Single User Mode can be one of the best tools available in Macintosh Forensics. This “mode” of the operating system was designed for system administrators to perform maintenance functions easily. When utilizing Single User Mode, you will be the “root” user, which means you will have the power to cause great catastrophe if you do not use great care.
Open Firmware Password Note: When an Open Firmware Password has been applied, access to Single User Mode (among other boot-time features) is blocked. Apple documents a reset procedure to remove this password, but it will unfortunately reset the clock as well.
Single User Mode Note: It is always possible that an advanced user has disabled Single User Mode. If the Mac does not boot into Single User Mode as expected, note this and power it off.
To enter Single User Mode, follow these steps:
- Attach a working Display and keyboard (preferably an Apple Keyboard).
- Plug in the Macintosh.
- Press the Power button and immediately hold down the Option key on the keyboard. (The ALT key is the Option key on a PC keyboard)
- You will be presented with one of two screens. Either you will see the available boot partitions or you will see a password dialog. If you see a password dialog, you will need to follow the steps to remove an Open Firmware Password if you wish to use Single User Mode. (It is safe to hold down the Power button to power off the Macintosh and end this procedure now.)
- Now that you have the available boot partitions on the screen, you have confirmed that no Open Firmware Password has been applied to this Macintosh. An Open Firmware Password would prevent us from performing step 5!
- Power off the Macintosh by holding the Power button for about 4 seconds.
- Press the Power button and immediately hold down the Command (Apple) and 'S' keys. This will cause the Mac to enter Single User Mode.
- The Mac will display text across the screen and a prompt near the bottom.
Now that you are in Single User Mode, you are the “root” user. Do not take this privilege lightly. Although the file system has been mounted read-only and very little is actually happening, you have the ability to execute very destructive commands if you are not careful.
At this point, we can execute some useful commands that have no effect on the file system and the evidence it holds. Before we look at the commands that we likely want to use, let's look at the commands we DO NOT want to use.
Notice the message on your system mentioning “/sbin/fsck” and “/sbin/mount -uw /”. Do you know what those are? System administrators do, and they would likely run these two commands each time they enter Single User Mode. If you execute these commands, you will run a File System Check (fsck) and then re-mount the file system writeable (mount -uw). Unless you truly meant to do that, DON’T DO THAT!
What can you do in Single User Mode?
First, all ‘man’ pages are available. If any of the commands I show you here are not making sense as you are using them, you have help available. Simply use the ‘man’ pages.
Next, the following commands are all non-destructive and safe for gathering information without altering the evidence on the drive in the Macintosh being examined:
date: returns the date with the current time zone applied
date -u: returns the date in UTC
hdiutil partition /dev/disk0: returns the partition table of the boot drive
hdiutil pmap2 /dev/disk0: returns additional partition table information for the boot drive
ls /dev/disk?: lists the current device files in use for installed disks
ls /dev/disk??: use this if you have additional disks installed beyond the first 10 listed
Apple System Profiler is also available in a command line version. We can use this to gather vital information before powering down the Mac. The following commands return useful information.
system_profiler SPHardwareDataType: returns Macintosh hardware info
system_profiler SPSoftwareDataType: returns operating system info
system_profiler SPParallelATADataType: returns info on ATA devices
system_profiler SPHardwareRAIDDataType: returns info on hardware RAID
system_profiler SPMemoryDataType: returns info on installed memory
system_profiler SPParallelSCSIDataType: returns info on SCSI devices
system_profiler SPSASDataType: returns info on SAS devices
system_profiler SPSerialATADataType: returns info on SATA devices
(If any of these pauses for an extraordinarily long time, you can press CTRL-C to end the system_profiler process. Sometimes devices cannot be polled properly in Single User Mode.)
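As an added example (not part of the original article), the following shell script wraps the non-destructive commands above behind a preflight check: it parses the output of `mount` and refuses to run anything unless the root file system is still mounted read-only, so an examiner who accidentally ran `mount -uw /` is stopped before touching the evidence. It assumes the BSD-style `mount` output format of Mac OS X (e.g. `/dev/disk0s2 on / (hfs, local, read-only, journaled)`); the script name and the `main` entry point are my own.

```shell
#!/bin/sh
# Added example, not from the original article: preflight check for
# Single User Mode information gathering. Assumes BSD/macOS mount(8)
# output such as: /dev/disk0s2 on / (hfs, local, read-only, journaled)

# Return 0 if the supplied mount(8) output shows "/" mounted read-only,
# 1 if "/" is absent or is mounted read-write.
root_is_readonly() {
    printf '%s\n' "$1" | awk '
        $3 == "/" {                     # the line whose mount point is /
            seen = 1
            if ($0 ~ /read-only/) found = 1
        }
        END { if (seen && found) exit 0; exit 1 }'
}

# The read-only commands listed in the article, run one at a time so a
# hung device probe can be interrupted with CTRL-C without losing the
# output already on screen.
gather_info() {
    date
    date -u
    hdiutil partition /dev/disk0
    hdiutil pmap2 /dev/disk0
    ls /dev/disk? /dev/disk?? 2>/dev/null
    for t in SPHardwareDataType SPSoftwareDataType SPMemoryDataType \
             SPSerialATADataType SPParallelATADataType; do
        system_profiler "$t"
    done
}

# Entry point: only gather information when the evidence disk is still
# read-only; otherwise stop and say so on stderr.
main() {
    if root_is_readonly "$(mount)"; then
        gather_info
    else
        echo "ERROR: / is not mounted read-only; refusing to continue" >&2
        return 1
    fi
}
```

Invoke `main` after sourcing the script from read-only media; the check never writes to the disk under examination.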
Note: It has been asked, why not just use the Terminal command ‘system_profiler’ and get all of the data at once, utilizing the ‘less’ command, something like this:
system_profiler | less
This command does not work in Single User Mode with the file system mounted read-only. The ‘system_profiler’ command is not a file that ‘less’ can read from. At the time of this writing, I am looking for a command line guru who can give me the proper syntax for pausing the output in Single User Mode with the file system mounted read-only. The command works perfectly when the file system is mounted read-write.