04.01.2019

One thing I've learned when it comes to imaging Macs is that it's good to have options. When encountering Macs, it seems like there is always a challenge: no FireWire ports for target disk mode, no easy way to remove the hard drive, or, if the hard drive is removed, you don't have the specific adapter needed to connect your write blocker to the drive.

And of course, encryption. I am planning on doing several blog posts about different ways to image a Mac.

Depending on the situation, some may work and some may not, but I just wanted to throw some options out into the Google soup mix. The first option I am going to walk through is imaging a Mac with a live Linux bootable USB.


Many times cracking open something like a MacBook Air to grab a hard drive requires special tools and adapters which may not be readily available. If the Mac is already powered off, booting the Mac with a live Linux distro may be a good option. Once booted into Linux, an imaging tool with a GUI, like Guymager, can be used to create an image in E01 or dd format. For this post, I have selected the CAINE distro. CAINE stands for Computer Aided INvestigative Environment. This distro was made specifically for computer forensics. Upon boot, CAINE 'blocks all the block devices (e.g. /dev/sda), in Read-Only mode.' The examiner must take active steps, which include nice big warnings, to turn off this feature. While I did get Kali to work, it did not seem to offer the extra protection that CAINE does to keep the examiner from inadvertently mounting the wrong drive. If you are interested in making a Kali bootable USB drive for the Mac, I have included some brief instructions at the bottom of the post.

This method was tested with CAINE 7.0, Rufus 2.9, and a MacBook Air Early 2015 model.

Create the Bootable USB

The first step is to create a bootable USB drive on a Windows machine.

Download the CAINE iso. Rufus is the Windows program that will create a bootable USB drive from the iso.

Simply launch Rufus and select the CAINE iso as well as a blank USB drive bigger than 4 GB. (Note: I tried various other tools to create the bootable USB drive, and not all of them worked when it came time to boot the Mac. Thanks to @APFMarc for the tip on Rufus.) Below is a screenshot with the settings I used.

From the CAINE website documentation: "This new write-blocking method assures all disks are really preserved from accidentally writing operations, because they are locked in Read-Only mode. If you need to write a disk, you can unlock it with BlockOn/Off or using 'Mounter' changing the policy in writable mode." I personally prefer this extra layer of protection.

Mount the USB drive that will hold the image

Next, an external USB drive is needed to dump the image onto. This external device needs to be mounted writable so the image can be placed on it.

To do this, read-only mode needs to be turned off for any newly attached devices by using the Mounter program. Right clicking the Mounter icon in the task bar brings up the following dialog box. Now the drive can be accessed to create folders, dump the image to, etc. Note: if I try to do the same with the other devices on the host drive (e.g. BOOTCAMP and Macintosh HD), it gives me an error, thereby preventing me from accidentally mounting them.

Use Guymager to create the image

Now that the external USB drive is mounted, Guymager can be started to create the image. Guymager is found on the Desktop, or under Menu > Forensic Tools > Guymager.

Once launched, select the device that needs to be imaged by right clicking it. In this example, the drive I want is the 'ATA Apple SSD SM0256G'. Once started, the previous table will show the status of the imaging process. When the image is complete, Guymager will create a log file in the same directory as the image. An interesting tidbit: a while back, Eric Zimmerman did some testing on various imaging tools, and Guymager was one of the fastest :)

Kali live Linux bootable USB for Mac

So far, I've only found one method that works consistently to boot into Kali Linux on a Mac (at least on my test Mac). That method is to use the Mac Linux USB Loader on a Mac to create the bootable USB.

There is a video here that has step by step instructions for the Mac Linux USB Loader, but it's pretty straightforward to use. The basic steps are:

1) Download
2) Use Disk Utility on the Mac to format a USB drive with FAT32 and MBR
3) Run Mac Linux USB Loader and select the Kali iso
4) Choose Kali from the distro type

You can now boot into Kali and use Guymager on a Mac using the same steps I detailed in the sections above. One very important thing to note: using this method will automatically boot you into the Kali Live environment and you will not be given the choice of the Kali Linux Forensics Mode. In my limited testing it does not appear to mount the host drive, or make any changes to the drive. It also does not have the additional steps and warnings that CAINE does when it comes to inadvertently mounting drives. The Live version will also auto-mount plugged-in USB devices.
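The two things an examiner wants to confirm from the live environment, whether it is CAINE or a plain Kali Live boot, are that the evidence disk is still read-only and unmounted before imaging starts, and that the finished image hashes the same as the source afterwards. The script below is an added example written for this post; it is not the post's own code and not part of CAINE, Kali or Guymager. It assumes a Linux live environment with coreutils (dd, sha256sum) and the kernel's /sys/block and /proc/mounts interfaces; the device names and the sample mounts line used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post, CAINE, Kali or Guymager).
# Assumes a Linux live boot with coreutils and /sys/block, /proc/mounts.
# The read-only and mount checks need no root; imaging a real disk does.

# Report the kernel read-only flag of every disk. CAINE sets these to 1 at
# boot (its "blocks all the block devices" write blocking); a plain Kali
# Live boot leaves them at 0, so the examiner has to be more careful there.
list_ro_state() {
    for dev in /sys/block/sd* /sys/block/nvme* /sys/block/mmcblk*; do
        [ -e "$dev" ] || continue
        printf '%s ro=%s\n' "$(basename "$dev")" "$(cat "$dev/ro")"
    done
}

# Confirm that no partition of the evidence disk is mounted.
# $1 = device path such as /dev/sda (constructed example name)
# $2 = mounts table, defaults to /proc/mounts (overridable for testing)
# Returns 0 when nothing under that device is mounted, 1 otherwise.
check_not_mounted() {
    ! grep -q "^$1" "${2:-/proc/mounts}"
}

# Hash source and image, print both hashes, return 0 only when they match.
# Note: dd stops at the first read error, so a matching hash here also tells
# you the copy ran to the end; a failing disk needs a tool that logs bad
# sectors, which is what Guymager's log file gives you.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$dst_hash" "$2"
    [ "$src_hash" = "$dst_hash" ]
}

# Acquire a raw (dd-format) image of $1 into $2 and write a two-line hash log
# next to the image, the same way Guymager leaves its log beside the image.
# Returns 2 if dd fails, 1 if the hashes differ, 0 on a verified copy.
acquire_image() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=4M 2>/dev/null || return 2
    verify_image "$src" "$dest" > "$dest.log"
}

# Typical run from the live environment (constructed device names):
#   list_ro_state
#   check_not_mounted /dev/sda && acquire_image /dev/sda /mnt/evidence/mac.dd
```

Run the two checks before touching Guymager or dd: if list_ro_state shows ro=0 for the internal disk on a Kali Live boot, nothing in the kernel is stopping a stray write, and if check_not_mounted fails, the auto-mounter has already touched the evidence. The hash log written by acquire_image is what you compare against a later re-hash of the image to show it has not changed since acquisition.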