8/16/2021»»Monday

Live Linux Usb For Mac

8/16/2021
One thing I've learned when it's comes to imaging Macs is it's good to have options. When encountering Macs, its seems like there is always a challenge. No firewire ports for target disk mode, no easy way to remove the hard drive, or if the the hard drive is removed, you don't have the specific adapter needed to connect your write blocker to the drive.. and of course, encryption. I am planning on doing several blog posts about different ways to image a Mac. Depending on the situation, some may work, some may not, but I just wanted to throw some options out in the Google soup mix.

If you want to use your USB stick with an Apple Mac, you will need to restart or power-on the Mac with the USB stick inserted while the Option/alt (⌥) key is pressed. This will launch Apple’s ‘Startup Manager’ which shows bootable devices connected to the machine. LinuxLive USB Creator Powerful yet easy-to-use. LinuxLive USB Creator is a free and open-source software for Windows. It will help you in your journey of discovery with Linux. For you, LiLi creates portable, bootable and virtualized USB stick running Linux. Download and Discover. How to create a Mac bootable live Linux USB on Windows? I'm trying to create a bootable linux live USB that will work on a MAC (by holding the option/alt button down while booting)OSX Lion 10.7.something. This USB must be created on a PC however. Windows 7 or 8, it doesn't matter which one I use.


The first option I am going to go walk through is imaging a Mac with a Live Linux bootable USB. Many times cracking open something like a MacBook Air to grab a hard drive requires special tools and adapters which may not be readily available. If the Mac is already powered off, booting the Mac with a live Linux distro may be a good option. Once booted into Linux, an imaging tool with a GUI, like Guymager, can be used to create an image in E01 or dd format.
For this post, I have selected the CAINE distro. CAINE stands for Computer Aided Investigated Environment. This distro was made specifically for computer forensics. Upon boot, CAINE 'blocks all the block devices (e.g. /dev/sda), in Read-Only mode.' The examiner must take active steps, which includes nice big warnings, to turn off this feature.
While I did get Kali to work, it did not seem to offer the extra protection that CAINE did to keep the examiner for inadvertently mounting the wrong drive. If you are interested in making a Kali bootable USB drive for the Mac, I have included some brief instructions at the bottom of the post.
This method was tested with CAINE 7.0, Rufus 2.9, and a MacBook Air Early 2015 model
Create the Bootable USB
The first step is to create a bootable USB drive on a Windows machine. Download the CAINE iso and Rufus. Rufus is the Windows program that will create a bootable USB drive from the iso. Simply launch Rufus and select the CAINE iso as well as a blank USB drive bigger than 4GB. (NOTE - I tried various other tools to create the bootable USB drive, and not all of them worked when it came time to boot the Mac. Thanks to @APFMarc for the tip on Rufus). Below is a screen shot with the settings I used:
There was a pop up dialog box when I clicked start asking me to choose to write in ISO image mode or DD Image mode. I used the default, which was ISO mode.
Boot into LinuxLinux
Once completed, this USB drive can be used to boot the Mac. In order to boot a Mac from a USB device, it must be put into Startup Mode. This is done by holding down the Alt/Option button when the systems boots. Once in Startup Mode, the boot device can be selected. The CAINE USB should show up as the EFI Boot choice:

After CAINE boots, choose the 'Boot Live system'. If all goes well, the following desktop should appear:

Linux Live Usb Persistent Mac


CAINE has a utility called Mounter, which is located in the task bar. It's the tiny icon circled above. Double clicking this icon brings up a dialog box that shows which block devices are currently mounted:

Create Linux Bootable Usb Mac


As demonstrated in the screen shot above, the only device that is currently mounted is the USB containing the CAINE distro (Shown as CAINLIVE). Running the df command also confirmed this:
The reason I like CAINE is that it does not let the examiner inadvertently mount a drive by accidentally clicking on something. For example, when I double clicked the Macintosh HD it gave me an error:

From the CAINE website documentation:
This new write-blocking method assures all disks are really preserved from accidentally writing operations, because they are locked in Read-Only mode.
If you need to write a disk, you can unlock it with BlockOn/Off or using 'Mounter' changing the policy in writable mode.
I personally prefer this extra layer of protection.
Mount the USB drive that will hold the image
Next, an external USB drive is needed to dump the image on. This external device needs to be mounted writable so the image can be placed on it. To do this, Read only mode needs to be turned off for any newly attached devices by using the Mounter program. Right clicking the Mounter icon in the task bar brings up the following dialog box:
I know this looks scary, all in red and what not, but clicking it brings up another dialog box confirming that this action will only make newly mounted devices writable, which is what is needed so the image can be dumped to the external drive:

