Yes that is Macquisition (review here) booting up, but that is outside our budget

 so lets look elsewhere.

If you look in the top left, you can see that the glass is cracked, but the LCD panel underneath is perfect.  It is barely noticeable if you are old and blind like me - a machine like this is worthless to your average consumer, so thats where bargains can be had.

Your hands are safe as well, there is some form of laminate film that sits over the screen, so you can claw away at the cracks all day - you can't cut yourself.

Be a Cheap A*s at Home - but not in the lab!

Obviously if you work in a lab - don't buy anything that could put your employees or colleagues at risk, a law suit for eye-strain or some other random injury is not what we are trying to achieve here - use common sense when purchasing machines!

You don't have to be a total peasant like me, you can spend a little more and get a machine without a cracked screen or cosmetic damage for around £225/$300/€270.

Take Your Mac to the big Screen:

You can buy an adapter online for £5/$5/€5 from Ebay that will let you output the display on any of these machines to HDMI, VGA and DVI, so you can hook these bad boys up to any huge widescreen monitors you have in the lab, hide the budget machine in a cupboard and do Mac forensics like a boss.

Quality is crisp when using these cheap adapters (its a digital connection with DVI and HDMI), I've had no issues, just remember to buy two for redundancy!  This link gives you an example of what I am talking about over on Ebay.

Take a look at this little fella;

Apple = No Bang for Buck:

Apple machines in my opinon have always been overpriced and provide little bang-for-buck.

To crystalise my disdain for this brand, I would not buy a new Apple machine for all the tea in China (and that's a lot) - you get the picture here, I'm no fan boy.

Check out Linus's show and tell video with the new Mac Pro - you can see just how much margin Apple actually makes on its shiny new products (you will be gobsmacked).

The thing is,  if consumers desire an Apple product, they will buy it, regardless of how much Apple rips them off for it - its their business model and it works very, very well - just look at their stock price and profits!

Like lemmings jumping off a cliff in that old Amiga game from the 1990's.

Some Used Machines are Better Than Others:

Certain Apple computers from a few generations back are built well - very well - and they will go on and on and on, day in, day out.  Why is this ?

Component quality and cooling.  

If you buy the right machine - it will work for years on end, however, if you buy the wrong machine (one with a design flaw for example, or one that is full of dust as it has sat on the desk of a chain smoking mob boss in lower manhatten for years) - it is not "if" its going to break down, its "when".

Apple has had lots of issues in the past - for example, Nvidia graphics chips in Macbooks.  After after a finite period of time, the solder on these chips cracked and caused the GPU to stop working. 

Then as soon as they rectified something (usually with a new generation of machine), another problem came along - such as batteries puffing up to the poiint they were damaging the track pad and internal components on certain Macbooks.

You then have the exposure of Apple's klandestine "build it to fail" methods of making sure a machine fails outside of the warranty period.  For example, they put under-rated resisitors in a circuit that eventually (and safely) burns out - rendering the machine unusable.  Component level failures would require the Apple store to recommend a new logic board, which often can cost almost as much as a new machine.

A higher value resistor would ensure trouble free operation for years, but no - thats not how Apple makes money.  Check out the champion of exposing Apples dirty practices-  Louis Rossman who owns a repair shop in New York - you can find him at 186 on 1st, if he can't fix it - nobody can. 

So this all sounds pretty negative huh ?

There are some really good machines out there to be had for cheap, so don't let all that put you off an adventure into used Macland.  If you are unsure what machine to get, copy me!

Portability = Macbook Pro

For portability, go for a Macbook Pro laptop (2012 at the earliest, 2015 onward ideally).  These have lots of ports built in and have more powerful CPU's than their lightweight Mac Air brothers.

I roll with a pair of these in my field kit - they are bulletproof (2012 editions) and have never let me down.

Lab Based = iMac

For a lab based machine, go for a 21.5" and up iMac (Same date range again).  These have decent sized screens (up to 27") and a decent number of USB 3 ports.

All of the above come with Thunderbolt 2 ports in addition to the USB3's.

Don't Touch with a Barge Pole:

Mac Minis:

Nasty - Avoid

- They overheat as they are literally like dust hoovers.

- For what you get, they are overpriced.

Mac Pro:

Looks like a cheese grater.

