• Apple Hates Forensicators

    Posted on January 31, 2013 by Lee Whitfield in Technical Articles.

    Not really, but some days it sure seems like it.

    We currently have a project where everyone in the case uses Apple computers. These computers are nice, no question. They are beautiful machines and scream quality. I love Apple products, make no mistake, but I’m now getting to the point where my frustration is boiling over.

    iMacs are interesting. We made the universal decision not to attempt drive removal because it is simply a nightmare to suction the screen out to get to the innards of the machine. We use a boot disc instead. We’ve found that DEFT is a good fit for Macs.

    For MacBook Pros we remove the drive and image. Pretty straightforward.

    MacBook Airs are a slightly different story. These have always been a challenge for Forensicators. First they had the LIF (Low Insertion Force) connectors, then the ZIF (Zero Insertion Force) connectors, then the strange SSDs that look like a stick of RAM.

    The LIF drives weren’t a problem as adapters for many write-blockers were freely available. ZIF was a nightmare because those adapters were so hard to find and purchase that I still don’t believe they exist. I believe I’d have more chance of seeing Santa come down the chimney than finding a ZIF connector. Finally on to the SSD sticks.

    At first these were problematic but, thanks to Ovie Carroll, I was able to find a SATA to Apple SSD adapter at Other World Computing. This was perfect and so easy for acquiring these tricky devices. That is until Apple went ahead and started using yet ANOTHER proprietary drive connector.

    This new connector even looks, at first sight, like the most recent connector. It isn’t until you try to connect it to the trusty adapter that you find that this new connector is actually fractionally too large to fit.

    I did some googling and found this:

    http://www.anandtech.com/show/6003/the-new-macbook-air-uses-toshibas-sata-6gbs-ssds

    It appears that the extra 2 pins are there so that the SSDs can run at 6Gbps as opposed to the older 3Gbps.

    No big deal, right? I mean, all we have to do is grab a copy of DEFT and start going to town, right? WRONG! The current version of DEFT (7.2 at the time of writing) does not support the retina displays in the new Airs and Pros, so you can’t see what you’re doing.

    Thankfully Paladin Linux does! We used that to acquire the tricky new drives found in both the MacBook Air and MacBook Pro. It worked fine but not before we wasted time with other solutions.

    Apple does a lot for our field, and we always find new things that mean we have to adapt and learn. It keeps things fun and interesting. I just wish we had the right equipment (or that it even existed) BEFORE these things rolled into the office.

2 Responses so far.

  1. Hey Lee! One great way to do acquisitions of the new Macs is Target Disk mode. Place the “new” Mac into Target Disk Mode, connect it to your analysis Mac using a Thunderbolt cable, and image away at 10Gb/s!

    If you don’t have Thunderbolt on your analysis Mac yet, then use Apple’s TB to Firewire 800 adapter and you can acquire at FW800 speeds.

    The Target Disk Mode (Thunderbolt or Firewire) is not write blocked in any way, so one must take usual precautions.

    Best wishes,
    Ryan

    • Lee Whitfield says:

      Thanks Ryan. Until recently I didn’t know that you could use TB for target disk mode. That is pretty awesome.
