Possible to mount Target Disk Mode (TDM) as read only?

[SnakeByte]

I've got two 2020 MBPs connected together with a thunderbolt 3 cable, one booted in Target Disk Mode. I'd like to mount the encrypted apfs volumes as read only.

Once connected, the booted mac (Catalina) prompts for a password to unlock an encrypted volume which I cancel. From the terminal, if I unlock the volume with the "nomount" option, the system nonetheless mounts the partitions:

$ apfs unlockVolume /dev/disk3s1 -user [UUID CODE GOES HERE] -nomount
Passphrase:
Unlocking the specific cryptographic user [UUID CODE] on APFS Volume disk3s1
Unlocked but did not mount APFS Volume attached via Target Disk Mode
Updated related disks attached via Target Disk Mode to read/write

A second GUI prompt appears asking for the password to unlock an encrypted volume again, which I also cancel. However:

$ mount
/dev/disk3s1 on /Volumes/Macintosh HD 1 (apfs, local, nodev, nosuid, journaled, noowners)
/dev/disk3s2 on /Volumes/Macintosh HD - Data (apfs, local, nodev, nosuid, journaled, noowners, nobrowse)

In a last ditch attempt, I tried to remount as RO:

sudo mount -u -r /Volumes/Macintosh\ HD\ 1
Password:
mount_apfs: volume could not be mounted: Invalid argument
mount: /Volumes/Macintosh HD 1 failed with 66

Is there a forensically safe way to achieve this?

 

[barbu]

Sounds like you're on the right track. There must be a way to mount read-only.
As far as "forensically safe", the only way to do that (for purposes of evidence) is a write-blocker device.

 

[SnakeByte]

Is there a write-blocker device for target disk mode type setups? The solid state drives in recent MBPs are soldered in place if I remember correctly.

Any idea why -nomount isn't being honored? Is there no way to prevent the automount? Is there another way to unlock an encrypted volume in target disk mode from the CLI?

 

[Flint Ironstag]

This is old, but check out Elcomsoft blog. Sometime in the last year they released a free write block utility.