Remote Forensic Disk Imaging: MacBook Pro


I had the time to do some testing on a new Windows-based digital acquisitions computer last week. With word that there is a "MacBook" in the collection that needed to have a disk image created, I thought I would take the opportunity to do some testing on our own early 2011 MacBook Pro before the other device was taken out of storage for me to have a look at.

I was fortunate enough to complete advanced digital forensics training back in June this year and set out to work out the logistics of the task at hand - how can I create a forensic disk image of an Apple Mac computer using a PC running Windows?

My research led me to the discovery of Target Disk Mode (TDM) on Mac computers, which provides the ability to connect two computers using FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3. While this is designed to connect two Mac computers, it also provides the ability to mount the drive on any other computer that has the ability to both connect to and read it. The challenge with a Windows-based machine is the ability to read Mac HFS file systems.

Hardware and Software


In my case, the digital acquisitions PC is running Windows 7, utilising FTK Imager to create the disk image. FTK Imager can detect and image Mac file systems without installing any additional software. If you want to mount and read the disk image, this requires the installation of drivers or other software. 

It is possible to download the HFS+ drivers for Windows, which will provide read-only access to the disk image or any HFS formatted storage media on a Windows machine. It is important to note that if you do this, you need to remove any other programs you might have installed to read HFS formatted drives.

Hardware-based write-blockers are always recommended for any digital preservation/digital forensic work where possible. This is because hardware is more reliable than software when it comes to ensuring no data is being written to the target drive. I used a Tableau Forensic FireWire Bridge T9 to connect the MacBook to the PC.

You need a Mac computer with the ability to boot in TDM. It is also critical that FileVault is not turned on, otherwise the filesystem will be encrypted. If the disk is encrypted and you have the login details you can turn FileVault off, otherwise you will need to look into decryption. It is important to have these things in mind when laptops are acquired as part of a collection.

Disk Imaging

Once I had everything connected, and the MacBook booted in TDM, I used FTK Imager to create a physical disk image. With a 500 GB hard drive on the Mac, I left the default image fragment size of 1.5 GB, which divides the image into a series of sequentially numbered files all 1.5 GB in size. You can set it to create one single file, but with restrictions on file sizes on various file systems it is best to break it down into smaller chunks.

The disk imaging process took roughly four hours, and due to the fact that I only had a couple of 256 solid state drives on the PC, I needed to split the output of files across the drives by adding an overflow image destination.
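When an image is split into numbered fragments and spread across a primary and an overflow destination, the thing worth checking before the drives are reused is that every fragment is present, none is duplicated, and the hash of the concatenated stream matches the MD5 that FTK Imager reports at the end of the acquisition. The script below is an added example (not from the original post or from FTK Imager); it assumes raw (dd-style) split output named `<stem>.001`, `<stem>.002`, ... and builds a small constructed sample image in a temporary folder to run against.

```python
import hashlib
import os
import tempfile

def collect_segments(directories, stem):
    """Gather <stem>.NNN fragments from the primary and overflow destinations."""
    found = {}
    for directory in directories:
        for name in os.listdir(directory):
            stem_part, _, num_part = name.rpartition(".")
            if stem_part == stem and num_part.isdigit():
                num = int(num_part)
                if num in found:  # same fragment number in two folders is a copy error
                    raise ValueError(f"segment {num:03d} present twice ({directory})")
                found[num] = os.path.join(directory, name)
    if not found:
        raise ValueError(f"no segments named {stem}.NNN found")
    return [found[n] for n in sorted(found)]

def verify_image(directories, stem, expected_md5):
    """Check numbering, fragment sizes and a streaming MD5 across all segments."""
    paths = collect_segments(directories, stem)
    nums = [int(p[-3:]) for p in paths]
    sizes = [os.path.getsize(p) for p in paths]
    md5 = hashlib.md5()
    for path in paths:  # hash the concatenation without reassembling it on disk
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                md5.update(chunk)
    return {
        "segments": len(paths),
        "contiguous": nums == list(range(1, len(paths) + 1)),  # no missing fragment
        "uniform_fragments": len(set(sizes[:-1])) <= 1 and sizes[-1] <= sizes[0],
        "md5": md5.hexdigest(),
        "md5_matches": md5.hexdigest() == expected_md5.lower(),
    }

def demo():
    """Constructed sample: 1 KiB fragments, the last one short, split over two folders."""
    base = tempfile.mkdtemp()
    primary, overflow = os.path.join(base, "ssd1"), os.path.join(base, "ssd2")
    for folder in (primary, overflow):
        os.makedirs(folder)
    payload = bytes(range(256)) * 17  # 4352 bytes: four full fragments plus a 256-byte tail
    for start in range(0, len(payload), 1024):
        num = start // 1024 + 1
        dest = primary if num <= 3 else overflow  # fragments 4 and 5 went to the overflow drive
        with open(os.path.join(dest, f"macbook.{num:03d}"), "wb") as fh:
            fh.write(payload[start:start + 1024])
    return verify_image([primary, overflow], "macbook", hashlib.md5(payload).hexdigest())
```

For a real acquisition, point `verify_image` at the two destination folders, use the image file name as `stem`, and paste in the MD5 from FTK Imager's verification summary; a `False` in `contiguous` or `uniform_fragments` points at a missing or truncated fragment before you even look at the hash.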

Results

I tried mounting the disk image through FTK Imager before I had installed the HFS+ drivers. This meant that Windows could not read it, and asked if I wanted to format the disk when trying to access it through the Windows file browser. After installing the drivers and re-mounting the disk image I had no problem browsing through the files and folders.

Once you have created the forensic disk image, you now have the ability to analyse it using software such as Forensic Toolkit (FTK) or BitCurator. Unfortunately I did not select a good target machine for analysis as the MacBook Pro had been reformatted and not used in a while so it did not contain enough content to warrant analysis.

Future Challenge

After successfully testing this method for remotely disk imaging a Mac computer, the aforementioned "MacBook" in the collection was located in storage and found its way to me. It turns out that it is actually an Apple iBook G3/366 SE (Original/Clamshell) that does not have a FireWire port or the ability to use TDM. On top of that, it also has no power supply and the battery has previously been removed because it was expanding and had damaged the laptop body.


The first step will be sourcing a power supply and determining whether the machine will turn on as well as what operating system it is running. Then it will be a matter of determining the best way to create a disk image. The last resort will be removing the hard drive if it is determined that the laptop is just a physical carrier and the content is considered the collection item. If anyone has experience with this, I would love to hear from you!

Image credits: MacBook icon designed by D3Images / Freepik, Tableau forensic bridge icon designed by Matthew Burgess, PC computer icon from yED Graph Editor