Hi All,
I Want to know the better/best possible solution for Forensically Imaging the Apple Mac Systems.
What can be the best solution from following?
1. Imaging a Mac using Paladin ( But paladin doesn't supports Vault encrypted mac systems)
2. Imaging a MAC using Macquisition ( But in this we need to boot it)
3. Imaging a MAC SSD by taking it out and using a Connector and then Image it using Encase/FTK ( But does Encase would be able to Image the Encrypted Mac systems?)
4. Any other solution.
Please suggest,
Regards
Aditya
We use MacQuisition. I have used Paladin but more often that not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.
+1 for Macquisition. Excellent tool for imaging Macs, for the reasons outlined above.
By the way - given your comment regarding "you have to boot it", are you aware that Macquisition works in a similar way to Paladin, i.e. it comes as a bootable USB stick?
We use MacQuisition. I have used Paladin but more often that not we found that MQ covered most if not all Apple computers including Fusion drives, etc. so we stick with MQ.
+2 for this as well. I have found Fusion drives a particular nightmare only MQ recovered. Often I had to boot another mac using MQ and thunderbolt the mac with the Fusion drive out into the machine running MQ with a big drive inside it just to see the data properly.
+3 for MacQuisition
On the occasion it does fail–and it does happen–we've also used target disk mode when connected to a FireWire write blocker, and single user mode with a USB3 hard drive with FTK Imager CLI on it. Single user mode mounts the system volume read-only unless you make it read/write on purpose.