This is the second post in my series on different ways to image a Mac. My first post was on how to image a Mac with a bootable Linux distro. This post will cover another option, creating an image by booting a Mac into single-user mode. I plan on following up this post with posts on creating a live image and how to mount and work with FileVault encryption after an image is complete.

Single-user mode is a limited shell that a Mac can boot into before fully loading the operating system. In single-user mode, the internal hard drive is mounted read-only and a limited set of commands is available. Once in single-user mode, a USB drive can be attached and dd can be used to create an image. In order to mount the USB drive, the internal drive needs to be changed to read/write to create a mount point. While not as forensically sound as using a write blocker or booting into a Linux distro, fewer changes are made than fully booting the operating system to take a live image. This may be a good option where it is acceptable to get a live image, but the examiner wishes to minimize changes to the hard drive. Another benefit is that if there is FileVault encryption, the encrypted drive is decrypted after a username and password are supplied.