Live Acquisition from a Mac running Mavericks

What You Need

1. Prevent Sleep

Connect to power

From the Apple menu, click System Preferences, Energy Saver.

Move Computer sleep to Never

Move Display sleep to Never

2. Allow Software from Unknown Developers

In System Preferences, click Show All, Security and Privacy.

Click the padlock in the lower left and enter password.

On the "General" tab, under "Allow apps downloaded from:", select "Anywhere".

In the pop-up box, click the "Allow From Anywhere" button.

Close "Security and Privacy".

3. Opening a Terminal

In Finder, from the menu bar, click "Go", "Utilities", and double-click "Terminal".

When I did it, the Terminal window was unusable--it just showed a "process completed" message.

If that happens, in the Terminal menu bar click Shell, "New Command...", and enter this command:

/bin/bash

That opens a Terminal you can use.

4. Capture RAM

This is the only RAM capture technique I was able to find that works on Mavericks.

To capture RAM, plug the USB hard drive into the evidence Mac. Its icon appears on the desktop.

Double-click that icon to open a Finder window showing the contents of the USB hard drive.

Drag OSXPMem-RC1.tar.gz from the USB disk to the evidence Mac's desktop.

In the Terminal window, execute these commands:

cd

pwd

Make a note of the current directory; in my case it was /Users/cnit

In a Terminal, execute this command:

sudo su -

When prompted, enter the password for the cnit account (the user who is logged in).

In a Terminal, execute these commands:

cd /Users/cnit/Desktop

tar xzf OSXPMem-RC1.tar.gz

cd OSXPMem

./osxpmem /Volumes/SAMFOR1/MAC-08-RAM-030614.dump

A box pops up warning "Kernel extension is not from an identified developer", as shown below. Click OK.

Lines start appearing on the screen showing sections of RAM as they are copied, as shown below.

When the process finishes, you will see the "Successfully wrote elf image" message shown below.

5. Image the Hard Drive (or SSD)

In the Terminal, execute this command:

diskutil list

Look at the list to find the evidence drive's device name; the internal drive is probably disk0, as shown below. The USB drive also appears in this list, so check the sizes and volume names to be sure you have the right one. The best way to read the evidence drive is through its raw (unbuffered) device path:

/dev/rdisk0
You could use /dev/disk0 but that was about 20% slower in my tests.

Look at the desktop icon to see the name of the USB drive. In my case it was named "SAMFOR1".

The path to it will be /Volumes/SAMFOR1.

In the Terminal, execute this command:

dd if=/dev/rdisk0 bs=64k of=/Volumes/SAMFOR1/MAC08-HD-030614.dd

It will take a long time. When I did it, it took 12,500 seconds (3.4 hours), as shown below.

Real image started at 5:54 am.

At 6:26 I noticed the screen saver was on and moved the mouse to look at the desktop; the copy was proceeding.

At 8:40, the screen saver was on, I moved the mouse to see the message. The image was done!

I saw that the image was larger than I expected, and finished sooner. So I took these two screenshots, from the evidence computer:

I copied those images to the USB hard drive.

6. Eject the USB Drive

In the Terminal, execute this command:

exit

On the evidence Mac's desktop, right-click the USB drive's icon and click Eject.

Appendix: My Speed Tests

Tests:

/dev/disk0 > USB, bs=64k : 22 MBps
/dev/disk0 | md5, bs=64k : 23 MBps

/dev/rdisk0 > USB, bs=1k : 6 MBps
/dev/rdisk0 | md5, bs=1k : 6 MBps

/dev/rdisk0 > USB, bs=64k : 27 MBps
/dev/rdisk0 | md5, bs=64k : 69 MBps

/dev/rdisk0 > USB, bs=1m : 25 MBps
/dev/rdisk0 | md5, bs=1m : 55 MBps

The whole disk is 320 GB = 320*1024 MB, so at the 27 MBps rate for /dev/rdisk0 with bs=64k it will take about
320*1024 MB / 27 MBps = 12,100 sec = 3.4 hrs.


Posted 3-5-14 5:24 PM by Sam Bowne
Updated with details of my real acquisition 3-6-14 8:41 am.