Got a new Mac I need to image. I would prefer to do it manually rather than buy a tool. Is it *really* as simple as just following these steps?
https://
I suspect not, but I'd like to know if you all have any experience before I begin.
Many thanks!
usually with mac, I boot the system with caine in a USB
That question depends on what tool you have to analyse the dump.
Although many tools are catching up, taking a logical image with a paid tool may be a better option than taking a free image, finding a Mac, creating a dmg, copying the files across from your image preserving metadata, and loading it onto a windows tool (and potentially not examining extended attributes)
However, if you have one for the tools that can interpret apfs (currently blacklight, xways, belkasoft evidence centre, and encase….YMMV, some support better than others. Some don't support encryption) then you can probably image fine with a free tool (ie paladin)
Thanks for your prompt replies!
So, when using Caine Live USB, on a new APFS system, is there any need to disable SIP or anything else prior to imagine or is it as easy as booting up and beginning to image?
I dont think you need to disable anything
But email Steve Whalen at Sumuri about the process with the free version of Paladin (it would be the same as with Caine)
If this is a new MAC, there is a reasonable chance it has a M2 NVMe SSD drive in it.
Some of the older USB bootable solutions will not support M2 NVME drives. Only know this as our own tool, OSFClone, didn't support this until recently.