killohydro.blogg.se

18 April 2022 - 12:33
Mac os x disc image
Allmänt
Mac os x disc image













mac os x disc image
  1. #MAC OS X DISC IMAGE HOW TO#
  2. #MAC OS X DISC IMAGE PASSWORD#
  3. #MAC OS X DISC IMAGE SERIES#
  4. #MAC OS X DISC IMAGE MAC#

If a Firmware password is set, I have seen times when it it would bypass single user mode boot up directly the system and change a lot of time stamps at boot time Boot using Option key, see if there is no Lock Icon, shutdown and reboot from Single User Mode.

#MAC OS X DISC IMAGE MAC#

It is always good to boot a Mac first holding down the Option key to make sure the system does not have a Firmware Password before trying to boot into Single User Mode. I wanted to pass them on as they are really helpful!Ī few things I thought I would pass on about your post: These are some comments sent to me by Derrick Donnelly. Single user-mode logs in as root, and this can be very dangerous. I also recommend trying this on a test Mac before running these steps on actual evidence. I was limited to one test system, one hard drive and FileVault2 encryption. While these steps worked on my test Mac, examiners should always test and research the model they are encountering.

  • dd if=/dev/rdisk0 bs=4k conv=noerror,sync of=/tmp/usb/rdisk0.dd (HFS USB).
  • dd if=/dev/disk0 bs=4k conv=sync,noerror | split -b 2000m - /tmp/usb/disk0.split.
  • mount -t hfs /dev/disk2s2 /tmp/usb (for HFS).
  • mount -t msdos /dev/disk1s1 /tmp/usb (for FAT32).
  • Use mkdir /tmp/USB to create a mount point.
  • Use mount -uw / to change internal drive to read/write.
  • Use ls /dev/disk* to determine USB drive device.
  • Use ls /dev/disk* to determine the disk(s) to image.
  • Use Command-S to boot into single user mode.
    • So, in summary, here are the steps and commands covered above:

    mac os x disc image

    Since FAT32 has a 4GB file size limit, dd will need to be piped through the split command to keep the file size under 4GB: rdisk provides access to the raw disk which is supposed to be faster then /dev/disk which uses buffering.įor the unencrypted system the image will be of /dev/disk0 to a FAT32 USB mounted drive. If /dev/rdisk is available this can be used instead of /dev/disk.

  • conv=sync,noerror: if there is an error, null fill the rest of the block do not error out.
  • bs=4K : this is the block size used when creating an image.
    • This will be the disk that requires imaging
  • if=/dev/disk0: this stands for input file.
    • The syntax looks something like this:ĭd if=/dev/disk0 bs=4k conv=sync,noerror of=/tmp/usb/mac_image.dd For dd, I use the options recommend on the Forensic Wiki page. To create the image, the dd command can be used. Here I can see "MacEncryptedImage" and "MacImage", the folders I created on the USB drive. If the system is not encrypted a bunch of white text will scroll and finally present a shell with root: At this time, I do not to have the USB drive that will hold the image plugged in. I usually hold down this key combo before I even power on the system so I don't accidentally "miss" it. While the system is booting, select COMMAND-S to enter single-user mode. The first step is to boot into single-user mode. I have had some people in the community provide some great tips and suggestions since this was posted! The high level steps are:ģ) Mount the USB drive that will hold the imageĤ) Run the dd command to create the image For each step I will cover both scenarios. I tested two scenarios, one without encryption and one with encryption (FileVault 2).

    mac os x disc image

    Were created by default during the initial setup: an EFI partition, a MacOSX partition, and a recovery partition. The system I used for testing was a Mac Mini, OS X Version 10.8.5 with one hard drive. Another benefit is that if there is FileVault encryption, the encrypted drive is decrypted after a username and password are supplied. This may be a good option where it is acceptable to get a live image, but the examiner wishes to minimize changes to the hard drive. While not as forensically sound as using a write blocker or booting into a Linux distro, less changes are made than fully booting the operating system to take a live image. In order to mount the USB drive, the internal drive needs to be changed to read/write to create a mount point. Once in single-user mode, a USB drive can be attached and dd can be used to create an image. In single-user mode, the internal hard drive is mounted read only and a limited set of commands are available.

    mac os x disc image

    Single-user mode is a limited shell that a Mac can boot into before fully loading the operating system.

    #MAC OS X DISC IMAGE HOW TO#

    I plan on following up this post with posts on creating a live image and how to mount and work with FileVault encryption after an image is complete. This post will cover another option, creating an image by booting a Mac into single-user mode. My first post was on how to image a Mac with a bootable Linux distro.

    #MAC OS X DISC IMAGE SERIES#

    This is the second post in my series on different ways to image a Mac.















    Mac os x disc image
    0 kommentar(er)
    Om Mig: