Macbook Air Acquisition  

isth
(@isth)
Member

Hi All,

I just acquired one of these and wanted to share my findings. This was a newer Macbook Air with 2 USB ports.

-Raptor allows you to boot into the machine but does not recognize the SSD drive.
-Paladin allows you to boot into the machine but does not recognize the SSD drive. This one shouldn't have been a surprise but the website clearly states "Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)" so I was hoping that one would intend to image the mac after booting into it forensically.
-LinEn allows you to boot into the machine but does not recognize the SSD drive.

I ended up using FTK Imager for Mac GUI (http://www.appleexaminer.com/Utils/Downloads.html) to perform a live acquisition. It took about 2 hours to capture/transfer the 128GB drive to a USB2.0 external drive.

I am also told that EncasePortable will do the job (using the boot CD, as it won't boot off USB drive).

Hope this helps some people in the future!

Posted : 14/06/2011 5:08 am
bshavers
(@bshavers)
Active Member

Here is a write up on imaging a Macbook Air with WinFE as another option that may work:
http://katanaforensics.com/2011/05/imaging-a-macbook-air/

Posted : 14/06/2011 6:19 am
r00ster
(@r00ster)
New Member

All possible solutions. I would recommend MacQuisition from BlackBag as it is a licensed version of OS X from Apple, which has been forensically modified and has been tested on over 200 Apple devices including the Air.
It was also in the review that bshavers mentioned.

Full disclosure: I am the VP of Product Development at BlackBag.

Posted : 14/06/2011 9:30 am
kiashi
(@kiashi)
Member

We have had very good results since we purchased MacQuisition, including on a MacBook Air with an SSD. Slow only in the USB/Firewire speed restriction but very efficient and extremely easy to use, not to mention portable! :)

Posted : 14/06/2011 5:53 pm
kovar
(@kovar)
Senior Member

Greetings,

I was unable to get a Mac Air to boot with WinFE. Multiple sources told me that the Air would only boot from an external OS X boot source so WinFE, Raptor, etc all will not work on "recent" Airs. The only surefire option, at the moment, seems to be MacQuisition.

-David

Posted : 15/06/2011 9:50 am
jgarcia
(@jgarcia)
Junior Member

Sorry for the late reply, but have you heard of Paladin by Sumuri? It's pretty good and at a good price, FREE :-)

Steve Whalen, who created the Raptor Live CD, created Paladin when he left Forward Discovery.

http://www.sumuri.com/index.php?option=com_content&view=article&id=93&Itemid=87

http://www.sumuri.com/software/paladin-download.html

Joe

Posted : 24/06/2011 5:32 am
imk54831
(@imk54831)
New Member

Another alternative is to install a licensed copy of retail OSX onto a USB and set the permissions on the /Volumes folder on your USB based OSX to prevent auto-mounting during boot. From here you can use FTK imager or dd to image.

Ian

Posted : 08/07/2011 11:36 pm
kovar
(@kovar)
Senior Member

Greetings,

I've been meaning to build one of these, but haven't gotten motivated yet ….

-David

Posted : 09/07/2011 4:26 am
Beetle
(@beetle)
Active Member

> Greetings,
>
> I was unable to get a Mac Air to boot with WinFE. Multiple sources told me that the Air would only boot from an external OS X boot source so WinFE, Raptor, etc all will not work on "recent" Airs. The only surefire option, at the moment, seems to be MacQuisition.
>
> -David

Interesting, was there a difference if you were using the "magical" Apple external Air DVD drive or were your results using something else for a boot device? Was there any indication from your sources as to what was different between the different generations? Is it something to do with SSDs?

I am curious if there has been some change in the hardware.

Posted : 09/07/2011 5:32 am
kovar
(@kovar)
Senior Member

Greetings,

The issue seemed to be only with booting from a thumb drive or external USB drive. Booting from a CD and an external CD drive seems to work, though more testing is required.

-David

Posted : 09/07/2011 11:55 am
Beetle
(@beetle)
Active Member

> Another alternative is to install a licensed copy of retail OSX onto a USB and set the permissions on the /Volumes folder on your USB based OSX to prevent auto-mounting during boot. From here you can use FTK imager or dd to image
>
> Ian

This is not a permissions issue but disk arbitration that auto mounts detected mass storage devices. You need to look into disabling disk arbitration in the launchctl routines.

Posted : 09/07/2011 6:31 pm
Beetle
(@beetle)
Active Member

> Greetings,
>
> The issue seemed to be only with booting from a thumb drive or external USB drive. Booting from a CD and an external CD drive seems to work, though more testing is required.
>
> -David

I recall looking into this back before I retired a couple of years ago and we were told by Apple engineers the Airs look for the Apple external drive or a network boot from another Mac. It was something that was built into the drive firmware that was required and was part of the EFI implementation for the Air specifically. We had managed to boot from external hdds we had Leopard installed on but there may have been changes between the Air revisions and that may only have been unique to our testing machine at the time. As a result the procedure adopted was to pull the drive and image it that way.

Posted : 09/07/2011 6:41 pm
imk54831
(@imk54831)
New Member

> Interesting, was there a difference if you were using the "magical" Apple external Air DVD drive or were your results using something else for a boot device? Was there any indication from your sources as to what was different between the different generations? Is it something to do with SSDs?
>
> I am curious if there has been some change in the hardware.

Our testing with the newer SSD MBA and an Apple MBA Superdrive allowed us to boot into Raptor, Paladin, Helix and WinFE. However, none of these live CDs detected the SSD drive.

Posted : 10/07/2011 11:28 pm
Ricco
(@ricco)
Member

So if there is only one USB port, how can the acquisition be done if the DVD for booting is connected?
Sorry if I have missed something.

Posted : 07/08/2011 6:34 pm
ThePM
(@thepm)
Active Member

USB hub…

Posted : 07/08/2011 7:04 pm