After selecting Yes, a brief confirmation message pops up and the icon in the tray also turns red indicating the current status:
The next step is to plug in the USB drive that will contain the image. I named my external USB drive 'Images' and formatted it with NTFS on a Windows system before beginning this process (FAT32 will work as well, just be aware of the 4GB file limit). Once the drive is plugged in, it can be mounted by opening up the 'Caine's Home' folder on the desktop and double clicking the drive. This will mount the drive to /media/CAINE/YourDriveName:

Now the drive can be accessed to create folders, dump the image to etc. Note - if I try and do the same with the other devices on the host drive (e.g. BOOTCAMP and Macintosh HD), it will give me an error, thereby preventing me from accidentally mounting them.
Use Guymager to create the image
Now that the external USB drive is mounted, Guymager can be started to to create the image. Guymager is found on the Desktop, or under Menu>Forensic Tools>Guymager.
Once launched, select the device that needs to be imaged by right clicking it. In this example, the drive I want is the 'ATA Apple SSD SM0256G':
The next step is to fill out all the requisite image data:

Once started, the previous table will show a status on the imaging process. When the image is complete Guymager will create a log file in the same directory as the image. An interesting tidbit - a while back, Eric Zimmerman did some testing on various imaging tools, and Guymager was one of the fastest :)
Kali live Linux bootable USB for Mac
So far, I've only found one method that works consistently to boot into Kali Linux on a Mac (at least on my test Mac). That method is to use the Mac Linux USB Loader on a Mac to create the bootable USB.
There is a video here that has step by step instructions for the Mac Linux USB Loader, but it's pretty straight forward to use. The basic steps are 1) Download Kali Linux; 2) Using Disk Utilities on Mac to format a USB drive with Fat32 and MBR; 3) Run Mac Linux USB Loader and select the Kali Iso; 4) Choose Kali from the distro type
You can now boot into Kali and use Guymager on a Mac using the same steps I detailed in the sections above. One very important thing to note - using this method will automatically boot you into the Kali Live environment and you will not be given the choice for the Kali Linux Forensics Mode.
In my limited testing it does not appear to mount the host drive, or make any changes to the drive. It also does not have the additional steps and warnings when it comes to inadvertently mounting drives that CAINE does. The Live version will also auto-mount plugged in USB devices. Proceed at your own risk, and as they state on the Kali website:
If you plan on using Kali for real world forensics of any type, we recommend that you don’t just take our word for any of this. All forensic tools should always be validated to ensure that you know how they will behave in any circumstance in which you are going to be using them
Echoing these same sediments, although I have walked though a method of imaging a Mac from a live Linux distro, please test and validate before using either of these methods in the the real world.
Happy Mac-ing!

Take your Favorite Portable Linux Desktop with you!
Install, Boot, and Run Linux from USB. Your Portable Linux OS toolkit.

Most Popular ToolYUMI – Your Universal Multiboot Installer
2nd most PopularUUI – Universal USB Installer

Easily install your favorite Linux operating system on a bootable usb key or flash drive no larger than your thumb (aka thumb drive). Your Portable Linux operating system can then be taken with you and will consequently run from any computer that can boot from the usb flash device. With YUMI, you can even bring multiple operating systems, diagnostic utilities, antivirus scanners, penetration testing, backup tools, and more with you. Resulting in your very own custom pocket diagnostic toolkit.

Quicktime mp4 codec. In that case, you need to install an older version of QuickTime 7 or similar software to be able to use 3rd party codec plugins to play the.avi and other non-Mac files. Download QuickTime Player 7 for Mac OS X v10.6.3 or later. For plug-ins or components, you can find several third-party plug-ins on the web to view AVI videos via QuickTime 7, no matter what the video codec is used under the.avi container. Perian is one stop codec resource on Mac similar to K-Lite Codec Pack on Windows. Perian is a free, open source, QuickTime component that extends QuickTime support for many popular types of media, including MKV, FLV, WMV, AVI, DivX, and XviD. How to download and install K-Lite Codec for Mac – Perian? Perian is just 3 MB in size. Global Nav Open Menu Global Nav Close Menu; Apple; Shopping Bag +.

Pendrivelinux provides simplified information to make it easy for anyone to install, boot, and run their favorite Linux Distro from a portable flash drive!

Recently Updated or NEW USB Linux Posts
  • UPDATED (Oct 26, 2020) YUMI - Multiboot USB Creator
  • UPDATED (Oct 14, 2020) Universal USB Installer - Easy as 1 2 3
USB Linux Flash Drive Creation from within Windows
USB Linux Flash Drive Creation from a running Live Linux CD
Virtual Machine Emulation (Running Linux Within Windows)
Bootable USB Software Tools (Linux or Windows Based)