- Overpriced (they hold their value in the used market)

- You will need to buy a relatively recent one to run Catalina

At the prices we are going to be paying here for used machines, we are not going to stress too much if something fails in six months or a year - the revenue generated from Apple forensics will pay for these machines many many times over.

How do I know? - I've been doing this for the past ten years.

Why are Older Machines so Cheap ?

Older machines quickly become undesirable, as they go out of fashion as quickly as my parents bell bottomed trousers did.  This is how you can get an amazing bargain and kit out your lab for pennies.

Two generation old iMac's have thick casings and big borders around their displays - that makes them look dated.  Macbook's that are last gen also look thick, bloated and are heavy when compared to their sleek  next-gen replacements.

I swear that if Apple makes the Mac Air any thinner, you will cut yourself on it.

Consumers don't want last gen models, they don't want their machine to look dated - remember these are fasion items.  They make the consumer look good whilst they are supping a hot chocolate in Starbucks whilst hooked up to the free wifi and reading how to save the environment - so that works in our favour and drives down the prices in the used market!

These are the machines you are looking for, those last ot two gen back machines.

What to Buy & is it Catalina Capable ?

If you are buying a used Apple off Ebay, ensure you get one capable of running Catalina, the list of Mac's that can run it is;

• MacBook (2015 or newer)
• MacBook Air (2012 or newer)
• MacBook Pro (2012 or newer)
• Mac mini (2012 or newer)
• iMac (2012 or newer)
• iMac Pro (2017 or newer)
• Mac Pro (2013 or newer)

Remember that Apple usually cull machines from this list each time they release an OS, so I would recommend something 2015 onwards, as those machines from 2012 are likely to get the chop in OSX 10.16.

Most forensic vendors are updating their software to work with Catalina, so ensure you are ready for that by having a Catalina capable machine. 

We are not buying an old clunker that tops out at High Sierra (which is what the pre 2012 machines do) - if you can't run the latest software - whats the point?

2. What are you Using your Ebay Mac for ?

Before you purchase anything, you need to decide what are you going to use the Mac for;

a) Purely for imaging connected computers in TDM

or

b) TDM imaging AND analysis

Purely Imaging:

Then you can buy anything from the list above, early machines will still have Thunderbolt 2 ports (which are superfast), you will need an adapter to connect a newer Mac which has Thunderbolt 3 (You, know the one that looks like USB C) and some Macbook Air's only have one port (so you will need a hub).

We will cover cables, adapters and hubs later my friends, so lets stay focussed for now.  I'm surprised I haven't gone of on a tanget yet, thats normally what happens....talk of the devil, I have to shoot in a bit, its Friday and thats Fish and Chips night here in twee little England (U.K) - Skate and chips for me...yum.

Right, back to it;

Don't Waste Money Upgrading Imaging Machines:

Don't waste money attempting to upgrade potato machines (such as Macbook Air's with 4GB RAM and 64GB SSD's) from their stock spec, as an imaging mule does not need any additional memory or storage - that also defeats the purpose of doing this on a budget!

You will be hanging all of your destination disks off the USB3 bus that all of these machine have, so you have plenty of bandwidth to get your images out of the machine, even if you image to two destination disks at the same time. 

If you intend to image out to a Thunderbolt RAID - note that the laptops only have 1 Thunderbolt port which you will be using to connect to the suspect machine - so no delusions of granduer please.  You can however image out over LAN if that takes your fancy.

TDM Imaging & Analysis:

So, if you are going to be doing analysis as well - you need to be a little more selective of the machine you buy.

Don't buy a machine that has the RAM soldered to the logic board (as those top out at 8GB if I remember correctly) these are typically the Macbook Air's, my advice is go for an iMac that has upgradeable memory (most top out at 32GB circa 2015 and the 2012 models 16GB).

Unless you are doing really really large indexing jobs (of multiple images at the same time), 16GB or RAM is fine, 32GB is a luxury and will make the machine considerably more responsive during these tasks, the rest of the time (the majority) that RAM won't be used.

The more RAM you have, the less beach ball you will see - simple.

Used DDR3 Memory for these machines is cheap these days, you don't need Apple approved RAM either - just as long as it matches the speed and voltage of the factory RAM you are good to go.  I would only recommend branded memory, there are some nasty cheap brands out there that are not going to work.  Stick with Kingston, Crucial, Hynix or Samsung.

