Depending on the digital forensic imaging tool you have available, creating a forensic image of a Mac computer can be either an anxiety-creating situation, or as easy as “1-2-3-START”. There are several things you must identify ahead of attempting a full disk image of the system. Below are some things to consider:
1. Type of Mac computer: Identify the serial number / model number; identify if the Mac is installed with a T2 security chip. Are SecureBoot settings enabled to prevent booting from external media?
2. What file system (HFS+ vs APFS) is currently running on the source Mac?
3. Is FileVault2 enabled on the source Mac? Do you have the password or Recovery Key available?
4. Do you need a logical or physical acquisition of the Mac?
5. Has the owner of the Mac enabled a firmware password on the system?
6. Is the Mac installed with a fusion drive?
7. Do you need a RAM image?
Having the answers to the above questions is imperative.