Matt Barnett walks you through creating a forensic copy of an APFS drive.

The Video

The Commands

Creating a forensic image while following a forensically sound process is a bit of a tightrope act on macOS. By default, the OS wants to auto-mount every device that gets plugged in. To stop this from happening we need to suspend a core system daemon (diskarbitrationd), and that puts the OS in a precarious spot: suspending diskarbitrationd stops the automatic mounting of drives, but it also reduces the stability of the OS and breaks helpful utilities like diskutil for as long as it is paused.

So I’m going to show you a workaround process for completing a forensically-sound copy without a write blocker. That said, obviously a hardware write blocker is the gold standard for forensic analysis but, if you don’t have one handy or you don’t have one that supports USB-C, this is what you can do.

First baseline your connected devices:

ls /dev/disk*

Then, find your disk arbitration process and pause it:

sudo launchctl list | grep diskarbitrationd

sudo kill -SIGSTOP pid

Now, connect your device in Target Disk Mode (power on and hold 'T') via a USB-C cable, not via Thunderbolt, and run ls again:

ls /dev/disk*

Locate your newly-visible disks. If you see 2 new disks, you’re on the right track. The first is the APFS container and the second is the synthesized file system. The second one is the one we want to image. Break out caffeinate to keep the computer from sleeping and dd to create the image using the second added disk number:

caffeinate -i sudo dd if=/dev/diskn+1 of=/target/location/evidence.img.dd bs=1m

Go get more coffee

When it finishes, hash both the source disk and the image file with MD5 and confirm the two digests match:

md5 /dev/diskn+1

md5 /target/location/evidence.img.dd

Disconnect the USB-C cable.

Resume diskarbitrationd with the PID you paused earlier:

sudo kill -SIGCONT pid
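The whole procedure above, as an added example script (not from the original post) that snapshots the device list before and after the Mac is connected, picks the second newly visible whole disk, images it, compares the digests, and resumes the daemon even when imaging fails. It assumes macOS, that it is run as root (so launchctl sees the daemon and dd can read the device), and a hypothetical file name apfs_acquire.sh; the helper functions are kept portable so they can be exercised on Linux.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on macOS:
#   sudo sh apfs_acquire.sh /target/location/evidence.img.dd
# The helpers new_disks, image_target and image_and_verify also run under
# Linux sh, so md5sum is accepted where macOS md5 is absent.

snapshot_disks() { ls /dev/disk* 2>/dev/null | sort -u; }

# Device nodes present in the "after" list ($2) but not in the "before" list ($1).
new_disks() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$1" | sort -u >"$b"
    printf '%s\n' "$2" | sort -u >"$a"
    comm -13 "$b" "$a"; rm -f "$b" "$a"
}

# Of the newly visible whole disks (/dev/diskN, not diskNsM) the second is the
# synthesized APFS disk the post says to image. Fails if there is no second one.
image_target() {
    printf '%s\n' "$1" | grep -E '^/dev/disk[0-9]+$' | sed -n '2p' | grep .
}

# Digest only: md5 -q on macOS, md5sum elsewhere.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"; else md5sum "$1" | cut -d' ' -f1; fi
}

# Raw copy, then hash both sides; succeeds only when the digests match.
# bs=1m is BSD dd syntax (macOS); GNU dd wants 1M, hence the parameter.
image_and_verify() {
    src=$1; dst=$2; bs=${3:-1m}
    dd if="$src" of="$dst" bs="$bs" 2>/dev/null || return 1
    s=$(md5_of "$src"); d=$(md5_of "$dst")
    printf 'source %s\nimage  %s\n' "$s" "$d"
    [ "$s" = "$d" ]
}

acquire() {
    pid=$(launchctl list | awk '/diskarbitrationd/ {print $1}')
    before=$(snapshot_disks)
    kill -STOP "$pid"                       # pause auto-mount, as in the post
    echo "Connect the Mac in Target Disk Mode over USB-C, then press Enter"; read -r reply
    target=$(image_target "$(new_disks "$before" "$(snapshot_disks)")") \
        || { echo "did not see two new whole disks"; kill -CONT "$pid"; return 1; }
    echo "Imaging $target to $1"
    caffeinate -i -w $$ &                   # keep the Mac awake while this script runs
    if image_and_verify "$target" "$1"; then rc=0; else rc=1; fi
    echo "Unplug the USB-C cable, then press Enter"; read -r reply
    kill -CONT "$pid"                       # resume diskarbitrationd
    return $rc
}

if [ $# -gt 0 ]; then acquire "$1"; fi
```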

The Tools

Here are a few helpful tools that may assist you with the acquisition process.
Disclaimer: SEVN-X may earn a small commission from some or all of the provided links.

Docking Station
https://amzn.to/3Axz69j
Disk Drive Reader
https://amzn.to/3hJzitx
1Tb Western Digital Hard Drive
https://amzn.to/2SS9oeu
USB-C Cable
https://amzn.to/3htK8VH

Happy Hacking!
-Matt


About the Author

Matt Barnett, CISSP, GFCA
Chief Strategist & Cofounder

After years in IT, performing network and system administration, software development, and architecting cloud migrations, Matt began to focus his efforts in cybersecurity. Matt draws on his technical competency and law enforcement background to assist clients, in both proactive and incident response capacities. In addition, Matt has developed an arsenal of applications, strategies, policies, and procedures to assist clients in achieving better cybersecurity.