Forensically Imaging a Mac Laptop for BitCurator Exploration

[Original post by Amanda Visconti. Minor updates in July 2018 to resolve outdated links and media.]

Let’s say a digital beauty like this makes its way into your collection:

The lid of the Larsen laptop is covered in flower and lace doily decals.
The lid of the Larsen laptop is covered in flower and lace doily decals.

BitCurator can aid us in such investigations by freeing Larsen’s laptop data from its storage media (which will fail eventually), capturing important contextual details about Larsen’s original work environment, and helping to ensure the authenticity and integrity of files during forensic processing (see this page on how BitCurator fits into existing archival workflows, or this page on how the individual tools making up the BitCurator suite address particular archival concerns, for more information on what BitCurator can do).

To use BitCurator, we’ll need to figure out how to connect the laptop’s hard drive to the BitCurator environment; this post will explore how you can similarly image your Mac laptop for digital forensic work.

Why is it difficult to image an internal Mac laptop drive?

You can get to work quickly with BitCurator if you’ve got a digital device ready to be connected to your computer: an external hard drive or removed internal hard drive, a floppy disk port, a USB stick, or other devices and the cables to attach them to your host machine.

With a Mac laptop, however, the device isn’t as easy to get at. If it’s a working, explorable laptop, as with Larsen’s, there’s a risk to that working status associated with temporarily physically removing the drive for imaging via a SATA cable—so we’d like to avoid opening the laptop up if possible, and find some other way of imaging the drive.

Mac in target disk mode.
Mac in target disk mode.

Imaging the laptop hard drive by connecting one of its exterior ports (e.g. USB) seems like the way to go, but Macs are finicky about showing up as drives on other computers.

If you want to see your Mac laptop as a drive mounted on another computer (and thus be able to image it), you’ll need to set the laptop to something called Target Disk Mode:

Target Disk Mode Steps

  1. The laptop to be imaged (e.g. our Larsen laptop) should be turned off.
  2. Hold down the t key and turn the laptop to be imaged on.
  3. Continue to hold down the t key until the target disk mode image appears on the screen (see photo example).
  4. You can now attach the target disk via firewire cable to a machine with BitCurator running in a partition, and the Mac laptop should show up as a connected drive like any other connected device.

Unfortunately, target disk mode can only transfer data over a firewire; using other ports/cables such as USB will not work. This presents three problems:

  1. Both your laptop and the machine running BitCurator must have firewire ports to allow for the firewire
  2. You’ll need to be running BitCurator on a partition and not as a virtual machine, as VirtualBox can’t handle firewire input
  3. If you want to use a hardware write-blocker, it will need to have both firewire input and output

This use case is Mac plus laptop-specific: that is, desktop Macs don’t use the compact unibody design of the laptop, so it’s far easier to open the case and connect the hard drive to a machine running BitCurator (thus there is no need to adopt Target Disk Mode). And non-Mac laptops will show up as image-able drives on other machines automatically, without the special needs of the Mac Target Disk Mode.

Our Choice: Imaging with BitCurator on a Partition

Imaging the Larsen Mac laptop using a firewire and PC partitioned with the BitCurator Ubuntu.
Imaging the Larsen Mac laptop using a firewire and PC partitioned with the BitCurator Ubuntu.

Why? We had the necessary components to let BitCurator recognize the Mac laptop as a drive: a firewire cable, a firewire port on the Larsen Mac, and a firewire port on a PC partitioned with BitCurator.

Our hardware write-blocker (WiebeTech Forensic ComboDock), used to protect devices from being written to while we're imaging them.
Our hardware write-blocker (WiebeTech Forensic ComboDock), used to protect devices from being written to while we’re imaging them.

We weren’t able to use our usual hardware write-blocker, as it only takes firewire input but doesn’t output it; BitCurator incorporates a feature that can mount devices safely, however, so we were still able to protect the device from being written back to. Follow these instructions to safely mount devices in BitCurator.

The software write-blocker safely mounts the laptop as a drive.
The software write-blocker safely mounts the laptop as a drive.

Next, we used BitCurator’s bundled Guymager software to forensically image the laptop (see these instructions or this video for steps to use Guymager yourself.) This produced a forensic image of the laptop, which we’ll be further exploring with BitCurator in a future post.

Using BitCurator's Guymager instance to forensically image the laptop.
Using BitCurator’s Guymager instance to forensically image the laptop.

In another future post, I’ll discuss an alternative approach for those of you who couldn’t follow these instructions (e.g. no firewire port, no BitCurator running on a partition).

Send us your suggestions for other difficult-to-image use cases and we’ll cover them in future posts!

Amanda Visconti is a MITH graduate research assistant on the BitCurator project, where she creates user-friendly technical documentation, develops and designs for the web, and researches software usability. As a Literature Ph.D. candidate, she blogs about her digital humanities work regularly at

BitCurator Version 0.8.4 Now Available

Hello everyone,
The latest release of the BitCurator environment (0.8.4) is now available on our release portal. Direct links and MD5 checksums can be found on the wiki, or you can follow the links below:

The BitCurator Virtual Machine – 2.5GB
The BitCurator Installation ISO – 2.2GB

This release includes a range of stability updates and bug fixes. Items of note:

– Floppy disk drive access restored. This had become disabled in the previous release due to a system update to the Ubuntu core.
– Installation bug preventing complete installation on laptops with certain types of webcams fixed.
– File system output in Excel format now includes file format identification field.
– BitCurator configuration file (in /etc/bitcurator/bc_report_config.txt) and supporting software module updated to simplify tuning of report file output. Additional documentation to follow on the wiki.

– VirtualBox additions updated to 4.3.10. Our updated Quickstart guide can be found on the release portal, or in the Documentation folder on the BitCurator environment desktop.

As with previous releases, this environment is built on a 64-bit version of Ubuntu and may be unstable on certain 32-bit host operating systems, or host hardware with less than 4GB of RAM. Please don’t hesitate to post here if you have questions!

BitCurator Webinar Series: Announcing a Second Session on Digital Forensics Metadata

Due to the interest in this topic, we have added a second session of this webinar to be held on Thursday, April 17th at 11:00am Eastern Time.

Join us for BitCurator’s monthly webinar series on applying digital forensics tools and methods to the preservation of born-digital materials in collecting institutions. The webinar will be held on Thursday, April 17th at 11:00am Eastern Time. You can register for the webinar at

This month’s webinar will focus on BitCurator and metadata output, including the following topics:

  • Metadata produced by the image capture process
  • File system metadata
  • An overview of DFXML and export capabilities
  • PREMIS event system metadata
  • How BitCurator-generated metadata fits into your archival workflow

There are no prerequisites for this webinar; however, it is designed for users already familiar with the basic operations of the BitCurator environment. The webinar will be roughly one hour with 10 minutes for Q&A at the end.