For this generation of machine thats going to be DDR3 Unbuffered 1600Mhz (although if you cant get that, 1333Mhz RAM will usually work fine) you just lose a fag papers worth of memory bandwidth - which at this price point and performance level, is going to be un-noticable.  It does not matter what flavour of RAM either, low-voltage, ultra-low voltage - they all work.

On iMac's, to upgrade the RAM you will need to remove the screen (easy peasy with a guitar pick or plastic spudger - its held in by sticky tape) and take out the logic board (not hard either) to upgrade most machines - but its no more than a 45 minute.  On some of the iMacs you can get away without removing the logic board - you can lower the dimms in place with a screwdriver or pliers - no need to remove the logic board.

Macfixit website has a full guide and sells a kit to help you stick the screen back together!

On Macbook Pro's, its a case of getting a tiny normal or pentalobe screwdriver, removing the back cover and slotting in the new RAM, which is much easier. 

EveryMac's website is a great resource to find out how much RAM your prospective Apple machine can take, don't bother with Apple's website, they only tell you what they offer in the way of RAM at the time of sale, not the maximum.

As for processors, go for a machine with a high end i5 or mid range i7 CPU, avoid the dual core i5's they are terrible (but turbo quite high, so are fine for just imaging), as is anything with an i3 cpu - so ensure you get a quad core machine as a minimum.

Installing a 512GB SSD for £50/$65/€60 turns this machine into a rocket, so don't go leaving the mechanical drive inside, it will feel super sluggish if you do and ruin the experience.

Catalina or Not to Catalina ?

Catalina is a double edged sword as many software vendors have not updated their product to run on it (even though it was available to developers since June 2019).  Too much laying on the beach sipping pina colada's in California no doubt!

So you may want to run Mojave on it instead until updates are available - check out the Further Reading section of my Macquisition review if you have not already - to see the devastation that Catalina has caused to developers that have been slow rewriting their code post release.

3. Who to buy from on Ebay:

Its useful to find a vendor on Ebay that has a lot of machines and is regularly selling them off - make sure they are a "Business Seller" and not some Joe selling his nan's clapped out old machine from home.

A vendor offering a warranty of some kind is going to push up the price, but when you are paying two hundred or less for a machine - spending a little more may give you peace of mind.

Decent Ebay feedback is what you are looking for and make sure you buy something that is fully functional and not listed as "parts" or "spares or repair".

Machines that have cosmetic damage are the ones to go for, if they are staying in the lab where no client is ever going to see them !

I found this one, in about 15 seconds, its needs a RAM upgrade - but apart from that is a great machine.

Then we have this one, an iMac with a cracked screen - no bids at £100/$120/€130 with 5 hours left to go.  This one even has the 16GB of RAM fitted, so no need to upgrade that.

All of these machines have the Ebay 30 day returns policy attached, so this is a no risk transaction - if it has an undisclosed problem, send it back (the seller also pays the return postage!)  Lots of sellers will list "no returns" on their auctions, but the Ebay policy still applies, if they say the letter "a" does not work on the keyboard and letters "a", "b" and "c" don't work either - you can return it as "not as described".  You can't lose here.

If you prefer something with a warranty, then. you want something like this - a full years warranty with grade A cosmetics.  I can see you in Starbucks with this looking gooooooood.

4. Preparing the Machine:

So, if your machine has an SSD already - it needs to be completely wiped, get rid of everything (including the recovery partition) so that you have a sanitised machine ready to deal with client data.  Look out for my upcoming article "How healthy is your SSD" - where I take a look at issues using them in forensic workstations - subscribe to be notified when this drops.  My advice is to replace it with a new one, regardless if it seems to be working ok.

If your machine has a mechanical drive (which at these prices is most likely) then that needs to go in the bin as;

a) It is tired and will be on its last legs (end of life).

b) It is super slow and will make using the machine frustrating.

Treat this Machine as Hostile:

Don't  connect a used machine to your lab network until you have done this sanitisation process, remember, this is an unknown machine - so don't connect it to a trusted corporate environment willy nilly.

You don't want to just fire up the "clean install" the seller has done for you and start logging into your  online accounts - as you don't know what nasties or malware lurk on the hard drive.  As you are putting client data on these machines, you need to ensure you have documented the sanitisation of the machines.

