Another alternative is to install a licensed copy of retail OSX onto a USB and set the permissions on the /Volumes folder on your USB based OSX to prevent auto-mounting during boot. From here you can use FTK imager or dd to image
Ian
This is not a permissions issue but disk arbitration that auto mounts detected mass storage devices. You need to look into disabling disk arbitration in the launchctl routines.
Greetings,
The issue seemed to be only with booting from a thumb drive or external USB drive. Booting from a CD and an external CD drive seems to work, though more testing is required.
-David
I recall looking into this back before I retired a couple of years ago and we were told by Apple engineers the Airs look for the Apple external drive or a network boot from another Mac. It was something that was built into the drive firmware that was required and was part of the EFI implementation for the Air specifically. We had managed to boot from external hdds we had Leopard installed on but there may have been changes between the Air revisions and that may only have been unique to our testing machine at the time. As result the procedure adopted was to pull the drive and image it that way.
Interesting, was there a difference if you were using the "magical" Apple external Air DVD drive or were your results using something else for a boot device? Was there any indication from your sources as to what was different between the different generations? Is it something to do with SSDs?
I am curious if there has been some change in the hardware.
Our testing with the newer SSD MBA and an Apple MBA Superdrive allowed us to boot into Raptor, Paladin, Helix and WinFE. However, none of these live CDs detected the SSD drive.
So if there is only one USB port how the aquisition can be done if DVD for booting is connected?
Sorry if I have missed something
USB hub…
Ah ok )
So obvious
Thx
How are you booting this FTK Gui on macbook air? Some sort of boot CD? A specific booting method like target mode, etc.
Any details please.
Thank you.
Hi All,
I just acquired one of these and wanted to share my findings. This was a newer Macbook Air with 2 USB ports
-Raptor allows you to boot into the machine but does not recognize the SSD drive.
-Paladin allows you to boot into the machine but does not recognize the SSD drive. This one shouldn't have been a surprise but the website clearly states "Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)" so I was hoping that one would intend to image the mac after booting into it forensically.
-LinEn allows you to boot into the machine but does not recognize the SSD drive.I ended up using FTK Imager for Mac GUI (http//
www.appleexaminer.com/Utils/Downloads.html) to perform a live acquisition. It took about 2 hours to capture/transfer the 128GB drive to a USB2.0 external drive. I am also told that EncasePortable will do the job (using the boot CD, as it won't boot of USB drive).
Hope this helps some people in the future!
You could remove the SSD Board and use a USB bridge to acquire the contents.
You can get a device suitable for the 2010/2011 MacBook Airs from
You will also need a pentalobe screwdriver to open the case, which you can get from
Hope this helps
How are you booting this FTK Gui on macbook air? Some sort of boot CD? A specific booting method like target mode, etc.
Any details please.
Thank you.
Sorry for the incredibly delayed response. The FTK GUI was run from a USB drive (also used as destination) after logging into the machine with the user's credentials. The collection was for discovery purposes.
Thanks.
has anyone tried to use thunderbolt in target disk mode? my understanding is that it should work the same way as firewire.