If a hard drive is encrypted, a live image will allow you to create a logical image of the partition in an unencrypted state. In my previous posts I covered how to image a Mac using single user mode and a Linux USB boot disk. I've put off doing this blog post because there is a very detailed and well written post by Matt at 505Forensics that covers this topic. In his blog post, Matt walks though step by step how to image a Mac using the FTK Imager command line tool for Mac OS X operating systems. As such, I wanted to cover how to do a live image using the dd command as another option.
Using FTK command line has some distinct advantages over dd. There are options to compress the image, choose e01 format and supply case information. However, if time and speed are an issue, dd may be a better option. For example, I've been onsite when 10 Macs needed to be imaged - dd was nice to use so we could finish up in time for dinner. If you can leave an image running overnight - it's probably not as critical. See below for the test data:
FTK Imager: Total image time 1 hour, 49 min and 04 sec:
dd image with md5: 15 minutes
Please note - this testing is not by any means extensive (unlike the recent testing by Eric Zimmerman on some forensic software). I created several images using both methods and the image times listed above were about the same.
The first step is to run diskutil to see what the disk layout looks like and to determine what to image. I like to do this before I plug in my external USB. This makes it easier to see what drive needs to be imaged.
|No FileVault2/No Encryption
My system has both OS X and Windows (Bootcamp) installed. As you can see /dev/disk0 is my physical drive. Partition 2 is the Machintosh HD and Partition 4 is the Windows aka Bootcamp partition. The logical, active device I want to image is /dev/disk1. As you can see in the screenshot above, it is listed as the logical, unencrypted volume and refers back to disk0s2. (If you do run across a system with Bootcamp you will probably want to grab that partition as well, but for the purpose of this blog post I am focusing on the Mac partition)
Below is a screen shot of what the same system looks like with FileVault2 turned on. Note that it says "Unlocked Encrypted". In this scenario, /dev/disk1 is logical volume I want to image.
Each /dev/disk has a corresponding /dev/rdisk:
rdisk is supposed to be faster than /dev/disk. As such, we are going to use /dev/rdisk1 instead of /dev/disk1 in the dd command.
Now would be a good time to plug in the external drive that will hold the image. On my system it auto mounted under /Volumes/<Device Name>
For dd, I am going to use the syntax suggested by the Forensic Wiki Page. The syntax looks something like this:
sudo dd if=/dev/rdisk1 bs=4k conv=sync,noerror of=/Volumes/MAC-Images/my_image.dd
Lets break down this command:
- sudo: run as super user
- if=/dev/rdisk1: this stands for input file. This will be the disk that requires imaging
- bs=4k : this is the block size used when creating an image. The Forensic Wiki recommends 4k
- conv=sync,noerror: if there is an error, null fill the rest of the block; do not error out
Better yet - let's add in an MD5 so we can have a hash of the image to make it more "forensicky". In order to do this:
dd if=/dev/rdisk1 bs=4k conv=sync,noerror | tee /Volumes/MAC-Images/my-image.dd | md5 > /Volumes/MAC-Images/my-image-md5.txt
According to the forensic wiki:
"The above alternate imaging command uses dd to read the hard-drive being imaged and outputs the data to tee. tee saves a copy of the data as your image file and also outputs a copy of the data to md5sum. md5sum calculates the hash which gets saved in mybgifile.md"
That's it! Happy imaging whichever tool you use.