hold down 'C', but I prefer this option.)
*Note* it is possible for the machine to boot to the OS at this point: highly unlikely, but possible in some rare instances where EFI passwords have been set. Don't turn it on if you're not prepared for a live examination of a machine as a possibility.

In the OS X boot screen, a bootable CD should display as an option; use cursor/enter to select it.

DEFT should boot.
At this point, you should have a forensic examination environment that allows you to see the suspect drive and your 'evidence' drive as read-only.
Use the mount manager to make your evidence drive writable (make sure to pick the right one, eh?).
Use Guymager (an FTK Imager type app) or dd, or whatever method you prefer, to image the SSD to the evidence drive, if you're imaging; if you're previewing, go for a browse/search etc.
Do any other tasks you have in mind (note the system time, for example).
Power down the system, disconnect.
(Make a working copy of the master image, paperwork, etc.)

That's a rough idea. Obviously, use DEFT on some test systems to get comfortable with the tools and options they provide, and verify to your requirements that the write blocking is actually working…. We have, but don't take my word or anyone else's that it's acceptable for your workplace.

Drive reference for MacBook Airs:

MacBook Air (model A) early 2008 = 1.8" IDE HDD, ZIF connector. (Tableau have a nice connector set that includes the ribbon connectors for these.)

MacBook Air (model B) late 2008 + mid 2009 = 1.8" SATA HDD/SSD, LIF connector. (Still a ribbon, but ZIF adaptors don't work, as they're IDE/PATA cables… hey Tableau! Update the connector kits, eh?) Some adaptors exist on the market to bridge to USB.

MacBook Air (current) Nov 2010+ = proprietary SSD connector. SOL for direct connection currently; use a Live CD.


   
Nate4n6
(@nate4n6)
New Member
Joined: 14 years ago
Posts: 4
 

With all due respect to Saladin,

"First off, there's no firewire port on a macbook air, so target disk mode simply isn't an option. (you need a 1394controller for this to be an option)"

This is not entirely accurate. You can boot a new MacBook Air into target disk mode by holding down the "T" key, same as before. The difference is, now it will use Thunderbolt for the target disk connection instead of FireWire.

If you happen to have a Mac with Thunderbolt available, you certainly have some options. Just last week I was able to image a MacBook Air this way. I used Disk Arbitrator on my MacBook Pro to set the mode to "Block mounts" and then connected the suspect machine via Thunderbolt. After that, I just used the terminal to acquire a dd image of the physical disk.

It should be noted that, as I was unsure of how well this process would work, I did test it on one of our own systems first.

Your mileage may vary.

I hope this helps somebody out there.

- Nate


   
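Saladin's live-CD procedure and Nate's Thunderbolt target disk mode acquisition end up at the same terminal steps once the suspect disk is visible to the examiner's machine: confirm it is not mounted writable, copy it with dd, and hash both source and image so the copy can be verified later. The following is an added example written for this page, not code posted by either of them; the device paths, the log layout, the 512-byte default block size and the `acquire` / `mounted_rw` names are this example's own assumptions. It works on a plain file as well as a block device, which is how it can be exercised on a test system before being trusted, as both posters recommend.

```shell
#!/bin/sh
# Added example, not code from the thread: dd-based raw acquisition with the
# checks the posts above describe. Names and defaults are assumptions.

# Portable SHA-256 of a file: GNU sha256sum, then BSD/macOS shasum, then openssl.
hash_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Succeed (exit 0) only if the device given by canonical path (e.g. /dev/sdb,
# /dev/disk2) is currently mounted read-write. Linux: parse /proc/mounts.
# macOS: `mount` prints "read-only" in the option list for ro mounts and
# nothing for rw ones, so a listed device without that word is writable.
mounted_rw() {
    if [ -r /proc/mounts ]; then
        awk -v dev="$1" '$1 == dev && $4 ~ /(^|,)rw(,|$)/ { found = 1 }
                         END { exit !found }' /proc/mounts
    else
        mount | grep "^$1 on " | grep -qv "read-only"
    fi
}

# acquire SRC IMAGE LOG [BS]
#   SRC   block device (or, for a dry run, an ordinary file)
#   IMAGE output raw image; refused if it already exists
#   LOG   append-only text log: timestamps, host, dd summary, hashes
#   BS    dd block size. conv=sync zero-pads the last short read up to BS, so
#         BS must divide the device size exactly. 512 always does for a block
#         device; a larger BS is faster but only safe when it divides evenly.
acquire() {
    src=$1; img=$2; log=$3; bs=${4:-512}
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2; return 2
    fi
    if mounted_rw "$src"; then
        echo "refusing: $src is mounted read-write" >&2; return 3
    fi
    if [ -e "$img" ]; then
        echo "refusing: $img already exists" >&2; return 4
    fi
    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner host: $(hostname 2>/dev/null || echo unknown)"
        echo "source: $src  block size: $bs"
    } >>"$log"
    # noerror keeps reading past unreadable sectors; sync pads the short read
    # so later offsets in the image still line up with the source.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>>"$log" || return 5
    src_hash=$(hash_sha256 "$src")
    img_hash=$(hash_sha256 "$img")
    {
        echo "sha256 source: $src_hash"
        echo "sha256 image:  $img_hash"
        echo "acquisition end: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >>"$log"
    if [ "$src_hash" != "$img_hash" ]; then
        echo "HASH MISMATCH: image does not verify against source" >>"$log"
        return 6
    fi
    return 0
}
```

Usage on a real case is `acquire /dev/disk2 /Volumes/evidence/mba.dd /Volumes/evidence/mba.log` (Thunderbolt TDM on a Mac) or `acquire /dev/sdb /mnt/evidence/mba.dd /mnt/evidence/mba.log` (DEFT). The `mounted_rw` check is a last line of defence, not a write blocker: Disk Arbitrator's "Block mounts" (Nate's setup) or DEFT's read-only mounting (Saladin's) is what stops the examiner OS from auto-mounting and writing to the suspect disk in the first place, and the source hash is only meaningful if nothing touched the device between the two reads.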
(@rjo86)
New Member
Joined: 14 years ago
Posts: 4
 

MacBook Air (current) Nov 2010+ = proprietary SSD connector. SOL for direct connection currently; use a Live CD.

Other World Computing (OWC) sell an external enclosure for the latest SSDs found in the Air. You can take the adaptor out of the enclosure and use it to connect the SSD to a regular SATA cable.

Link: http://eshop.macsales.com/item/OWC/SSDAPOTGU3/


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Hope I'm not the only one who finds "mac boo air forensics" funny…. 😉


   
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

When I first saw this I thought "they aren't THAT scary…"


   
Saladin
(@saladin)
Active Member
Joined: 19 years ago
Posts: 9
 

Whooops!

Yep, Nate4n6 is spot on. I confess I don't have a Thunderbolt capable system to connect it to, so it hasn't been possible to explore that as an acquisition option yet. (That's what I get for not reading up on the latest models!)

And rjo86, thank you *very* much for pointing out that OWC have a compatible enclosure! Last I'd heard they had given up on it, so I haven't checked there for ages. (Ack. That's been available since late last year! Now I'm just slack… <grin>)

Which just goes to show you can't trust anything anyone says.

Well… except for Nate4n6 and rjo86, that is.

😉

Cheers!


   
Page 1 / 2