Over the years, MacForensicsLab.com have had many chances to tinkle with various Mac hardware. We have included some of our support crews’ experience below. However, ever since we stumbled on the iFixIt web sites, we believe there is no more reason for us to reinvent the wheel. We have been recommending customers to visit iFixit site for step-by-step instructions on opening up Macs and accessing the disk drives (HDDs or SSDs). If you job includes accessing the data in a forensic manner, I would strongly recommend you to visit iFixit at https://www.ifixit.com/ when the need arises.
Removing a Mac Hard Drive
With the smaller and more compact design of computers these days, it’s becoming increasingly difficult to take them apart to get access to the hard drive for forensic acquisition and examination. Should you choose to take the Mac apart to access the hard drive for forensic investigation, Apple has created service manuals that outline the procedures necessary to remove the hard drive from Apple computers. Mac laptops are very difficult to take apart to access the hard drive because of the compact size and placement of the drive. A much easier option to taking the Mac apart to access the hard drive for forensic acquisition is to use Target Disk Mode. This mounts the suspect Mac as a FireWire device to allow for acquisition without removing the hard drive from the Mac. You can find information on acquiring via Target Disk Mode here on the MacForensicsLab.com web site. Make sure you disable Disk Arbitration using MacForensicsLab before connecting a suspect drive using Target Disk Mode to prevent writing to the device.
MacBook Air Take Apart Guide
Apple’s MacBook Air is a small light-weight laptop for users on the go. It packs lots of features into a small package. The small and compact size means that all the components are tightly squeezed into the MacBook Air. Take apart can be difficult but pictures can be helpful should you choose to venture inside. You can find a detailed take apart of the MacBook Air with lots of pictures here.
Mac mini Take Apart Guide
The Mac mini is a small, low cost Mac that offers a lot of features in a small package. It’s a nice entry level machine for new and old Mac users. The low price along with it’s rich feature set make it an ideal machine for general users.
Although a forensic examiner can connect the Mac mini to their forensic workstation via Target Disk Mode and use software write blocking, the ideal way to image the suspect drive and examine it is to remove the hard drive and connect it with a hardware write blocker. Because of the Mac mini’s small size the internal components are tightly packed inside.
To remove the hard drive you will need a small computer screw driver (Phillips head) and a thin 1.5 inch putty knife. You may want to sharpen the edge using some fie grit sand paper first to make it easier to slide into the Mac mini case.
Place the Mac mini upside down on a cloth or towel.
Slide your putty knife in the seam of the Mac mini as shown. Pull back on the putty knife until the white plastic pops up. Do the same on the other side.
Pull the main unit up and out of the case.
To remove the wireless antenna there are two tabs under it that you can gentely squeeze together. You may want to hold the antenna down a bit as it has a spring below it and the spring may shoot off.
Remove the screws in all four corners of the CD/DVD drive.
Lift the CD/DVD unit and hard drive from the motherboard below. Be careful as the hard drive is still attached to the motherboard via a thin ribbon cable and the Airport antenna is still connected too.
Remove the 2 screws on each side of the hard drive. Then slide the drive out.
You can now connect the 2.5″ SATA drive (IDE in the older Mac mini G4 models) to a hardware write blocker to make a forensically sound aquisition of the suspect drive.