1.Introduction #

RECON Imager was developed by SUMURI to provide the digital forensic practitioner with a bootable imaging utility which supports all modern Macintosh computers with Intel processors.  This is accomplished via two macOS based boot environments which have been modified to ensure that there are no writes to internal or externally attached media.

Additionally, RECON Imager helps the practitioner to easily identify Apple File System (APFS) container disks and volumes, FileVault, Fusion and other Core Storage volumes.  

In addition to creating forensic images of physical disks or volumes, RECON Imager can also image a Mac’s RAM without the need for an administrator password within RECON Imager’s boot environment.

2.Version Comparisons #

There are two versions of RECON IMAGER – Standard and PRO.  

RECON IMAGER (Standard)

RECON IMAGER (standard) is based on macOS.  Since it is based on macOS it can natively boot Intel Macs.  It also supports Apple proprietary technology such as Apple File System (APFS) container disks and volumes, FileVault, Fusion and other Core Storage volumes.  RECON Imager includes the option to image logically, which allows an examiner to import Apple data into forensic tools that do not natively support proprietary Apple file systems.

RECON IMAGER PRO

RECON IMAGER PRO is also based on macOS and includes all the features of RECON IMAGER (standard).  Additionally, RECON IMAGER PRO includes a new enhanced Logical Imager.  The enhanced Logical Imager functions allow the user to capture and preserve a variety of artifacts automatically.  The collected artifacts can be processed manually or automatically using RECON LAB.

The enhanced Logical imager also allows the user to create an image or logical copy of selected individual files or directories.  For example, if you are limited to accessing data from a single user it is possible to only select that user’s directory for imaging.

3.Supported Hardware #

RECON IMAGER works with Intel based Macs and has three boot options installed to support the largest number of Macs.  For the specific models supported by each boot mode please see below.

3.1.MODE A (DEFAULT) BOOT SUPPORTED HARDWARE #

  • MacBook (Early 2015)
  • MacBook (Late 2008 Aluminum, or Early 2009 or newer)
  • MacBook Pro (Mid/Late 2007 or newer)
  • MacBook Air (Late 2008 or newer)
  • Mac mini (Early 2009 or newer)
  • iMac (Mid 2007 or newer)
  • Mac Pro (Early 2008 or newer)
  • Xserve (Early 2009)

3.2.MODE B (NEWER MACS) BOOT SUPPORTED HARDWARE #

  • MacBook (Late 2009 or newer)
  • MacBook Pro (Mid 2010 or newer)
  • MacBook Air (Late 2010 or newer)
  • Mac mini (Mid 2010 or newer)
  • iMac (Late 2009 or newer)
  • Mac Pro (Mid 2010 or newer)

3.3.MODE C BOOT SUPPORTED HARDWARE #

  • MacBook (Early 2015 or newer)
  • MacBook Air (Mid 2012 or newer)
  • MacBook Pro (Mid 2012 or newer)
  • Mac mini (Late 2012 or newer)
  • iMac (Late 2012 or newer)
  • iMac Pro (2017)
  • Mac Pro (Late 2013; Mid 2010 and Mid 2012 models with recommended Metal-capable graphics cards)

4.Before You Start #

Imaging a Mac disk or volume is not as straightforward as imaging other file systems.  We highly recommend that you read the following sections before you begin; doing so will save you from creating an unusable image.

4.1.How Will You Process The Image? #

Before you begin you need to ask yourself which tool you will use to process the image that is created with RECON IMAGER.

Other than RECON LAB, very few forensic tools support some or all of Apple’s proprietary file systems and technologies.  RECON LAB was designed to process a Mac on a Mac, so it natively supports Mac images and their data.

If you are going to process your image with any other tool you will have to be careful in choosing your image format.  Whether you process your image with RECON LAB (a Mac-based tool) or with another tool will dictate your image format.

4.2.What To Image? #

Once you have decided on the forensic tool that you will be using you next need to decide what to image.

RECON IMAGER will show you all of your options, be it a traditional physical disk, a virtualized Core Storage disk or a synthesized APFS disk and its volumes.  There are a lot of choices, and what may seem like the right choice may be the wrong one, leading to an unusable image.

This manual will include a guide on what to image based on what forensic tool that you choose.

4.3.What Image Format Should I Use? #

Selecting the correct image format is crucial if you want an image that will work with your forensic tool of choice.  RECON IMAGER has multiple imaging options to cover all possible scenarios.

What you need to understand is that not all forensic tools can interpret Apple’s proprietary file systems and volumes.  SUMURI’s RECON LAB is one of the only tools that can mount all Apple file systems and also interpret their data properly.

In order to obtain data that can be used with other tools that do not support proprietary Apple file systems or volumes you must use one of RECON IMAGER’s logical imaging options, which are explained later in this manual.

5.Key Concepts To Understand #

Before using RECON Imager it is important that you understand some key concepts about imaging Mac computers.

5.1.Apple File System (APFS) #

Apple File System (APFS) is a proprietary file system from Apple used on macOS, iOS, watchOS and tvOS.  APFS is natively and fully supported on macOS High Sierra (10.13) and above and has limited support in macOS Sierra (10.12).  At the time of writing, APFS has no native support on Windows operating systems or in Windows forensic tools.

RECON IMAGER can create forensic images which can be processed and analyzed with RECON for macOS.

RECON IMAGER can also create “logical” copies of an APFS drive.  RECON IMAGER’s “logical” image can be imported by any forensic tool that supports adding directories or files (including Windows forensic tools).

5.2.Fusion Drives #

Some Macs use Fusion Drives, which “marry” two or more physical disks so that they appear as a single drive.  Originally the smaller disk was an SSD (for speed) and the larger disk was typically a traditional spinning-platter drive (for low-cost long-term storage).  Keep in mind that both disks in a Fusion Drive can be SSDs.

Forensic examiners are traditionally taught to image the physical disks.  That is still the correct approach with most other imaging utilities (such as PALADIN), but in order to see the directory structure of the Fusion “disk” in traditional forensic tools you would then have to manually mount both images on a Mac and re-image.  This is not necessary when using RECON IMAGER.

Because RECON IMAGER boots macOS, Core Storage (see below) “marries” the two disks of the Fusion Drive into a “single” virtual disk.  Imaging the “single” disk presented by Core Storage gives you a forensic image in which the files and directories can easily be seen by most forensic tools.

5.3.Core Storage #

Core Storage is the macOS implementation of Logical Volume Management (LVM).  Core Storage allows one or more physical disks (or partitions) to be presented as a single new disk.  Apple first used it to support Fusion Drives; however, Core Storage may also be in use on a Mac with only a single disk, for example when FileVault is enabled on an HFS+ volume.

RECON IMAGER will show you both traditional physical disks and Core Storage “virtualized” disks.  The Disk Manager lists a virtualized disk as “derived from” one or more Core Storage volumes.  For a Fusion Drive you will want to image the Core Storage “virtualized” disk (see the Fusion Drive Imaging section); for a single-disk Core Storage layout the physical disk is imaged instead (see Core Storage Imaging - Single Disk).

5.4.Apple Boot Camp #

Apple Boot Camp is a technology that assists a Mac user with installing a Windows operating system on a Mac.  Forensic images of the Boot Camp volumes can be created with RECON IMAGER.

5.5.FileVault #

FileVault (version 2) is macOS full-volume encryption; there is no backdoor.  A FileVault volume is unlocked and decrypted with a user’s login password or with the Recovery Key that was generated when FileVault was originally enabled.  RECON IMAGER can create a decrypted forensic image of a FileVault volume if you provide the user’s login password or the Recovery Key.  If you have neither, the disk or volume can still be imaged in its encrypted state, and the image can be processed later with RECON LAB if the password or Recovery Key is discovered.

6.Booting RECON IMAGER #

As with any new forensic tool, please test and validate RECON IMAGER before using on real evidence.

Additionally, please read all instructions and information included in this manual.  If you should have any questions or concerns please contact us.

6.1.Instant On - Portable Macs #

Be aware that newer MacBooks have an instant on feature.

Newer MacBooks will automatically boot when the lid is opened, or when power is connected while the lid is already open.

Be prepared to interrupt the boot process by holding down the ALT/OPTION key as soon as you open the lid or connect power.

6.2.Firmware Password #

A Mac can be configured with a boot-level password that prevents booting from any source other than the installed macOS.  This is known as a Firmware Password; it can be enabled or disabled by the user from the Mac’s Recovery Mode.

Before booting a Mac please familiarize yourself with the macOS Firmware Password option.

If a Firmware Password has been set, no startup key combinations other than ALT/OPTION will work.  If you see a lock icon and a password field after starting with the ALT/OPTION key, the Firmware Password is set.

You must enter the Firmware Password in order to see the boot options (including RECON IMAGER if it is attached).

Apple Certified Technicians are able to remove a Firmware Password that is unknown.

6.3.Connecting RECON IMAGER #

  • Make sure that you start with the Mac powered off.  
  • Identify how many ports and what type of ports that you have available on the Mac before you start.  
  • If there is only one port, use a high quality hub to add additional ports.  Keep in mind that low quality or non-Apple certified adapters are known to damage Macs.
  • If any of your drives have traditional spinning platters make sure that the hub you use has power connected or that your drive has its own power supply.  
  • RECON IMAGER can be inserted into any open port on the Mac itself or via a hub.

6.4.Connecting Your Destination Drive #

See the notes listing in “Connecting RECON IMAGER” regarding adapters, hubs and power.

It is recommended that you format or initialize your destination drive using RECON IMAGER if possible.

Once you have prepared the destination drive using RECON IMAGER, remove it and make sure that it mounts on your examination system.  This step is recommended because a drive formatted in one tool or environment may not be handled identically by another: some operating systems do not recognize, or work poorly with, a partitioning scheme created by a different operating system.

Once you have verified that your drive can be seen properly on your examination system then reconnect it to the system to be imaged.

6.5.Starting RECON IMAGER #

With the Mac off, connect RECON IMAGER to an open port, press the power key and immediately hold down the OPTION/ALT key.

You should see all boot options, including those provided by RECON IMAGER.  Review the supported hardware documented in this manual to choose the correct RECON IMAGER boot option for the Mac being booted.

Select the boot option that supports the Mac that is being booted:

  • RECON IMAGER – Default Macs
  • RECON IMAGER – Newer Macs

The Mac will start to boot after your selection.  Be patient as this may take a couple of minutes to boot.

After RECON IMAGER has completed booting you will see the window below.  Select the RECON IMAGER application and click the “Continue” button.

7.Using RECON Imager #

When RECON IMAGER starts you will have five (5) options to select from.  RECON IMAGER PRO has one additional option, for a total of six (6).

  • Disk Manager  – Displays the disks and partitions recognized by RECON Imager
  • Disk Imager  – The disk imaging interface of RECON Imager
  • RAM Imager  – The RAM imaging interface of RECON Imager
  • Logical Imager (RECON IMAGER PRO only) – The interface for automated imaging of macOS artifacts or selective imaging of files and folders
  • Shut Down  – Powers down the Mac
  • License Agreement  – Displays SUMURI’s License Agreement

7.1.Disk Manager #

The Disk Manager shows every device connected to the Mac in a software write-blocked environment.  The exact entries vary from system to system, but the screen identifies the following for each partition/slice:

  • Device  (the disk/partition identifier according to RECON Imager)
  • Model (description of the storage medium)
  • Size (the physical size of the disk/partition)
  • Type (the disk or volume type)
  • Name (volume name or description)
  • File System (the file system of the partition and/or FileVault encryption status)
  • Derived From (describes the parent volumes for virtualized or synthesized disks)
  • Mode (identifies whether the partition is mounted read/write or read-only)
  • Mount Path (identifies the mount path for the partition)

RECON IMAGER Disk Manager attempts to categorize disks and volumes by color for quick identification.

  • Physical Disks (e.g. “disk0”)  – dark grey
  • Logical Volumes (e.g. “disk0s1”, “disk3s2”)  – white or light grey
  • Apple Core Storage Logical Volume Family (e.g. “disk0s2” and “disk1s2”)  – orange
  • Apple Core Storage Logical Volumes (Fusion drive)  – yellow
  • APFS Volumes (e.g. “disk4s1”, “disk4s2”, “disk4s3” and “disk4s4”)  – light orange

7.1.1.Read-Write Status #

While RECON Imager is booted, all disks are write-protected.  Only the destination drive that you select when imaging is initiated is mounted read/write.

Within the Disk Manager display, drives with a red background are mounted read/write while drives with a green background are mounted read-only.

  • Volumes mounted read/write – red
  • Volumes mounted read-only – green

7.1.2.Refresh To Detect Changes #

If a drive is attached or disconnected at any time after RECON IMAGER has started, click the “Refresh” button to poll for new drives and to drop drives that are no longer present.

7.1.3.Formatting a Destination Drive #

RECON IMAGER allows you to initialize your destination drive.  Make sure you select the correct drive to format: RECON IMAGER will do exactly what you tell it to do, so use caution.

Select the drive you would like to initialize and choose “Format”.

You will have the option to format with the APFS, macOS Extended (HFS+) or ExFAT file system.

Once you have formatted your destination drive it is good practice to attach it to your examination system to confirm that it is detected.  Even though the file system is correct, your examination system may not recognize the partition scheme.  This is especially true of older operating systems.

Once you have confirmed that the destination drive is viewable by your examination system you can proceed with imaging.

We highly recommend using HFS+ (macOS Extended Journaled) or APFS for your destination drive file system as those systems are native to macOS and preserve Apple Extended Metadata.

To mount Apple native file systems within Windows consider using applications such as HFS+ for Windows by Paragon.

7.1.4.Decrypting A FileVault Volume #

RECON IMAGER can decrypt a FileVault 2 encrypted volume if you know the user’s password or have the Recovery Key.  From the Disk Manager, highlight the FileVault volume and select “Decrypt”.

You will be presented with a window where you can enter either the user’s password or the Recovery Key.  Once it is entered select “Decrypt” and the decrypted FileVault volume will be shown in the Disk Manager.

If the FileVault volume was on a macOS Extended file system (HFS+) a new decrypted volume will mount with a new disk number.

If the FileVault volume is on an APFS file system no new volume will mount; the existing volume is unlocked in place and keeps its disk number.

7.2.Disk Imager #

The RECON IMAGER Disk Imager allows the imaging of any internal disk(s) or any attached storage media including Macs in Target Disk Mode.  The options presented in the Disk Imager will change depending on what Image Type (output format) is selected.

7.2.1.Source #

The Source field allows you to select the source device (i.e. the suspect’s hard drive) to be imaged. 

If the drive was recently attached, select Refresh so RECON IMAGER has an opportunity to identify any newly connected disks.

WARNING – Please familiarize yourself with imaging Apple file systems.  There are a lot of factors which will affect your selection in the source and your choice of an output option.  An incorrect choice will lead to an unusable image.  Please follow the best practices suggested in this manual for different imaging scenarios.

7.2.2.Image Type #

RECON IMAGER supports a variety of image output formats so that the data can be imported into any modern forensic tool.  Before selecting your Image Type, check that the forensic tool you intend to use for processing supports the output you are generating.  Most forensic tools do not natively support Apple’s proprietary file systems.  SUMURI’s RECON LAB can process all Apple file systems without conversion and without losing important artifacts such as Apple Extended Metadata.

RECON IMAGER can produce output in the following formats:

  • dd (RAW) :  Bit-for-bit forensic copy of the source medium also known as a raw image.
  • EWF (E01) : Expert Witness Format – Version 1.
  • EWF2 (Ex01) : Expert Witness Format Version 2.
  • SMART (S01) : ASR Data’s version of EWF bitstream image.
  • DMG (dmg) : The native disk image format for macOS and the highly recommended image output.  This output is also a raw image that can be imported into any modern forensic tool.
  • Logical Image (Folder) :  A logical data extraction consisting of the readily present file system which is able to be used in both Mac or Windows forensic tools.
  • Logical Image (Tar) :  A logical compressed data image which maintains native timestamps.  This output is able to be used in most forensic tools.
  • Logical Image (Sparseimage) :  A logical compressed data image that can only be used within the Mac environment.

7.2.3.Compression Options #

Compression options are available for the Expert Witness formats (.E01, .Ex01) and ASR Data’s SMART image format (.S01).

  • none :  No compression (fastest)
  • fast :    Compression is minimal while imaging speed is maximized (fast).
  • best :   Compression is the most efficient, however, the imaging process will be prolonged (slowest).

7.2.4.Destination #

RECON IMAGER supports imaging to the following three file systems:

  • macOS Extended Journaled (HFS+)
  • Apple File System (APFS)
  • ExFAT

NTFS was not forgotten; it was intentionally excluded, since macOS cannot write to NTFS volumes natively.

Use the drop down to select the destination device (i.e. the practitioner’s hard drive that will store the image output).

If the drive was recently attached, select Refresh to allow RECON IMAGER to identify any newly connected disks.  

We strongly recommend imaging to an HFS+ (macOS Extended – Journaled) formatted destination drive if you intend to process macOS data.

An HFS+ drive can be utilized within Windows using HFS+ for Windows by Paragon Software.

7.2.5.Label #

Use the “Label” field to provide a unique name for your image output.  The label provided will be the name for the parent folder containing the image output and any logs.

Other than the Logical Image (Folder) option the name provided in the “Label” field will also be used for the image output files.

7.2.6.Segment Size #

RECON IMAGER allows certain image outputs to be segmented if necessary.  If the selected image output supports segmenting, the “Segment Size” checkbox will be active.

To segment the output, check the box next to “Segment Size” and enter the segment size in MB.

Segmenting is not available for the .dmg image output or any of the logical imaging formats.

7.2.7.Evidence Descriptor Fields #

Before imaging, optional identifying information about your source may be entered in Disk Imager.

  • Case Number – Enter a relevant case number.
  • Evidence Number – Enter a unique evidence/log number.
  • Examiner – Individual creating the image.
  • Description – Description of the media being imaged.
  • Machine Info – Enter any identifying information such as Make, Model, Serial Number, Color, etc. of the source being imaged.
  • Note – Any additional information relevant to the investigation.

7.2.8.Hashing and Verification #

Traditional Image Types

An MD5 and a SHA-1 hash of the SOURCE will be calculated for the following image types:

  • dd (RAW)
  • EWF (E01)
  • EWF2 (Ex01)
  • SMART (S01)
  • DMG (dmg)

For the traditional image types listed above you have the option of selecting “Verify after creation” within Disk Imager.

If selected, an MD5 and a SHA-1 hash will also be calculated for the OUTPUT.

A summary of the hashing will be displayed in a pop-up window at the completion of the imaging and can also be found in the logs within the image output folder.

Logical Image (Folder)

For the Logical Image – Folder option a hash can be calculated for both the “Source” files and of the files copied to the “Destination”.

Logical Image (Tar)

For the Logical Image – Tar option a hash can be calculated for both the “Source” files and of the .tar image created on the “Destination”.

Logical Image (Sparseimage)

For the Logical Image – Sparseimage option a hash can be calculated for both the “Source” files and of the files copied to the “Destination”.

Be advised that the hashing of every individual file during a “Logical” image WILL TAKE TIME.
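As an added illustration of the segmenting and verification workflow described above (example code written for this page, not RECON IMAGER’s own implementation), the Python script below streams a constructed in-memory “device” into fixed-size segments, hashes the source with MD5 and SHA-1 as it is read, re-hashes the output segments in order for the “Verify after creation” check, and writes a summary log from the evidence descriptor fields.  The segment size is in bytes rather than MB, the function names and the log layout are our own, and the final step deliberately corrupts one byte of the last segment to show the verification failing.

```python
"""Segmented raw (dd) image with MD5 and SHA-1 of the SOURCE computed while it
is read, plus the "Verify after creation" pass that re-hashes the OUTPUT
segments in order and writes the summary log.

Added example, not RECON IMAGER's code.  The source is a constructed in-memory
byte buffer standing in for a block device and the segment size is a few bytes
rather than MB so the demo runs offline in a temporary directory.
"""
import hashlib
import io
import os
import tempfile


def image_raw(source, dest_dir, label, segment_size, block_size=4096):
    """Stream `source` into dest_dir/<label>.001, .002, ... of at most
    segment_size bytes each.  Returns (segment paths, source md5, source sha1)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments, seg, written = [], None, 0
    for chunk in iter(lambda: source.read(block_size), b""):
        md5.update(chunk)                      # the SOURCE is hashed exactly once,
        sha1.update(chunk)                     # from the same bytes that get written
        while chunk:                           # a chunk may straddle a segment boundary
            if seg is None or written == segment_size:
                if seg:
                    seg.close()
                path = os.path.join(dest_dir, f"{label}.{len(segments) + 1:03d}")
                seg, written = open(path, "wb"), 0
                segments.append(path)
            piece = chunk[:segment_size - written]
            seg.write(piece)
            written += len(piece)
            chunk = chunk[len(piece):]
    if seg:
        seg.close()
    return segments, md5.hexdigest(), sha1.hexdigest()


def hash_segments(segments, block_size=4096):
    """'Verify after creation': hash the OUTPUT segments, in order, as one stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(block_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def write_log(dest_dir, label, descriptors, segments, source_hashes, output_hashes):
    """Summary log written next to the image (the layout is our own, not RECON IMAGER's)."""
    lines = [f"Label: {label}"] + [f"{k}: {v}" for k, v in descriptors.items()]
    lines += [f"Segments: {len(segments)}",
              f"Source MD5: {source_hashes[0]}", f"Source SHA1: {source_hashes[1]}",
              f"Output MD5: {output_hashes[0]}", f"Output SHA1: {output_hashes[1]}",
              f"Verified: {source_hashes == output_hashes}"]
    with open(os.path.join(dest_dir, f"{label}.log"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return "\n".join(lines)


def demo(segment_size=1000):
    """Image a constructed 9,988-byte 'device' into 1,000-byte segments, verify,
    then flip one byte in the last segment to show the verification failing."""
    device = bytes(range(256)) * 39 + b"TAIL"          # constructed sample data
    descriptors = {"Case Number": "2019-0001", "Evidence Number": "E-01",
                   "Examiner": "J. Doe", "Description": "constructed sample"}
    with tempfile.TemporaryDirectory() as dest:
        segments, md5, sha1 = image_raw(io.BytesIO(device), dest, "E-01", segment_size)
        output = hash_segments(segments)
        log = write_log(dest, "E-01", descriptors, segments, (md5, sha1), output)
        sizes = [os.path.getsize(p) for p in segments]
        with open(segments[-1], "r+b") as fh:             # simulate a corrupted destination byte
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        tampered = hash_segments(segments)
    return {"segments": len(segments), "sizes": sizes,
            "source_md5_ok": md5 == hashlib.md5(device).hexdigest(),
            "verified": output == (md5, sha1),
            "tampered_verified": tampered == (md5, sha1),
            "log": log}
```

Running `demo()` produces ten segments (nine of 1,000 bytes and a final one of 988), a source/output match on the untouched output, and a mismatch once a single byte of the last segment has been altered; the same stream-of-segments hashing is what lets a segmented E01 or raw image be verified without first reassembling it.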

8.APFS Imaging #

Most forensic tools do not natively support APFS; if you create a “traditional” (physical) image of an APFS disk, your forensic tool will not see the data.  Common forensic tools are starting to make progress with mounting non-FileVault APFS images.  However, FileVault is frequently enabled, since Setup Assistant offers to turn it on when macOS is installed.

Additionally, even if you can mount an APFS volume in a common forensic tool, you will have one of the following:

  • no access to Apple Extended Metadata
  • limited access to Apple Extended Metadata
  • limited parsing of Apple Extended Metadata

RECON LAB from SUMURI is the only tool that can identify and properly parse all Apple Extended Metadata.

Apple Extended Metadata is extremely important in macOS investigations.  Not looking at the Apple Extended Metadata is like a doctor performing surgery after only seeing half of the test results and scans.

There are two ways of imaging APFS.  One, is when you process with RECON LAB so you can see ALL the data.  The second is for importing into traditional forensic tools.

8.1.APFS Imaging to Process with RECON LAB #

APFS  – PROCESS IN RECON LAB

Source – Select the physical disk containing the APFS container and its volumes.  On a Mac with a single internal drive this is usually “disk0”.  Be careful not to select the APFS synthesized container disk.

Image Type – DMG

Another benefit of processing with RECON LAB is that you do not have to decrypt a FileVault volume before imaging; the encrypted physical image can be unlocked later in RECON LAB with the password or Recovery Key.

8.2.APFS Imaging to Process in Other Tools #

APFS – NO FILEVAULT – PROCESS IN OTHER TOOLS

Source – Select the volume containing the user data within the APFS synthesized container disk.

Typically there are four volumes (the user volume, Preboot, Recovery and VM).  Select the user volume; be aware that its name can vary.  The default is “Macintosh HD”.

Image Type – You have two options.

Option-1: Logical Image (Folder) – a logical copy of the files from the source to the destination.  The “Date Added” timestamp of each file will change because you are adding data to a new volume.

Option-2: Logical Image (Tar) – a logical copy of the files from the source placed into a compressed .tar archive, which preserves the original timestamps.  This option takes longer than Option-1.  Make sure your forensic tool supports adding a .tar archive file.
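To make the difference between the two options concrete, and to show how the “Hash Files” / “Hash Image” options of the Hashing and Verification section apply to a logical image, the following Python example (added here; not RECON IMAGER’s code) builds a small constructed user directory with back-dated modification times, produces both a folder copy and a tar archive, and verifies each against a per-file SHA-1 manifest of the source.  It models mtime only; the macOS-specific “Date Added” attribute and Apple Extended Metadata are not represented, and all function names are our own.  The tar side shows that each file’s timestamp travels inside the archive (pax headers) rather than depending on the destination file system.

```python
"""Per-file hashing for a logical image (the "Hash Files" / "Hash Image"
options) applied to the two outputs in Option-1 and Option-2: a folder copy
and a tar archive.

Added example, not RECON IMAGER's code.  The source tree is constructed in a
temporary directory with back-dated modification times.  macOS-only metadata
(Date Added, Apple Extended Metadata) is not modelled.
"""
import hashlib
import os
import shutil
import tarfile
import tempfile
import time


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """'Hash Files': relative path -> SHA-1 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha1_file(full)
    return manifest


def compare(source_manifest, dest_manifest):
    """Verification: files missing from the destination and files whose hash differs."""
    missing = sorted(set(source_manifest) - set(dest_manifest))
    changed = sorted(p for p in source_manifest
                     if p in dest_manifest and source_manifest[p] != dest_manifest[p])
    return missing, changed


def logical_folder(src, dest):
    """Option-1: plain copy of the files onto the destination volume."""
    shutil.copytree(src, dest, copy_function=shutil.copy2)
    return hash_tree(dest)


def logical_tar(src, tar_path):
    """Option-2: tar the tree; PAX format records each entry's mtime.
    Returns ('Hash Image' manifest read back from the archive, stored mtimes)."""
    with tarfile.open(tar_path, "w:gz", format=tarfile.PAX_FORMAT) as tf:
        tf.add(src, arcname=".")
    manifest, stamps = {}, {}
    with tarfile.open(tar_path, "r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = os.path.normpath(m.name)
                manifest[rel] = hashlib.sha1(tf.extractfile(m).read()).hexdigest()
                stamps[rel] = int(m.mtime)
    return manifest, stamps


def demo():
    old = int(time.time()) - 5 * 365 * 86400            # five-year-old timestamps
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "alice")               # stands in for /Users/alice
        os.makedirs(os.path.join(src, "Documents"))
        for rel, data in (("Documents/notes.txt", b"meeting at 9\n"),   # constructed files
                          (".bash_history", b"ssh host\n")):
            path = os.path.join(src, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (old, old))
        source = hash_tree(src)

        folder = logical_folder(src, os.path.join(work, "dest_folder"))
        # Simulate a file altered after copying (indexer, bad media): must be caught.
        with open(os.path.join(work, "dest_folder", "Documents", "notes.txt"), "ab") as fh:
            fh.write(b"x")
        folder_after = hash_tree(os.path.join(work, "dest_folder"))

        tar_manifest, tar_mtimes = logical_tar(src, os.path.join(work, "alice.tar.gz"))
        return {
            "files": sorted(source),
            "folder_ok": compare(source, folder) == ([], []),
            "folder_tampered": compare(source, folder_after),
            "tar_ok": compare(source, tar_manifest) == ([], []),
            "tar_mtimes_kept": len(tar_mtimes) == 2 and all(t == old for t in tar_mtimes.values()),
        }
```

`demo()` reports both outputs matching the source manifest, the single altered file in the folder copy flagged by name, and the five-year-old modification times recovered from the tar headers; hashing every file this way is exactly why the manual warns that a hashed logical image takes time.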

APFS – WITH FILEVAULT – PROCESS IN OTHER TOOLS

In the Disk Manager select the APFS user volume described above and click “Decrypt”.  Enter the password or the Recovery Key to decrypt the FileVault volume.

Once decrypted follow the steps listed above for imaging.

9.Core Storage Imaging - Single Disk #

CORE STORAGE – SINGLE DISK – NO FILEVAULT

Source – Select the physical disk which is usually “disk0”.  This can be identified in the Disk Manager.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).

CORE STORAGE – SINGLE DISK – WITH FILEVAULT

Use the Disk Manager to select the physical disk as described above and select the “Decrypt” button.  Use the password or Recovery Key option to decrypt the FileVault volume.

Once decrypted a new disk will mount.  In Disk Imager select the newly mounted decrypted disk to image.

Source – Select the newly decrypted mounted disk.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).

10.Fusion Drive Imaging #

FUSION DRIVE – NO FILEVAULT

Source – Select the virtualized physical disk which is usually derived from disk0s2 and disk1s2.  This can be identified in the Disk Manager.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).

FUSION DRIVE – WITH FILEVAULT

Use the Disk Manager to select the virtualized physical disk with the user data as described above and select the “Decrypt” button.  Use the password or Recovery Key option to decrypt the FileVault volume.

Once decrypted a new disk will mount.  In Disk Imager select the newly mounted decrypted disk to image.

Source – Select the newly decrypted mounted disk.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).

FUSION DRIVE – APFS macOS Mojave

Use the Disk Manager to identify the logical volume of the APFS Fusion drive.  The logical volume is displayed underneath the APFS synthesized container (disk2 in the image below).  If the Mac has FileVault enabled, decrypt that volume (disk2s1 in the image below) first.  At this time a physical image of a macOS Mojave (APFS) Fusion drive is not mountable; only logical images are.

Source – Select Fusion virtualized logical disk (it will be in the company of the Preboot, Recovery, and VM volumes).

Image Type – Logical Folder/Sparseimage/TAR.  Sparseimage is best for Mac-based forensic tools such as RECON LAB, while TAR is best for Windows-based forensic tools.
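The Source choices in the APFS, Core Storage and Fusion Drive sections above all follow from how the disks relate to one another, which is the same information the macOS `diskutil list` command prints and the Disk Manager shows in its “Derived From” column.  The Python script below is an added example, not part of RECON IMAGER: it parses a constructed `diskutil list` listing (the column layout is assumed to match macOS 10.13/10.14 and should be checked against a real Mac; the sample deliberately combines an APFS container with a Core Storage Fusion Drive, which would rarely appear together) and applies the rules of those sections to recommend a Source and Image Type for each layout, once for RECON LAB and once for other tools.  The parsing and recommendation functions are our own; `diskutil list` does not expose FileVault state, so the decrypt-first steps above still apply.

```python
"""Classify disks from `diskutil list` output and map each layout to the Source
and Image Type guidance of the APFS, Core Storage and Fusion Drive sections.
Added example, not RECON IMAGER code.  DISKUTIL_SAMPLE is constructed text
mirroring the column layout of `diskutil list` on macOS 10.13/10.14 (an
assumption; check against a real Mac) and combines an APFS container and a
Core Storage Fusion Drive in one listing."""
import re
from dataclasses import dataclass, field

DISKUTIL_SAMPLE = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.0 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            150.2 GB   disk1s1
   2:                APFS Volume Preboot                 45.1 MB    disk1s2
   3:                APFS Volume Recovery                510.0 MB   disk1s3
   4:                APFS Volume VM                      2.1 GB     disk1s4

/dev/disk2 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk2
   2:          Apple_CoreStorage Macintosh HD            121.0 GB   disk2s2

/dev/disk3 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk3
   2:          Apple_CoreStorage Macintosh HD            999.3 GB   disk3s2

/dev/disk4 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +1.1 TB     disk4
                                 Logical Volume on disk2s2, disk3s2
                                 Unencrypted Fusion Drive
"""

HEADER_RE = re.compile(r"^/dev/(disk\d+) \(([^)]*)\):")
ROW_RE = re.compile(r"^\s+\d+:\s+(.*?)\s+[*+]?[\d.]+ [KMGT]B\s+(disk\d+(?:s\d+)?)$")
KNOWN_TYPES = ("APFS Container Scheme", "APFS Volume", "Apple_APFS", "Apple_CoreStorage",
               "Apple_HFS", "Apple_Boot", "GUID_partition_scheme", "EFI")
APFS_SYSTEM_VOLUMES = {"Preboot", "Recovery", "VM"}


@dataclass
class Disk:
    ident: str
    kind: str                 # physical | synthesized (APFS) | virtual (Core Storage)
    volumes: list = field(default_factory=list)        # (type, name, identifier)
    derived_from: list = field(default_factory=list)   # Physical Store / Logical Volume on


def split_type_name(text):
    """Split the TYPE and NAME columns, which are separated by a single space."""
    for t in KNOWN_TYPES:
        if text == t or text.startswith(t + " "):
            return t, text[len(t):].strip()
    return text.partition(" ")[::2]            # unknown type: first word is the type


def parse_diskutil(text):
    disks, cur = [], None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            desc = head.group(2)
            kind = "synthesized" if "synthesized" in desc else "virtual" if "virtual" in desc else "physical"
            cur = Disk(head.group(1), kind)
            disks.append(cur)
            continue
        row = ROW_RE.match(line) if cur else None
        if row:
            cur.volumes.append(split_type_name(row.group(1)) + (row.group(2),))
            continue
        note = line.strip()                    # indented continuation lines carry parentage
        for prefix in ("Physical Store ", "Logical Volume on "):
            if cur and note.startswith(prefix):
                cur.derived_from += note[len(prefix):].split(", ")
    return disks


def physical_disk(ident):
    return re.match(r"disk\d+", ident).group(0)        # disk0s2 -> disk0


def recommend(disks, tool):
    """tool is 'recon_lab' or 'other'; returns (source, image_type, reason) tuples."""
    recs = []
    for d in disks:
        if d.kind == "synthesized":                                   # APFS container
            stores = sorted({physical_disk(p) for p in d.derived_from})
            users = [v for v in d.volumes if v[0] == "APFS Volume" and v[1] not in APFS_SYSTEM_VOLUMES]
            if tool == "recon_lab" and len(stores) == 1:
                recs.append((stores[0], "DMG", f"physical disk behind APFS container {d.ident}"))
            else:
                fmt = "Logical Image (Sparseimage)" if tool == "recon_lab" else "Logical Image (Tar)"
                why = "APFS Fusion Drive" if len(stores) > 1 else "APFS for other tools"
                recs += [(v[2], fmt, f"user volume '{v[1]}', {why}") for v in users]
        elif d.kind == "virtual" and len(d.derived_from) > 1:         # Core Storage Fusion Drive
            recs.append((d.ident, "DMG", "Core Storage disk derived from " + ", ".join(d.derived_from)))
        elif d.kind == "virtual" and d.derived_from:                  # single-disk Core Storage
            recs.append((physical_disk(d.derived_from[0]), "DMG", "physical disk behind Core Storage volume"))
    return recs
```

For the sample listing, `recommend(parse_diskutil(DISKUTIL_SAMPLE), "recon_lab")` returns disk0 (the physical disk behind the APFS container) and disk4 (the Core Storage Fusion disk) as DMG sources, while `"other"` swaps the APFS entry for a Logical Image (Tar) of disk1s1, the “Macintosh HD” user volume; Preboot, Recovery and VM are skipped.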

11.Imaging A Mac With A T2 Chipset #

Newer Apple MacBooks and the iMac Pro ship with the proprietary T2 chip, which adds extra layers of security.  One of these features prevents booting from external media.  This “secure boot” setting is enabled by default and can only be changed in Recovery Mode with an admin password.  At the time of writing, even after changing this setting to allow external media, RECON IMAGER cannot be booted from USB on these Macs.  We strongly recommend that you take your own forensic Mac with you to incident response scenes.

Research has shown that the T2 chip functions similarly to a Trusted Platform Module (TPM): the keys that encrypt the internal SSD never leave the chip, so a full physical image taken from a T2 Mac cannot be unlocked with the password on another system.  The examiner must instead obtain a logical data extraction from a T2 Mac.

If you attempt to boot a T2 Mac with RECON Imager, the following screen may appear:

You need the user’s password to image a Mac with the T2 chip.  Perform the following steps:

  1. Place the Mac with the T2 chipset into Target Disk Mode (TDM) by holding down the “T” key when starting the computer.  You should see symbols for the connection interfaces available displayed on the screen.
  2. Using a Thunderbolt cable, connect the T2 Mac in TDM to your own powered-down Mac (one capable of running High Sierra or later).  This is the Mac that will be used for imaging.
  3. Connect a destination drive for the image output and the RECON IMAGER USB.
  4. Boot your Mac with RECON IMAGER connected by holding down the ALT/OPTION key.
  5. Once RECON IMAGER has booted you should see the disks and volumes of the Mac in TDM within RECON IMAGER’s Disk Manager.  If FileVault is enabled, decrypt the volume with the user’s password as described in the Disk Manager section.
  6. Follow the instructions in this manual to create a logical image of the T2 chipset Mac in question.

12.Imaging Mac RAM #

RECON IMAGER allows you to image Mac RAM without the need for an admin password.  The RAM Imager only works within the RECON IMAGER boot environment.

To image Mac RAM on a live running system please use RECON TRIAGE which can be found on our website at SUMURI.com.

Many factors affect whether you obtain a usable image of Mac RAM.  Once power is removed, the contents of RAM begin to decay.  However, in our testing, if you are able to “restart” a running Mac, boot immediately into RECON IMAGER and then immediately image the RAM with the RAM Imager, you will most likely obtain usable data.

If the Mac has been powered down you may or may not obtain a usable image of the previous session’s RAM.  In our testing we have been able to recover a usable image from desktop Macs that were still plugged in.  For portable Macs it appears that once the Mac has been powered off, regardless of whether it is still plugged in, no usable RAM image is obtained.

We will describe the steps for imaging Mac RAM given the best case scenario below.

Mac is on and you have access to the Desktop

  1. Plug in your RECON IMAGER drive and your destination drive.
  2. Use the Apple Menu (upper left) to select “Restart”.
  3. Hold down the Alt/Option key during the restart to display boot options.
  4. Select the RECON IMAGER option which supports the Mac that you are booting.
  5. Use the RAM Imager to immediately image the RAM.

The RAM image that is created can be processed using RECON LAB or another tool of your choice.

Mac is on and you do not have access to the Desktop

Some older Macs can be forced to restart from the keyboard.  This does not work on Macs with a Touch Bar.

  • Command + Control + Power button – forces the Mac to restart.
  • Command + Control + Media Eject button – quits all apps and restarts the Mac.

12.1.RAM Imager Interface #

  1. To image the RAM from within RECON IMAGER select the RAM Imager option.
  2. Click “Refresh” to repoll any attached devices.
  3. Choose your “Destination” drive.
  4. Provide your image with a name in the “Label” field.
  5. Optional – Fill out the case information.
  6. Click “Start”.

Keep in mind that Mac RAM is protected by design, which can sometimes lead to unsuccessful imaging.

13.RECON IMAGER PRO #

RECON IMAGER PRO is an enhanced version of RECON IMAGER which provides the following extra features:

Selective Logical Imaging – The ability to select and image specific user accounts, folders and/or files.  This is useful if the scope of your data collection has been limited, or to save time by collecting only the data you need.

Automatic Artifact Extraction – RECON IMAGER PRO will automatically recover files and data related to a variety of macOS artifacts.

For example, if you want to extract Safari artifacts there is no need to manually locate the data.  RECON IMAGER PRO will automatically find files containing Safari artifacts and place them into the image to be processed later.

13.1.RECON IMAGER PRO Interface #

To start using Logical Imager select the volume where the files of interest are stored in the “Source” dropdown.  Fill in any of the optional case information and click “Select” to open the full Logical Imager interface.

Complete Checkbox – Select this option if you want to create a logical copy of the entire drive with one click.

  • Plugin Selection – Selecting any or all of these plugins will automatically recover the files containing information related to the plugin during the logical imaging.  Once created the resulting image can be added to RECON LAB for automated processing or you can process manually.
  • Users – Allows for the selection of individual users or all users on the volume selected.  Selected plugin artifacts will be captured for the users selected.
  • Select Files or Directories to Add – Use this to select as many files and directories as you want included in the logical image.  Once a file or directory is selected click “Add” to include it in the logical image.  Use “Remove” to remove a file or directory from the list.
  • Destination – Use this dropdown box to select your destination drive.  If you are using the “Logical” image type you should use a destination drive formatted as macOS Extended or APFS to preserve the Apple Extended Metadata which is important for your investigation.
  • Type (Image) – This is the format you would like to use to create your logical image.
      • Sparse Image – Puts your selected files into a .sparseimage file.  This file can be natively mounted on a Mac and can be processed by RECON LAB depending on what was selected for imaging.
      • Logical – Copies the selected plugin artifacts, directories and files to the destination logically.  If you want to preserve Apple Extended Attributes make sure the destination drive is formatted APFS or macOS Extended.  Choosing the “Logical” image type will allow you to import the data collected into most forensic tools.
      • TAR – A compressed logical data image that maintains native timestamps; it can be used in Mac or Windows forensic tools.
  • Label – Name for your forensic image.
  • Hash Files – This option will conduct a “pre-hash” of the files selected before the imaging.
  • Hash Image – This option will hash the image output.
  • Start – begins the imaging process.

Keep in mind hashing will extend the imaging time greatly.

14.Shutdown #

To shut down RECON IMAGER just select the “Shutdown” button in the menu.

You will be presented with a confirmation before shutdown begins.

15.Updating RECON IMAGER #

RECON IMAGER comes with one full year of updates.  After your license has expired you will be required to purchase an additional year in order to continue to receive updates.  RECON IMAGER will not “lock” if your license expires.

You can find your expiration date by clicking on the “License Agreement” button.

RECON IMAGER updates and this documentation can be found here:

https://goo.gl/7pcy25

Please ensure that you verify the downloaded files by hash value (i.e. MD5 and/or SHA1 hash values) against the values published with the download.  This can be done from the Terminal by running the md5 or shasum command.

Please follow the instructions below EXACTLY in order to properly update RECON IMAGER.

  1. You must have a Mac running macOS 10.10 or higher in order to perform the update.
  2. You also must be an Admin user and know your login password to perform the update. If you are a single user on a Mac you are an Admin. When RECON IMAGER prompts you for the password please enter your Mac login password to give the updater permission to run.
  3. To update RECON Imager download the latest dmg file from the above link.  You can find archive versions of RECON Imager in the “VERSIONS” folder.
  4. Double-click on the dmg file to mount the volume.  A window will open up that contains the RECON_Imager_Updater.app file. Drag the RECON_Imager_Updater.app to your desktop.
  5. Open the Terminal application on your Mac (/Applications/Utilities).
  6. Run the following command to prevent Gatekeeper from interfering with the update: xattr -c ~/Desktop/RECON_Imager_Updater.app  If you prefer not to type out the file path, type xattr -c (followed by a space) in Terminal, then drag the RECON_Imager_Updater.app icon into the Terminal window.  Then press Return on your keyboard.
  7. Connect the RECON Imager USB to be updated to your Mac.
  8. Double-click on the RECON_Imager_Updater.app and follow the instructions provided by the application.

In the event that a license is renewed, a SUMURI representative will email the updated license file to the examiner.  The examiner simply has to delete the old license file(s) from the root of each RECON Imager partition (Mode A, B, C or RECON Imager Newer Macs & RECON Imager Default) and then copy the new license file(s) to the root of those same partitions.

16.Support - Getting Help #

For support and troubleshooting please fill out a support ticket at SUMURI’s Help Desk:

sumuri.freshdesk.com

SUMURI is located in Delaware, USA and our offices are open 0900 – 1700 EST (9AM – 5 PM).  SUMURI offices are closed during US Federal Holidays.

Help Tickets are typically handled during regularly scheduled business hours.

For comments or feature requests please email us at:

hello@sumuri.com

17.Terms and Conditions #

RECON IMAGER

Copyright 2018 – SUMURI LLC

www.sumuri.com

IMPORTANT, PLEASE READ CAREFULLY. THIS IS A LICENSE AGREEMENT

This RECON IMAGER is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties.  This RECON IMAGER is licensed, not sold.

End User License Agreement

This End User License Agreement (‘EULA‘) is a legal agreement between you (either an individual or a single entity) and SUMURI LLC with regard to the copyrighted software (herein referred to as RECON IMAGER or ‘software’) provided with this EULA.  The RECON IMAGER includes computer software, the associated media, any printed materials, and any ‘online’ or electronic documentation.  Use of any software and related documentation (‘software’) provided to you by RECON IMAGER in whatever form or media, will constitute your acceptance of these terms, unless separate terms are provided by the software supplier, in which case certain additional or different terms may apply.  If you do not agree with the terms of this EULA, do not download, install, copy or use the software.  By installing, copying or otherwise using the RECON IMAGER, you agree to be bound by the terms of this EULA.  If you do not agree to the terms of this EULA, SUMURI LLC is unwilling to license the RECON IMAGER to you.

Eligible License – This software is available for license solely to software owners, with no right of duplication or further distribution, licensing, or sub-licensing.

License Grant – SUMURI LLC grants to you a personal, non-transferable and non-exclusive right to use the copy of the software provided with this EULA. You agree you will not copy or duplicate the software. You agree that you may not copy the written materials accompanying the software. Modifying, translating, renting, copying, transferring or assigning all or part of the software, or any rights granted hereunder, to any other persons and removing any proprietary notices, labels or marks from the software is strictly prohibited.  Furthermore, you hereby agree not to create derivative works based on the software.  You may not transfer this software.

Copyright – The software is licensed, not sold.  You acknowledge that no title to the intellectual property in the software is transferred to you.  You further acknowledge that title and full ownership rights to the software will remain the exclusive property of SUMURI LLC and/or its suppliers, and you will not acquire any rights to the software, except as expressly set forth above.  All copies of the software will contain the same proprietary notices as contained in or on the software.  All title and copyrights in and to the RECON IMAGER (including but not limited to any images, photographs, animations, video, audio, music, text and “applets,” incorporated into the RECON IMAGER), the accompanying printed materials, and any copies of the RECON IMAGER, are owned by SUMURI LLC.  The RECON IMAGER is protected by copyright laws and international treaty provisions.  You may not copy the printed materials accompanying the RECON IMAGER.

Reverse Engineering – You agree that you will not attempt, and if you are a corporation, you will use your best efforts to prevent your employees and contractors from attempting to reverse compile, modify, translate or disassemble the software in whole or in part. Any failure to comply with the above or any other terms and conditions contained herein will result in the automatic termination of this license and the reversion of the rights granted hereunder to SUMURI LLC.

Disclaimer of Warranty – The software is provided ‘AS IS‘ without warranty of any kind. SUMURI LLC and its suppliers disclaim and make no express or implied warranties and specifically disclaim the warranties of merchantability, fitness for a particular purpose and non-infringement of third-party rights. The entire risk as to the quality and performance of the software is with you. Neither SUMURI LLC nor its suppliers warrant that the functions contained in the software will meet your requirements or that the operation of the software will be uninterrupted or error-free. SUMURI LLC is not obligated to provide any updates to the software for any user who does not have a software maintenance subscription.

Limitation of Liability – SUMURI LLC’s entire liability and your exclusive remedy under this EULA shall not exceed the price paid for the software, if any.  In no event shall SUMURI LLC or its suppliers be liable to you for any consequential, special, incidental or indirect damages of any kind arising out of the use or inability to use the software, even if SUMURI LLC or its supplier has been advised of the possibility of such damages, or any claim by a third party.

Rental – You may not loan, rent, or lease the software.

Transfer – You may not transfer the software to a third party, without written consent from SUMURI LLC and written acceptance of the terms of this Agreement by the transferee. Your license is automatically terminated if you transfer the software without the written consent of SUMURI LLC. You are to ensure that the software is not made available in any form to anyone not subject to this Agreement. A transfer fee of $150 USD will be charged to transfer the software (not applicable to transfers associated with orders from distributors, or resellers or intra-company transfers).

Upgrades – If the software is an upgrade from an earlier release or previously released version, you now may use that upgraded product only in accordance with this EULA.  If the RECON IMAGER is an upgrade of a software program which you licensed as a single product, the RECON IMAGER may be used only as part of that single product package and may not be separated for use on more than one computer.

OEM Product Support – Product support for the RECON IMAGER is provided by SUMURI LLC.  For product support, please call SUMURI LLC.  Should you have any questions concerning this, please refer to the address provided in the documentation.

No Liability for Consequential Damages – In no event shall SUMURI LLC or its suppliers be liable for any damages whatsoever (including, without limitation, incidental, direct, indirect, special and consequential damages, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use or inability to use this ‘SUMURI LLC‘ product, even if SUMURI LLC has been advised of the possibility of such damages.  Because some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

Indemnification By You – If you distribute the software in violation of this Agreement, you agree to indemnify, hold harmless and defend SUMURI LLC and its suppliers from and against any claims or lawsuits, including attorney’s fees that arise or result from the use or distribution of the software in violation of this Agreement.

Jurisdiction – The parties consent to the exclusive jurisdiction and venue of the federal and state courts located in the State of Delaware, USA, in any action arising out of or relating to this Agreement. The parties waive any other venue to which either party might be entitled by domicile or otherwise.
