Matt Barnett walks you through creating a forensic copy of an APFS drive.
Creating a forensic image, while following a forensically-sound process is a bit of a tightrope act on macOS. By default, the OS wants to auto-mount every device that gets plugged in. In order to stop this from happening we need to disable a core system daemon (DiskArbitrationd) and this is going to put the OS in a precarious spot. Disabling DiskArbitrationd will stop the automatic mounting of drives, but it also reduces stability of the OS and disables helpful utilities like
So I’m going to show you a workaround process for completing a forensically-sound copy without a write blocker. That said, obviously a hardware write blocker is the gold standard for forensic analysis but, if you don’t have one handy or you don’t have one that supports USB-C, this is what you can do.
First baseline your connected devices:
Then, find your disk arbitration process and pause it:
sudo launchctl list | grep diskarbitrationd
sudo kill -SIGSTOP pid
Now, connect your device in Target Disk mode (power on and hold 'T') via USB C cable not via Thunderbolt and run
Locate your newly-visible disks. If you see 2 new disks, you’re on the right track. The first is the APFS container and the second is the synthesized file system. The second one is the one we want to image. Break out
caffeinate to keep the computer from sleeping and
dd to create the image using the second added disk number:
caffeinate -i sudo dd if=/dev/diskn+1 of=/target/location/evidence.img.dd bs = 1m
Go get more coffee
When it finishes, hash the drive and the disk with MD5:
Disconnect the USB cable
sudo kill -SIGCONT pid
Here are a few helpful tools that may assist you with the acquisition process.
Disclaimer: SEVN-X may earn a small commission from some or all of the provided links.
Disk Drive Reader
1Tb Western Digital Hard Drive
About the Author
Matt Barnett, CISSP, GFCA
Chief Strategist & Cofounder
After years in IT, performing network and system administration, software development, and architecting cloud migrations, Matt began to focus his efforts in cybersecurity. Matt draws on his technical competency and law enforcement background to assist clients, in both proactive and incident response capacities. In addition, Matt has developed an arsenal of applications, strategies, policies, and procedures to assist clients in achieving better cybersecurity.