This post covers two methods, one hardware-based and one software-based, for forensically imaging the Late 2010 Model A1370 MacBook Air.
Method 1 = Hardware Based Imaging
The first method involves removing the internal solid-state drive (SSD) from the MacBook Air. This is the only way to directly access the SSD, as the A1370 has no Thunderbolt port to use Target Disk Mode. You will need an Apple Pentalobe screwdriver to remove the bottom cover and a T5 Torx screwdriver to remove the drive itself from the chassis. Once you have removed the drive from the chassis, connect it to a SATA write-blocker. For more detail and images on how to properly remove the SSD, you can visit the following link to iFixit’s teardown.
Since the MacBook Air’s SSD uses an mSATA connector, you may need to purchase an adapter similar to this one:
Once the drive is connected through the write-blocker, feel free to use whatever imaging software you like to image it. If you are using a Linux distro, we recommend dc3dd, as it hashes the data on the fly to verify that the image is a faithful copy.
Method 2 = Software Based Imaging
Update: When we attempted to image the MacBook Air’s SSD using a Linux Live-CD, we used three different popular forensics Linux distros. Helix and Raptor would not see the internal SSD. Paladin wouldn’t boot. At this point, we assumed either that Linux Live-CDs would not see the internal drive, or that there was some driver issue that we did not have time to troubleshoot. However, Marco Alvise De Stefani, a Digital Forensics Consultant from Italy, pointed us to a new forensic distro called DEFT 7.
I wish we had known about this distro earlier, as it is an incredible piece of software. Developed in Italy, DEFT 7 utilizes the new Linux 3.0 kernel, combined with what the developers call DART (Digital Advanced Response Toolkit). Also thrown in are a number of Windows-based forensic toolkits, intended to be run through Wine. Whether it’s the new kernel or the updated toolkits, this Live-CD immediately saw the internal MacBook Air SSD. The drive was left unmounted, so we were able to successfully image it using dc3dd in a forensically sound manner. For more information, please visit DEFT’s site and give the OS a spin. Part of the site is in Italian, but it is fairly easy to navigate to the ISO download. The US mirrors were down when we downloaded, but we still got 3+ MB/s from the Italian mirror.
Original Post: On a personal note, if you decide to go this route because you either don’t have the tools or you just want to give this method a go, I apologize in advance. This method can be very confusing, time consuming, and not 100% forensically sound. You are going to need the following items:
- A second Mac computer
- A spare external hard drive
- A Mac C compiler, i.e. an Xcode license (optional)
First, let’s cover what you can’t do. Normally, to perform software-based imaging, you would create a bootable Linux Live-CD and boot the MacBook Air in question off the Live-CD. The first issue is the MacBook Air’s lack of a disc drive. A USB disc drive, like the Apple SuperDrive or any other USB disc drive, solves this problem. Once you have a drive, you need to choose a Live-CD to load off of. For our testing, we attempted to use Helix, Raptor 2.0 and Paladin 2.0. Helix and Raptor loaded into the Linux OS just fine, whereas we could never get Paladin past the splash screen. Now, Helix and Paladin are intended to not mount any attached drive at all, or to mount it read-only, to prevent write changes. What we noticed in our testing is that the CDs didn’t see the MacBook Air SSD at all. We did some research and discovered that, due to Apple firmware, the Linux Live-CDs are unable to actually see, and thus image, the internal SSD. They will see USB-attached drives just fine, but that’s not what we needed in this case. That’s why using a Live-CD to image will not work. With that out of the way, we can move on to what will work.
So how do we accomplish imaging the MacBook Air? The first thing we have to do is take an external hard drive and install Mac OS X on it. A bootable copy of Mac OS X is the only OS that will see the internal SSD properly. I warned you that this was going to be time consuming. You can use an internal HD if you like, but keep in mind that the end result requires the drive to be connected to the MacBook Air via a USB cable. We used Mac OS X Lion in our case, because we were able to load into Recovery on one of our internal computers and reinstall the OS on the external drive. If you have a 10.6 install disc, that will work as well.
Hopefully, you already have Xcode installed on your second Mac. You need Xcode for the C compiler, and you need the C compiler in order to compile dc3dd for Mac OS X. If you just want to stick with dd for the imaging, then don’t worry about the C compiler. We use dc3dd because of its hashing ability, which lets us verify a sound forensic capture. If you decide to use dc3dd, copy the compiled binary to a thumb drive. Once you get the OS installed on the external drive, you will need to use a separate Mac to boot off the external, because we need to make some modifications before we connect it to the MacBook Air in question. One is copying dc3dd somewhere onto the external Mac.
Now that we have reliable imaging software, we need to ensure that when we boot the MacBook Air off this external drive, auto-mount is disabled.
Bad news: we were unable to find a reliable method for disabling auto-mount. We attempted to turn off disk arbitration. The problem is that this did not hold across restarts. Next we tried removing the disk arbitration plist file that controls auto-mounting. DON’T DO THIS. That killed the OS, and we had to reinstall it because of it. Once we had the external up and running again, we tried using a disk arbitration program.
Again, like the manual edits earlier, the changes didn’t hold across restarts. It’s important to note that our chief concern at this point was Spotlight. We did not want Mac OS X to start indexing attached drives automatically, for fear of altering various timestamps. So, with disk arbitration out of the way, we had to focus on a way to disable Spotlight. First, we attempted to disable Spotlight with the following command:
sudo mdutil -a -i off
This worked on existing volumes, but not for new ones. Finally, we decided to remove the service altogether. You can’t uninstall Spotlight, but you can move its reference code, found in:
There is a file called mds. Move this file to your Desktop for safekeeping. This will disable Spotlight for good. It will noticeably slow down your system, so be prepared for it. With that done, we can finally boot the MacBook Air in question off this external drive. Holding the “Option” key to ensure we enter the boot menu, load into the external drive’s OS. As soon as possible, open a terminal window and enter the following command.
sudo diskutil unmountDisk /dev/rdisk0
This will unmount the MacBook Air’s internal SSD. With Spotlight disabled and the drive now unmounted, you can use whatever imaging software you like to image the internal drive. For our research, it was very trying, but ultimately rewarding, to develop this method.
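Both methods end with the same step: image the unmounted SSD and confirm by hash that the image is a faithful copy, which is the check dc3dd performs on the fly. The script below is an added example, not from the original post, that does that verification with plain dd and SHA-256, and wraps the two Mac OS X preparation commands from the post in a helper; the function names and the sample "disk" file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): image a source to a file and
# verify the copy by hash, the same check dc3dd does on the fly.
# Helper names and the sample file are constructed for this example.

sha256_of() {
  # Portable SHA-256 of a file: coreutils on Linux, shasum on Mac OS X
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# image_and_verify SOURCE IMAGE
# Copies SOURCE to IMAGE with dd, then compares the SHA-256 of both.
# Prints "VERIFIED <hash>" and returns 0 on a byte-identical image,
# prints "MISMATCH ..." and returns 1 otherwise.
image_and_verify() {
  src="$1"; img="$2"
  dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$img")
  if [ "$src_hash" = "$img_hash" ]; then
    echo "VERIFIED $src_hash"
    return 0
  fi
  echo "MISMATCH source=$src_hash image=$img_hash"
  return 1
}

# prepare_mac_target: the two commands from the post, run from the external
# Mac OS X boot disk before imaging (needs sudo; Mac OS X only, not run here).
prepare_mac_target() {
  [ "$(uname)" = "Darwin" ] || { echo "not Mac OS X" >&2; return 1; }
  sudo mdutil -a -i off                    # stop Spotlight indexing
  sudo diskutil unmountDisk /dev/rdisk0    # unmount the internal SSD
}

# Demo on a constructed 1 MiB sample "disk" when run with --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  dd if=/dev/urandom of="$tmp/disk.bin" bs=4096 count=256 2>/dev/null
  image_and_verify "$tmp/disk.bin" "$tmp/disk.img"
  rm -rf "$tmp"
fi
```

On the real target the SOURCE argument would be the unmounted internal SSD device rather than a file, and the hash printed should be recorded with the image.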
Hope you all enjoyed the read.