Remember, we are doing things on a budget, not being reckless!

Which SSD to buy ?

SSD's are usually marketed to the unwashed such as you and I by read and write speeds.  500MB Read here.... 470MB Write there... well forget all that - its marketing bullsh*t.

Look at these 3 drives currently on Amazon;

All are branded, all will have really good sequential Read and Write speeds, but that is not what we are looking for here.

For forensics work, you will often be dealing with small files and your tool will most likely be using some kind of database.  For these operations it is Random 4k Reads  the important statatistic.

Whilst none of these drives are super slow, the Samsung drive is going to be a *lot* faster than the Sandisk drive at these reads and writes.

So its a no brainer, get the Samsung drive.

Don't try and cheap out using any of the "super cheap" SSD's out there, from the likes of Kingdian or other brands that you have never heard of - they used sub-standard memory chips and will let you down just when you need them most!  

Also avoid any second-hand SSD's, you need reliability here - we are running businesses or working for one as an employee!

Reset the BIOS:

Haha, trigger alert - no such thing on Apple machines, but you can;

Clear that PRAM, NVRAM and the SMC for good measure, this will ensure your machine goes back to factory settings completely there is a guide how to do this here.

Update the Firmware:

This one is really easy and can be completely automatic.

Apple have a clever way of delivering firmware updates to your machine, they either roll them up into the operating system installer - which is one of the reasons why your machine reboots a few more times during and OS install.

Apple also roll updates to firmware into to OS sub versions, so if you have a machine in your lab - run that Software Update feature and install what ever updates Apple has released.  By default, in most cases, this option is set to off - and a lot of lab machines don't see the internet at all, so updates can and will be missed.

Once in a while sanitise (wipe all client data) a lab machine and temporarily hook it up to the internet and see if any software updates are available.

Do a Burn in Test:

Before any machine is entered in to service in your lab, give it a 24 hour torture test to see if there are any hardware issues.

You can use the Apple diagnostics (power on holding the D key - more here from Apple) in a loop to do this, or search the web for tools that will let you simultaneously max out the CPU, GPU, RAM and HDD - any machine that can take this for 24 hours solid has proven it is stable and can handle long processing tasks (such as indexing).

Take a look at the diagnostics in the gallery that follows;

5. Cleaning the Machine Inside:

You are going to need to open the machine and clean the fans out - Apple machines are notorious for filling up with dust and then slowly sending the machine to the landfill by cooking it. 

Processors throttle down when they get hot, so having a clean cooling system means you will get maximum performance all the time.  If your machine hangs when you push it - chances are the cooling system is dirty.

There is an interesting article here, which shows what happens if you don't clean out your Apple machine - this also reaffirms why I would not use Mac Mini's (older ones that we are looking at) - their thermal efficiency in relation to cooling is not good. 

6. Reinstalling the Operating System:

So after wiping the storage of the machine, or installing a new SSD - you need to install the operating system again.

Great article here, on how to build installers for the various flavours of OSX onto a bootable USB stick.  Make sure your stick is USB3 and this will make installs really fast.  Not Windows 10 fast, you are still looking at around 15-30 minutes at least.

Don't be lazy and download some dodgy OSX ISO file from a torrent, well unless you hash it with that of the actual Apple issued OSX image file, just follow the guides and you won' t need to!

7. Don't Look Like a Lemon:

No matter how small you are, you need to appear professional and diligent to your clients, so if you are buying machines that will be used on live cases from Ebay, my advice is buy two used machines that are identical and don't have cosmetic damage (if they are going to be used in front of clients).

This way, should one fail, you have another on standby that can get you through so you don' t have to explain to your client "The 6 year old beater machine that Jon Munsey of CFRO told me to buy on Ebay has died, so the court will have to wait whilst I get another one".

Whipping out your backup Mac will save the day and everyone is a happy bunny.

As you will see at the end of the article, if you buy at the right price, it is possible to have two duplicate machines and still be within the budget we set at the start!

8. Essential Cables & Hubs:

You are going to need all of the items in this section so get shopping!

If you scrimp out and think you won't need all of these at some point, think again - as it will come and bite you on the b*m.

Thunderbolt 2 to 3 Adapter Cable:

So you will need one of these if you want to image any contemporary Apple machines that have USBC ports only.

