MacImager

Spread the love

1: Introduction – About MacImager

What is MacImager?

MacImager is a powerful Macintosh application for securing and acquiring forensics data. MacImager is device and file system independent, which means that the investigator can secure data from a normal Mac OS hard drive, USB key, PC disk, Linux disk, FAT32 disk, FLASH card, and almost any other media or file system that can be recognized in Mac OS X.

Even with its advanced features and performance, MacImager is extremely straightforward to handle. The easy-to-use interface is designed with any level of OS X investigator in mind and is highly accessible to all, with the completion of the whole acquisition process in just a few clicks.

MacImager Features

Written specifically for Mac OS X, MacImager includes powerful features that give the investigator greater control and flexibility in securing and acquiring data:

Works on faulty hardware – MacImager can recover data from mechanically unsound devices. The software uses several tried and tested methods, which in addition SubRosaSoft has improved upon, to read the same piece of information and to automatically skip of areas of the file system that are fully unreadable. By employing these methods, MacImager is able to recover data from sources that may have appeared to other software to be too physically broken to use. Even if the drive has been partially mechanically compromised, MacImager has the best chance at recovering evidence for further data retrieval and analysis.

2: Getting Started – The Basics of MacImager

MacImager is programmed to run on the following minimum specification:

  • Intel based Dual Core Apple Macintosh CPU
  • Mac OS X (version 10.6 or above)
  • 1 GB of RAM
  • Hard Disk (with 30 mb of space free for installation)
  • Second hard disk with sufficient disk space
  • Write blocker hardware strongly recommended
Quick Tip: Write blocker hardware strongly recommended
Connecting a suspect drive without a write blocker can compromise the integrity of the evidence.

Initial Setup

End User License Agreement

The first time the application is launched the user will be asked to accept the End User License Agreement and then to enter a valid registration number.

Enter Serial Number

Having done entering the serial number the user will be asked the administrator user password for the installation of files to the host computer. Once correctly entered, the necessary files will be added to the system, the user will then be taken to the Main Window.

The password is your administrator password, and not something assigned by us. If you don’t have a password (blank), you will need to assign one to the system to use MacImager.

To add a password, open your System Preferences… under the Apple menu. Click on Account
Then click on Change Password…and enter a new password. The user will be taken to the Main Window.

MacImager main window

Finding Help & Technical Support

Should the investigator need assistance working with MacImager there are a number of sources through which to get help:

Help within MacImager

The investigator can find from the Help drop menu, which offers the option to “Show Help”, taking the investigator other relevant web pages on the SubRosaSoft web site.

Technical Support

Our technical support is free via email and can be accessed at the following address: support@subrosasoft.com. The support hours are 10am to 6pm Pacific Standard Time Monday to Friday.

In addition to any support question(s), the investigator must include ALL of the following pieces of information:

  • Purchase information.
  • System configuration(s) – hard drive make, model etc.
  • System OS version.

System related information can be found by using the “System Profiler” application in the /Applications/Utilities folder.

3: Using MacImager – Navigating the Windows & Using the Functions

The Main Window

Immediately after start-up, the investigator will be presented with the MacImager splash screen. Once this has disappeared, he or she will then be taken to the ‘Main Window’.

MacImager main window

The Layout

The main window layout can be effectively divided into two sections: a panel for selecting device to be acquired and a Start button at the bottom.

Rescanning for a Device

If a device has been attached to the host computer after MacImager has been started and the Main Window reached, it may or may not appear automatically in the available drop down menus alongside each task in the Main Window. If this is the case, then simply select Rescan from the File drop menu and MacImager will be forced to search for all available Devices and Volumes, including Devices that cannot be mounted. Alternatively one can use the keyboard shortcut: [apple key] + [r].

Quick Tip: Mounting a Device
It should be noted that mounting a device may affect evidence and unless a write blocker is used, an investigator should not mount a device that he or she wishes to perform a MacImager upon.

Acquisition of Source Drive

MacImager main window

When acquiring forensics data by creating a disk image, the forensics investigator can only do so directly from the list of device list of the main window. Once the desired source is selected from the list, simply press the Start button and this will bring up a Save file dialog box. By default the file name appears as “Disk Image”, select and edit this to a preferred name and then chose a location into which to save the disk image.

MacImager save as window

Note: always save the disk image to a location other than that which one is creating an image of. Also, make sure that the device one is saving the new disk image to has enough storage space. The acquisition of a 1 TB hard drive will require the destination disk to have more than 1 TB of free capacity. Trying to generate a disk image of the workstation’s start-up disk will also yield an error.

For the mounted device that has been selected for acquisition, MacImager will first attempt to unmount it. A status bar then marks the progress of the acquisition, along with a variety of other information. This information includes: total data remaining to be copied; total data copied; total capacity; approximate current data transfer rate; and total time remaining till acquisition completed.

MacImager in progress

During the process of acquisition a text file is created in the same location as the image file, and contains a report for the disk image. The report contains the hash data (MD5)of the acquired drive.

MacImager Image And Hash Icons

After the acquisition process is completed, a dialog window will notify the forensics investigator as such and will provide him or her with a final error count. Close the dialog window by clicking the OK button.

MacImager Complete Dialog

The disk image can then be found in the previously specified location. You may want to lock the image so as to avoid the forensics investigator accidentally writing to it or deleting it.

You can easily prevent changes being made on any files or folders in Mac OS X by locking the file or folder in question.

  1. Select the file or folder you want locked
  2. Go to File > Get Info (or hit Command+i)
  3. Under ‘General’ click the ‘Locked’ checkbox
Quick Tip: Recovery Possibilities
MacImager will help in acquiring drives with bad blocks, drives with corrupted information, or intermittent errors in read/write. It can copy a disk corruption, but not fix it. It cannot recover drives with severe mechanical problems, or a failed circuit board.

The Acquistion Log

The log lists the date and time of an acquisition process, a description of it and the exact block details (offset, length, and MD5 hash sum). The hash data are generated every 4 MB and the last entry (row) corresponds the hash value of the entire device.

MacImager Hash Snippet

Quick Tip: What is MD5?
A checksum method with which to check the integrity of packets during the acquisition process. The checksums are used in the software world to provide assurance that the original and copied packets are identical.

4: Appendices – Getting Help and Technical Support

Finding Help within MacImager

Help can be found both via the standard help menu at the top of the screen.

On the Web

We provide over 100 links to forensic resources, manuals, a complete knowledge base and a plethora of additional information on our website. For updates, resources and additional information please visit: https://www.subrosasoft.com

Technical Support

We provide free technical support both via email or phone during the hours 10am to 6pm Pacific Standard Time (GMT -8) Monday to Friday. By email, we can be reached at the following address: support@subrosasoft.com. By phone, we can be reached at: +1 (510) 870 7883, or by fax on +1 (510) 868 3407.

In addition to any support question(s), the examiner must include ALL of the following pieces of information:

  • Valid purchase information.
  • System configuration(s) – hard drive make, model etc.
  • System OS version.
  • System related information can be found by using the “System Profiler” application in the -/Applications/Utilities folder.

Comments and Questions

If you have comments, problems, or questions about this product, or if you are interested in a site license, please contact us via email: info@subrosasoft.com

Company Address:

SubRosaSoft.com Inc.M
5387 Diana Common
Fremont, California 94555