Forensic Imaging of MAC OS 10.13 -High Sierra

Spread The Knowledge 😌


Forensic Imaging of MAC OS is always a challenge among forensic investigators. physical access of  MAC hdd by  taking off it’s back lid is always a challenging task and may lead to it’s warranty issues. as per my experience very few people would like to choose this option.  so now tool like  ftkimager command line for MAC or unix DD command is the only solution.

Till now forensic imaging of  MAC OS version 10.6 was doable task using tools ftk command line. but now days due to security features of  latest  MAC OS version 10.13  High Sierra has made it complicated task . An investigator  may end up with error like “Operation Not Permitted”  or it may differ.


A)  One of the reasons behind this error is forensic tools has not provided         support for this version till today.

B)   MAC OS 10.13  (High Sierra) has built in “System integrity protection feature” . this feature designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.
              In OS X(previous versions of MAC) , the “root” user account previously  had no permission restrictions and could access any system folder or application on your Mac. Software gained root-level access when you entered your administrator name and password to install it and could then modify or overwrite any system file or application.

System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.


To solve this issue we have to follow below steps:

1 .Disable System integrity Protection:

steps to disable are below:

  •    Power off your Mac and Restart it
  •    Open terminal by using command + R key
  •    Copy and paste or type in the following:
     csrutil disable
  •    reboot

** In few case you may require to take root or Sudo permission for using above commands

2. Run ftkimager command line version:

Use below commands

./ftkimager  [source] [dest_file] [options]. 

 a.     Source can specify a block device, a supported image file, or ‘-‘ for stdin
b.   If dest_file is specified, a proper extension for the image type will be         appended.  If dest_file is ‘-‘ or not specified, raw data will be written to stdout

for better understanding of this command  kindly click on this link

3. Enable System integrity Protection: 

This is very crucial step once imaging has been accomplished  an investigator is suppose to re-enable  integrity protection . if this option remain disable system may become vulnerable.

Note: here we tried our best to give solution of given challenge if still any reader find any possibility to improvement or have any confusion regarding above mentioned steps  kindly let us  know.


Leave a Reply