Forensic Imaging of MAC OS is always a challenge among forensic investigators. physical access of MAC hdd by taking off it’s back lid is always a challenging task and may lead to it’s warranty issues. as per my experience very few people would like to choose this option. so now tool like ftkimager command line for MAC or unix DD command is the only solution.
Till now forensic imaging of MAC OS version 10.6 was doable task using tools ftk command line. but now days due to security features of latest MAC OS version 10.13 High Sierra has made it complicated task . An investigator may end up with error like “Operation Not Permitted” or it may differ.
A) One of the reasons behind this error is forensic tools has not provided support for this version till today.
B) MAC OS 10.13 (High Sierra) has built in “System integrity protection feature” . this feature designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.
In OS X(previous versions of MAC) , the “root” user account previously had no permission restrictions and could access any system folder or application on your Mac. Software gained root-level access when you entered your administrator name and password to install it and could then modify or overwrite any system file or application.
System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.
To solve this issue we have to follow below steps:
1 .Disable System integrity Protection:
steps to disable are below:
- Power off your Mac and Restart it
- Open terminal by using command + R key
- Copy and paste or type in the following:
** In few case you may require to take root or Sudo permission for using above commands
2. Run ftkimager command line version:
Use below commands
./ftkimager [source] [dest_file] [options].
a. Source can specify a block device, a supported image file, or ‘-‘ for stdin
b. If dest_file is specified, a proper extension for the image type will be appended. If dest_file is ‘-‘ or not specified, raw data will be written to stdout
for better understanding of this command kindly click on this link
3. Enable System integrity Protection:
This is very crucial step once imaging has been accomplished an investigator is suppose to re-enable integrity protection . if this option remain disable system may become vulnerable.
Note: here we tried our best to give solution of given challenge if still any reader find any possibility to improvement or have any confusion regarding above mentioned steps kindly let us know.