Monday, February 8, 2016

Apple Time Capsule: imaging and data extraction


Imaging a Time Capsule
  1. Tear down the Time Capsule (iFixit provides a detailed guide)
  2. Clone the Time Capsule hard disk to another hard disk (drive-to-drive copy). I used a hardware duplicator for this step. You'll need the cloned drive later.

Data preview

In my case the sparsebundle files were stored in "/volumes/Backup/ShareRoot". FTK Imager will just show a number of files of 8 MB in size.


Data extraction

Prerequisites

Steps to follow
  • Connect the cloned drive in RW mode to your Mac and choose not to use it as a Time Machine drive.
  • Connect to your Mac an additional drive of the same capacity as the Time Capsule drive. In case your Mac doesn't have enough USB/FW ports, you can copy (drag and drop) the sparsebundle files to the internal drive on your Mac.


  • Mount a sparsebundle file in RO mode by typing in the terminal:

         hdiutil attach -readonly yourfilename.sparsebundle

  • List now all connected drives:

         diskutil list

  • Clone the mounted sparsebundle to your destination drive (you must be root for this):

         dcfldd if=/dev/diskMountedSparseBundle of=/dev/diskDestinationDrive conv=noerror,sync


Once finished with dcfldd, unplug the destination drive. As a final step, capture a compressed forensic image of the destination drive. A compressed E01 image will be more or less the same size as the relative sparsebundle file.

You have to repeat all the steps for each sparsebundle file.

If you know a quicker way, please let me know.


No comments:

Post a Comment