Forensic Examination of the 2016 MacBook Pro

MacBook Pro 2016 Touch BarThis post was updated on July 11th, 2017.

In October 2016 Apple released the new 2016 MacBook Pro models.  While a lot has been made of the fact that Apple only included USB-C (Thunderbolt 3) type ports, not much has been said about some of the other features of this computer.  Some of these features can have an adverse affect on forensic examinations.

In this blog we are going to discuss some of the new features of the 2016 MacBook Pro and how they may affect your forensic examinations.

Identifying The New MacBook Pro

All new MacBook Pros come equipped with USB-C (Thunderbolt 3) type ports.  They can be further identified by the following:

New 2016 MacBook Pro models

Figure 1:  New 2016 MacBook Pro models

Forensic Implications

Apple introduced a couple of new features that examiners should be aware of in order to prevent any unintended changes to the evidence.

New MacBook Pro’s are designed to automatically startup (from an off state) as soon as the lid (or display) is lifted.  Further, if the MacBook Pro is plugged in to power while in an off state the MacBook Pro will startup.

Continuing from the previous release of the MacBook Pros an external visible indication that the computer is sleeping is not present.  So examiners will not know if the computer is off, or sleeping.

Recommended Approach

As an examiner if you come into possession of new MacBook Pro with the lid closed, be prepared prior to opening the lid.

Testing has shown that the examiners will have time to press and hold the <Option/Alt> key to interrupt the boot process and access the macOS startup manager.

BlackBag has always recommended this approach when starting Mac computers prior to examination; however in the case of the new MacBook Pro it is now an essential step.

Where Is The Power Button?

The familiar Mac power button is gone on MacBook Pros equipped with the Touch Bar, replaced by the Touch ID sensor that is on the far right side of the Touch Bar just above the keyboard.

Location of power button on new 2016 MacBook Pro

Figure 2: Location of power button on new 2016 MacBook Pro

Other Considerations

Here are some other points of consideration when examining the new MacBook Pro:

  • Just as with an iOS Device, Touch Bar equipped MacBook Pros that have a configured fingerprint require the password to be entered on startup after power down or restart.
  • Touch Bar equipped MacBook Pros that have a configured fingerprint when waking from sleep or screen lock will default to the fingerprint input to unlock the device.  Examiners will need to click “Cancel” below the user account icon to access a screen where the password can be entered.

Imaging A New MacBook Pro

MacQuisition 2017 R1 is fully compatible with the new MacBook Pro so examiners can automatically boot the new hardware directly from MacQuisition using a USB -C adapter.

Examiners who do not have MacQuisition 2017 R1 are advised to follow this procedure:

1. Boot another Mac computer into MacQuisition 2016R1

2. Start the new MacBook in Target Disk Mode.  Remember it's advisable to always hold the <Options/Alt> key when starting a Mac that is to be examined.  This is to check for firmware passwords.  Once the new MacBook is showing the Startup Manager, press and hold the ’T’ key to put the new MacBook Pro into Target Disk Mode.

3. Attach the new MacBook Pro to the Mac booted into MacQuisition 2016R1 using one of the following:

  • USB-C to USB-A straight cable
  • USB-C to USB adapter and USB 3 cable
  • USB-C to AV Multiport adapter and USB 3 cable
  • USB-C to VGA Multiport adapter and USB 3 cable
  • USB-C To Thunderbolt adapter and Thunderbolt 2 cable

Note: All USB connections must be to a USB 3 port

4. Image the computer using MacQuisition.

More Information

For more information on USB-C equipped Mac computers view our blog post: Imaging a MacBook with only one USB-C port.

Leave a Reply

Sorry, you must be logged in to post a comment.