The first option I am going to walk through is imaging a Mac with a Live Linux bootable USB. Many times cracking open something like a MacBook Air to grab a hard drive requires special tools and adapters which may not be readily available. If the Mac is already powered off, booting the Mac with a live Linux distro may be a good option. Once booted into Linux, an imaging tool with a GUI, like Guymager, can be used to create an image in E01 or dd format.

For this post, I have selected the CAINE distro. CAINE stands for Computer Aided INvestigative Environment and is made specifically for computer forensics: it leaves mounting to the examiner, who "must take active steps, which includes nice [...] dev/sda), in Read-Only mode." While I did get Kali to work, it did not seem to offer the extra protection that CAINE did to keep the examiner from inadvertently mounting the wrong drive. If you are interested in making a Kali bootable USB drive for the Mac, I have included some brief instructions at the bottom of the post.

This method was tested with CAINE 7.0, Rufus 2.9, and a MacBook Air Early 2015 model.

The first step is to create a bootable USB drive on a Windows machine. Rufus is the Windows program that will create a bootable USB drive from the iso. Simply launch Rufus and select the CAINE iso as well as a blank USB drive bigger than 4GB. (NOTE - I tried various other tools to create the bootable USB drive, and not all of them worked when it came time to boot the Mac.) Older versions of Rufus may not be able to handle this kind of iso correctly in ISO mode, and even if it does, the installer may not work properly when booted. Below is a screen shot with the settings I used. Rufus recommends using ISO image mode, so that you keep access to your device after writing. However, if you run into errors at boot, you can try writing this image again in DD image mode. Your USB stick isn't the problem though, so don't worry about it. Now, the bootable USB is ready to use.

Once started, the previous table will show a status on the imaging process. When the image is complete Guymager will create a log file in the same directory as the image. An interesting tidbit - a while back, Eric Zimmerman did some testing on various imaging tools, and Guymager was one of the fastest :)

So far, I've only found one method that works consistently to boot into Kali Linux on a Mac (at least on my test Mac). That method is to use the Mac Linux USB Loader on a Mac to create the bootable USB. There is a video here that has step by step instructions for the Mac Linux USB Loader, but it's pretty straightforward to use. The basic steps are:
1) Download Kali Linux
2) Using Disk Utility on the Mac, format a USB drive with FAT32 and MBR
3) Run Mac Linux USB Loader and select the Kali iso
You can now boot into Kali and use Guymager on a Mac using the same steps I detailed in the sections above.

One very important thing to note - using this method will automatically boot you into the Kali Live environment and you will not be given the choice for the Kali Linux Forensics Mode. In my limited testing it does not appear to mount the host drive, or make any changes to the drive. It also does not have the additional steps and warnings when it comes to inadvertently mounting drives that CAINE does. The Live version will also auto-mount plugged in USB devices. Proceed at your own risk, and as they state on the Kali website: "If you plan on using Kali for real world forensics of any type, we recommend that you don't just take our word for any of this. All forensic tools should always be validated to ensure that you know how they will behave in any circumstance in which you are going to be using them." Echoing these same sentiments, although I have walked through a method of imaging a Mac from a live Linux distro, please test and validate before using either of these methods in the real world.

Writing the iso to the USB drive from Linux with dd

First of all, we'll need to have dosfstools installed. Type in a terminal:
$ sudo pacman -S dosfstools
To format the drive, we have to unmount it. We need to use the path found in Step 1, in my case it's /dev/sdb. Unmount the drive:
$ sudo umount /dev/sdb
Now format it:
$ sudo mkfs.vfat /dev/sdb

1.3 Write the image
Type the following command, having 'input.iso' as the path where the image is located, and 'pathToYourUsbDrive' as the path to your USB drive:
$ sudo dd bs=4M if=input.iso of=pathToYourUsbDrive
For example, I have the image in /root/media/archlinux-2017.11.01-x86_64.iso and the path of my USB is /dev/sdb, so it would be something like this for me:
$ sudo dd bs=4M if=/root/media/archlinux-2017.11.01-x86_64.iso of=/dev/sdb
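The dd write goes straight to a raw device, and the whole CAINE-versus-Kali discussion turns on whether a disk is mounted when it should not be. Below is an added example, not code from the original post or from CAINE, Kali or Rufus: a POSIX shell pre-flight check that refuses to write an iso to a device while that device or any of its partitions appears in the mounts table, taking the table as a file so it can be exercised against a constructed /proc/mounts snapshot offline.

```shell
#!/bin/sh
# Added example, not from the original post or from CAINE, Kali or Rufus:
# refuse to dd an ISO onto a device that still has a mounted filesystem.
# The mounts table is a parameter so the check can run against a constructed
# snapshot instead of the live /proc/mounts.

# Print the mount point of every filesystem on DEVICE or one of its
# partitions. Linux names partitions /dev/sdb1 for /dev/sdb but
# /dev/nvme0n1p1 for /dev/nvme0n1: a "p" separator when the device name
# already ends in a digit. Field 1 of /proc/mounts is the source, field 2
# the mount point.
mounted_on_device() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    awk -v dev="$dev" '
        BEGIN { sep = (dev ~ /[0-9]$/) ? "p" : ""; re = "^" dev sep "[0-9]+$" }
        $1 == dev || $1 ~ re { print $2 }
    ' "$mounts"
}

# 0 when DEVICE is safe to overwrite, 1 when something on it is mounted.
device_is_unmounted() {
    hits=$(mounted_on_device "$1" "$2")
    if [ -n "$hits" ]; then
        printf 'refusing: %s has mounted filesystems at:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Write ISO to DEVICE only after the check passes, then sync so the write is
# flushed before the stick is pulled. With DRY_RUN=1 the dd command is
# printed instead of executed.
write_iso() {
    iso="$1"
    dev="$2"
    mounts="${3:-/proc/mounts}"
    [ -r "$iso" ] || { printf 'no such image: %s\n' "$iso" >&2; return 2; }
    device_is_unmounted "$dev" "$mounts" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: dd bs=4M if=%s of=%s && sync\n' "$iso" "$dev"
        return 0
    fi
    dd bs=4M if="$iso" of="$dev" && sync
}
```

Run it as `write_iso caine.iso /dev/sdb` on the live system; the device path and the mounts file are the only inputs, and the function exits non-zero with the offending mount points listed when the stick is still mounted.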