Interesting look at forensically examining a MacBook

14 November 2015, 03:56

In the video below forensics expert Scott Moulton provides a fascinating insight into the difficulties of creating a forensically sound image of the contents of a MacBook’s hard drive (that’s one of the new MacBooks, and not a Pro or Air model.)

To create a forensic image you need to ensure there is no possibility of writing to the target drive, which would contaminate the evidence. Hardware write blockers are the usual answer but, as Scott explains, they don't work with this MacBook at present.
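The write blocker stops the examiner's machine from touching the source; the other half of "forensically sound" is proving the image matches the source bit for bit. The script below is an added example (not from the post, and not how MacQuisition works): it images a device or file with `dd`, hashes the source before and after imaging to show nothing changed, and compares the image's hash against the source. The 1 MiB random file it images is a constructed stand-in for a drive.

```shell
#!/bin/sh
# Added example: raw imaging with dd plus hash verification.
# The hash comparison only proves the copy matches the source; a write
# blocker (hardware, or on Linux `blockdev --setro /dev/sdX` as a software
# fallback) is still what guarantees the source was never written to.

hash256() {
    # Portable SHA-256: sha256sum (GNU coreutils) or shasum (macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the image hashes identically to the source.
verify_image() {
    [ "$(hash256 "$1")" = "$(hash256 "$2")" ]
}

# Image SRC to DST and check three hashes: source before, source after
# (must be unchanged), and the image itself (must equal the source).
image_and_verify() {
    src="$1"; dst="$2"
    pre=$(hash256 "$src")
    # Plain block copy; no conv=sync, which would pad and break the hash.
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1
    post=$(hash256 "$src")
    [ "$pre" = "$post" ] || return 1   # source was modified during imaging
    verify_image "$src" "$dst"
}

# Constructed sample evidence: 1 MiB of random bytes stands in for the drive.
make_sample() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/evidence.bin"
    image_and_verify "$tmp/evidence.bin" "$tmp/evidence.dd"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` to see the full cycle; in practice `src` would be the raw device node and `dst` a file on a separate evidence drive, with the hashes recorded in the case notes.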

Furthermore, imaging the MacBook's storage is made difficult (although not impossible!) by the fact that there's only one USB-C port, which is also used for charging. Charging and data extraction apparently can't happen at the same time except under certain hardware configurations (involving Apple's own USB-C adapter for the MacBook, wouldn't you know), and charging must happen during extraction because imaging can take a long time. Additionally, Scott can't simply remove the drive, as he normally would, because the storage is soldered onto the MacBook's logic board.

He eventually manages to create an image of the 512GB drive using MacQuisition over the course of nearly six hours, and although the drive is protected by FileVault, he happens to know the password because it's his own machine. As he points out, without the password he'd face a roadblock even he couldn't get past.