This cable is around £49/$60/€55 and can be purchased here from the Apple store.

Don't cheap out here and buy a compatible adapter - there are a couple of manufacturers that make copies.  Also don't be tempted to buy a used one, make sure you get a fresh new cable.  The last thing you want is for the cable to disconnect whilst in the middle of imaging a suspect machine - get a new one, look after it and it will look after you.

Whilst this connector looks like it is a simple USBC connector, physically it is, but Thunderbolt is a completely different proticol - its not USB.

Take a look below so you know what you are looking for;

Thunderbolt 2 to 2 Cable:

The other type of TB cable you will need is the older TB2 to TB2 type, this retails from Apple at £29/$29/€29.

This is interchangable with early TB 1 machines, so you only need one cable to cover the two versions of the protocol.

Again, you can buy copies on Ebay or from reputable sellers such as Belkin on Amazon, but for me, I don't take chances, so an Apple cable is not going to let you down when you need it most.

Take Care of Your Cables & Don't Plug in Blindly:

These cables don't grow on trees, so if you damage one when you are onsite, unless there is an Apple store nearby, you can't just walk out into the high street and buy another one.

Keep your cables either in the box they came in, or some form of protective pouch.

Don't kink them or wrap them too tightly - these cables are delicate.

Also, just like other scenario's when you could be putting something you own into a dirty hole, always, always check the port on your lab machine and the suspect machine is clean.

Fluff, lint (has anyone ever seen any of that before?), hair and all sorts of other detritus get in these ports and can contaminate your cable causing intermittent connectivity issues, or worse still, fry the controller chip on the suspect or lab machine if it is conductive.

I'm not saying wear gloves and clean the port with a cotton bud (cue tip), but just look in the hole and remove any debris - TB ports are seldom used in most cases, so they do get dirty.

Is that a Display Port or a Thunderbolt Port:

The other thing to remember is that not all ports that look like TB ports are TB ports, check out this image - showing you the Displayport and the TB 1/2 port up close.

Whilst you can use the Thunderbolt port for attaching external monitors AND connecting up data storage devices (such as hard drives or another Mac via TDM mode), you can't use the older DisplayPort to transfer any data.

The cables will connect up and look the part, but no matter how much you try, you won't get the two machines to see each other.  So you will end up looking like a nelly.  There is an article explaining the confusion that can arise here.

You can read up on the DisplayPort here, 

How Fast is Thunderbolt ?:

Well, if you are interested, Thunderbolt was always designed from the outset to trump the civilised worlds' favourite peripheral protocol, USB 3.

As we can see, they did a pretty good job from day one with Thunderbolt 1 offering twice the speed at 10gbps!

Remember this measurement is not GigaBytes per second, its Gigabits, so divide 10gbps by 8 gives you 1.25 GigaBytes per second maximum theoretical transfer speed.

You need a hub:

When you are out in the field imaging Apple computers, you absolutely, categorically need a hub.

Even if the Mac you are thinking of imaging has enough USB ports to accomodate your destination drive and any dongle based imaging environment you may be using (Such as Macquisition, Recon ITR or Evimentry) - if one of those ports is damaged or has intermittent connection issues - you are not going to be imaging that Mac any time soon.

I have a pair of Aluxm hubs which work on older Apples in USB A mode and with the included adapter work in USB C mode as well.  Keep in mind that this is a USB hub and not a TB hub.

The hub has 4 USB ports (one hidden on the back of the unit), remember the USB3 specification allows for around 900ma of power, so that is easily enough for a dongle and two modern USB hard drives.  Go past that current draw and you are going to see drives dropping on and off the USB bus like yo-yos.

I would not attach anything over 2TB, as the 4TB drives and larger do draw a fair bit of peak current when they spin up - so if you are using super large drives and things are not working for you - that is probably the reason.  This only applies to magnetic mechanical drives, for SSD's capacity makes no difference.

Take a Spare:

Hubs break, so again, always have a spare - they are cheap.  My secondary hub is an Aukey C17.  You can see that in the gallery below as well!

Not all hubs are Equal:

Don't buy super cheap hubs of Ebay for a few dollars, some of them won't allow you to boot from them.  This was a big problem a few years ago when Apple introduced USB 3 to their machines, but not so much now.

