Skip to content

Acquire Profiles

  • Make sure all requirements above are met
  • Login as an admin into the target Mac computer
  • Connect the LLIMAGER drive that contains the copy of the llimager.app and license key file (llimager.lic)
  • Connect the destination disk (as needed)
  • On your USB SSD, navigate to /llimager and double-click on “llimager.app” and once it launches, enter a local admin password and click the button.

LLIMAGER open screen

• On your USB SSD, navigate to /llimager and double-click on “llimager.app” and once it launches, enter a local admin password.

LLIMAGER initial menu screen

• Make sure to review the "Best Practices Checklist" and click OK when done. Then select the type of image you want to make

LL*IMAGER* Select the type of image

LLIMAGER Menu Options

Full File System

This option is equivalent to a full file system and allows the entire process of imaging the computer’s hard disk volumes’ active space, saving the image to a Mac sparse image container and then conversion of the image to a compressed DMG file, and calculating the hash value of the DMG file. During the process, there will be an option to fully automate the process by creating the final DMG or to just generate the sparse file.

Targeted

This option allows the imaging of targeted files/folders on the computer’s hard disk, saving the image to a compressed read-only DMG file, and calculating the hash value of the DMG file. It includes granular selection of documents and folders based on custom file types (extensions) and file system dates such as the birth time (creation), modified, accessed and the change time (inode delta). Moreover, profiles are available to save selections for future jobs.

Time Machine

A Time Machine-based disk image of the near-full data volume, including Trash folders, can be created using this feature. Unlike standard Time Machine backups, LLIMAGER 6.0 includes all Trash folders, which are typically excluded, and packages the image into a single DMG file. Note, Time Machine omits specific system, log, and cache files, thus this option is better suited for e-discovery rather than digital forensics workflows.

Convert/ Hash

This option allows the process of converting a sparse image file to a compressed DMG file, and to calculate the hash value of the DMG file.

Send to Cloud

Allows uploading of images to AWS, Google Cloud or Microsoft Azure using authentication keys and giving option to securely saving credentials for future uploads. Note, you can preview the upload speed on the environment where the upload process will be occurring.

User Profiles

This option allows the imaging of targeted user profile(s), saving the image to a ZIP or DMG file, and calculating the hash value.

Exit

This option will exit the application.

Creating Evidence files

The core workflow of the LLIMAGER app encompasses evidence capture, DMG file generation, and the creation of a signed, tamper-protected PDF log.

Before You Begin

  • Confirm you are logged in the target Mac computer with valid local admin credentials
  • Make sure you have enabled full disk access for the LLIMAGER app

Step 1 — Start a Profile Acquisition Session

  1. Click the Profiles icon.
  2. The acquire Profiles form will appear.

Aside from Targeted collections, LLIMAGER offers a forensic collection of user profiles from macOS systems.

The application presents a list of all available user profiles on the target system, allowing the examiner to select one or more profiles for extraction. Upon selection, the chosen profiles are collected and packaged into a single archive. Users can choose between two archive formats: ZIP or DMG (Apple Disk Image). This functionality enables efficient and comprehensive collection of user data for forensic analysis; see below:

LLIMAGER 6.0 Acquire Profiles LLIMAGER 6.0 Acquire Profiles