To create the image, the dd command can be used. Here I can see "MacEncryptedImage" and "MacImage", the folders I created on the USB drive. If the system is not encrypted a bunch of white text will scroll and finally present a shell with root: At this time, I do not to have the USB drive that will hold the image plugged in. I usually hold down this key combo before I even power on the system so I don't accidentally "miss" it. While the system is booting, select COMMAND-S to enter single-user mode. The first step is to boot into single-user mode. I have had some people in the community provide some great tips and suggestions since this was posted! The high level steps are:ģ) Mount the USB drive that will hold the imageĤ) Run the dd command to create the image For each step I will cover both scenarios. I tested two scenarios, one without encryption and one with encryption (FileVault 2). Were created by default during the initial setup: an EFI partition, a MacOSX partition, and a recovery partition. The system I used for testing was a Mac Mini, OS X Version 10.8.5 with one hard drive.
Putting a mac disk image on a usb password#
Another benefit is that if there is FileVault encryption, the encrypted drive is decrypted after a username and password are supplied. This may be a good option where it is acceptable to get a live image, but the examiner wishes to minimize changes to the hard drive.
While not as forensically sound as using a write blocker or booting into a Linux distro, less changes are made than fully booting the operating system to take a live image. In order to mount the USB drive, the internal drive needs to be changed to read/write to create a mount point. Once in single-user mode, a USB drive can be attached and dd can be used to create an image. In single-user mode, the internal hard drive is mounted read only and a limited set of commands are available. Single-user mode is a limited shell that a Mac can boot into before fully loading the operating system.
Putting a mac disk image on a usb how to#
I plan on following up this post with posts on creating a live image and how to mount and work with FileVault encryption after an image is complete. This post will cover another option, creating an image by booting a Mac into single-user mode.
My first post was on how to image a Mac with a bootable Linux distro. This is the second post in my series on different ways to image a Mac.