Skip to main content
Question

Full Disk Backup solutions?

  • April 22, 2022
  • 3 replies
  • 29 views
V
Forum|alt.badge.img+8

Scenario: An exec leaves the company and we get the laptop back. We need to re-use the laptop, but we also need to keep an archive of the whole drive - a bit copy of everything on the drive, including empty space, for legal reasons.

Cabon Copy Cloner doesn't seem to do it, according to Mike Bombich, as you have to sign in to the device and it excludes some files - thus is not a 'forensic backup' as things can be changed.

SuperDuper doesn't seem to do it either - 

Indeed. In fact, if it's a T2 Mac, a bit-level copy isn't likely to do you much good, since it won't be readable at all on anything. But, legal's gonna lega. -- Dave Nanian Shirt Pocket


We have a license for Acronis - but that doesn't let you use bootable media to back up a Mac completely:
https://kb.acronis.com/content/67784

Any ideas on a utility that will do a forensic backup of a Mac encrypted with FV2, and get readable files? Bonus points if we can buy one license and be able to back up multiple Macs.

    3 replies

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • April 22, 2022

    @VintageMacGuy You need to have your forensics team wake up and notice that the old ways of grabbing the data off a spinning blob of rust no longer apply to modern computers. They'll especially love M-series Macs where Target Disk Mode presents the Mac drive as a network share instead of being an attached drive.

    V
    Forum|alt.badge.img+8
    • VintageMacGuy
    • Author
    • Valued Contributor
    • April 22, 2022

    @VintageMacGuy You need to have your forensics team wake up and notice that the old ways of grabbing the data off a spinning blob of rust no longer apply to modern computers. They'll especially love M-series Macs where Target Disk Mode presents the Mac drive as a network share instead of being an attached drive.


    I tried being snarky to the machine, but it wasn't recognized as a valid command.

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • April 22, 2022

    I tried being snarky to the machine, but it wasn't recognized as a valid command.


    I don't know, I think when I had the discussion with my org's forensics team regarding the changes with T2 and M-series Macs that effectively rendered every tool they'd previously used for capturing Mac drive images obsolete they appreciated the snarky comments I made about the vendors who were promising they would soon have the same access for those Macs as they did for previous generations.

    If you want the no humor approach, perhaps forwarding the responses from Mike Bombich and Dave Nanian, two of the leading experts in Mac backups, might convince your forensics team that they need to adjust their requirements to reflect what is actually possible on today's Macs.

    Terms & ConditionsCookie settingsAccessibility statement