The cheaper hubs also tend to get hot and have poor cooling, which means the bridge chip in the hub overheats and reboots itself - meaning all devices drop off the USB bus and at the same time trashes any image in progress.

Another problem with the cheaper hubs is that somtimes the micro-controller used is a copy of a legit bridge chip and can't handle long intensive data transfers without an uncorrectable error occuring.  Which is exactly what imaging is going to do !

So remember, buy a decent brand or use the ones I have tested.

If in doubt, just buy these ones - the Aluxm hub is definetely still readily available.

Which Macs Have Which Thunderbolt ?

So, as you may or may not know, there are 3 revisions of the Apple Thunderbolt connector.

In order to work out what cable you will need ahead of time, the following list can be used as a guideline.

Remember that Thunderbolt  1 and 2 use the same cable.

If you would like to read a little more about Thunderbolt, check out this great wikipedia article.

Thunderbolt 1:

Thunderbolt 2:

Thunderbolt 3:

 iMac Pro

iMac 2017

Mac Mini 2018

MacBook Pro 2016

MacBook Air 2018.

9. Mac Forensics Software:

Like I said at the start of this review, you can forget Macquisition as that is way too expensive, is relatively crippled at present and has about as much ability to triage data as the blind one handed, two fingered monkey I have recently employed here at CFRO to read your messages :)

What you need is this;

Which costs £930/$1199/€1095 from these guys - click the image to watch the video.  Full review coming soon, so subscribe to be first to see it !

Steve and Jason are a friendly duo, you can literally ask them anything and they will help you out - that is why they have Super Vendor status here on CFRO.

If you are new to CFRO, this is not a paid promotion - if anyone offered me money for a decent review or a plug on the site, they would be shamed on the front page!  As luck would have it Recon ITR was being released just as I was polishing this article up for release, so it is really a last minute add-on!

Everybody gets a second chance here on CFRO, so if Black Bag decide to release a competing updated version of Macquisition at a fair price - I will include details here so you can decide which vendor you want to go with.  But at the moment, to me anyway, its a no brainer.

10. Budget Mac Forensics Cost Breakdown:

1. Macbook Pro £235/$300/€275

2. Apple T2 to T3 Adapter £50/$64/€58

3. Apple T2 to T2 Cable £30/$38/€35

4. Pair USB3 Hubs  £50/$64/€58

5. Recon ITR £930/$1199/€1095

TOTAL: £1295/$1664/€1517

Optional Upgrades

1. 512GB Crucial SSD £50/$64/€58

2. 16GB DDR3 RAM 2 x 8GB (Used) £60/$77/€70 (all featured machines)

3. 32GB DDR3 RAM 4 x 8GB (Used) £120/$150/€140 (certain iMacs only)

4. Second Macbook Pro £235/$300/€275

5. Apple Display Port to HDMI/DVI/VGA adapter = £5/$5/€5

11. Final Words:

Well, I hope this has been useful to you, if you are thinking of buying something for your lab/home/college to experiment with on a budget - drop me a line via the contact form and I will give you my opinion on the machine you are thinking about!

This shows that you can do Apple forensic imaging and triaging for a lot less money than people will have you believe.

Yes, you will have to leave a machine indexing overnight - and yes searches may not occur instantaneously on these older machines - but they get the job done.

If you are an impatient diva, used to a 32 core Xeon powered Mac Pro with 128GB of RAM and a zillion terabyte dual TB3 RAID array for storage, then this route is most certainly not for you!

Please like and share this article, I find LinkedIn works really well - make sure you subscribe to the newsletter so that you are notified when new content is published!

See you in the next one - your humble webmaster - Jon Munsey.

Products Wanted for Review:

Vendors, if you have a product that you would like to see get a fair and honest review here on CFRO, please get in touch.  I don't bite.

If your software has issues and you are afraid you will get negative publicity and lose sales - don't let that put you off we don't crucify vendors here.  CFRO's readers like to see "Known issues" so they can work round them and you can demonstrate that you are actively working on fixes.  This builds confidence in your brand (the community reads these reviews!) and stops people like myself throwing my toys out of the pram when something is found not to be working as intended during my testing.

The worst thing you can do is put your head in the sand and maintain radio silence.  CFRO's mission is to improve standards in the industry as a whole.