# Mac Imaging Made Easy with Fuji

## Metadata

- **Channel:** 13Cubed
- **YouTube:** https://www.youtube.com/watch?v=9ZkLdFodhzM
- **Date:** 18.03.2026
- **Duration:** 5:21
- **Views:** 1,607
- **Source:** https://ekstraktznaniy.ru/video/20311

## Description

🎉 New for 2026!

In this episode, we’ll look at Fuji — a free, open-source tool for performing live, logical forensic acquisitions of Mac computers (Intel or Apple Silicon). You’ll see how Fuji leverages built-in macOS tools to generate a DMG image, ready for analysis in your forensic tool of choice.

This video is an excerpt from the 13Cubed training course "Investigating macOS Endpoints." Visit https://training.13cubed.com to learn more!

🛠 Resources

Fuji:
https://github.com/Lazza/Fuji

## Transcript

### Segment 1 (00:00 - 05:00)

The following video is an excerpt from Investigating macOS Endpoints. Visit training.13cubed.com today to learn more about this and other comprehensive and affordable training courses from 13Cubed. And now let's learn how to use Fuji. We're currently on the Mac from which we want to create a disk image. There are no external drives connected yet, but I'm going to plug in a 1 TB USB SSD. This volume has been formatted as exFAT, which is required for Fuji. I've also named the volume Fuji, and I'll explain why in a moment, though that is optional. In the root, I've placed the Fuji DMG. So let's open that. And the first thing we're going to do is click on Full Disk Access settings URL. That's going to take us directly to System Settings, Full Disk Access. Here we can drag the Fuji app icon into this panel to grant Fuji Full Disk Access. That's going to be an obvious requirement if we want to use this tool to create a full disk image. Now that that's done, we can go ahead and double-click to open the Fuji app itself. We'll enter our credentials as prompted here. And then finally, we can see the Fuji app window. At the top, we have three areas of optional metadata. We have case name, examiner, and notes. In this case, I'm going to leave all three of these blank. Below that, we have image name. By default, the image name is going to be the serial number of this Mac followed by _Acquisition, with a capital A. Below that, we have the source location, which by default is going to be /System/Volumes/Data. That's where our user data lives and is going to be fine in almost every case. Though to the right, we can click browse if we want to change that. We could also click list of drives and partitions and choose something else here, like, for example, forward slash, or the root of the volume. But like I said, the user data is going to live under /System/Volumes/Data anyway. So that's going to be perfectly fine. Below that, we have output destination and temporary files.
Notice that both paths are set to /Volumes/Fuji. The reason for that is because I've labeled my external drive Fuji. When you do this, it automatically populates those paths by default, which saves a step. Of course, there's no requirement to label your drive Fuji, and you can easily change the path for either of those fields, but just know that it saves a step if you do that. Output destination is going to be the final location of our completed compressed DMG disk image and our acquisition log. And then, of course, temporary files will be the location where we have temporary files that are created during the imaging process. And that's really all there is to that. So, that leaves one thing, which is the acquisition method. By default, that's going to be rsync. We also have ASR and sysdiagnose and logs, which we talked about. We're going to choose ASR, or Apple Software Restore. Again, that's going to work great in many cases. And then we have play loud sound when acquisition is completed, which we'll leave checked. We click continue. And then we get an acquisition overview. Notice the only thing we see in red is the fact that the Mac is connected to the internet, as you can see under network check. That may or may not be ideal depending on your use case, but in this case, it's perfectly fine. Otherwise, I don't see any other red items, so everything looks good. And we'll click confirm. And now we are off to the races. Now, obviously, this is going to take a variable amount of time depending on how big the disk is and depending on how fast your destination media is. So, what we'll do is come back when this is done and take a look at the results. And as you can see at the top of the window in bright green text, it says acquisition completed. That's exactly what we want to see. If we scroll all the way to the top, we can see everything that happened throughout the acquisition. And if we scroll all the way to the bottom, the last line says acquisition completed.
Let's go ahead and open up our external volume. And in the root, you'll notice the acquisition folder. Within that folder, we have two files. The first is going to be the compressed DMG disk image itself. That's the main thing that we're looking for. In this case, the image is 243.7 GB. And then below that, we have a text file, and that's going to be our acquisition log. Notice at the top, we have some metadata, including the start time, end time, the source, the acquisition method, and whether or not this acquisition was running in recovery mode. And of course, below that, we have quite a bit of additional metadata, including software. Then we have hardware. Below that, you're going to see NVMExpress, on this Mac anyway. And notice that we have the Apple SSD controller itself. We have a large metadata section for volume, which shows all of the volume metadata. And finally, at the bottom, we have the computed hashes for the compressed DMG disk image itself, which forensically would be very useful to note in a report as an example. Okay, so that's really all

### Segment 2 (05:00 - 05:00) [5:00]

there is to it. I think you'll agree that using Fuji is quite straightforward and easy. The user interface really is extremely intuitive and really with just a couple of clicks you can create a disk image in no time on a Mac. So this is an extremely valuable forensic tool. And with that said, that wraps up our lesson on Fuji.
