Apple's T2 chip encrypts the Mac's internal SSD with keys that never leave the chip's Secure Enclave, so a traditional physical image of the disk is unreadable off the device and forensic examiners are forced to conduct logical acquisitions. This is where MacQuisition steps in and saves the day!
One of MacQuisition’s strengths is its Data Collection functionality. Data Collections have the ability to logically acquire data, hash each file, record metadata for each file, and document the acquisition process.
This article is a continuation of the first T2 chip blog article, Examining Mac Data from Hardware With the Apple T2 Chip, and is designed to share some quick tips to help with a logical acquisition. Don't forget that the MacQuisition user guide is an excellent resource and is much more comprehensive.
Read-only versus read-write state
Step 1 - let’s review some Mac forensic basics that are sometimes forgotten
Booting to MacQuisition allows the examiner to mount the Mac's SSD in a read-only state, whereas running MacQuisition live on the Mac leaves the SSD in a read/write state. We are often asked, "Why would you want to run MacQuisition live when the data is not write-protected?" One example: if you seize a Mac while the user is logged in and FileVault 2 encryption is turned on, it may be necessary to collect the user data immediately while the volume is unlocked and the files are readable; once the Mac is shut down, that data is inaccessible without the user's password or a recovery key. The trade-off is that a live collection changes the state of the system (timestamps, logs and caches), so document exactly when and how it was run.
We are also asked, "Why does this Mac not have FSEvents to collect?" There are at least three reasons for this, but the most common one is explained next. Many examiners do not realize that if they place the source Mac in Target Disk Mode and then attach it to another Mac that is running live without write protection, the source Mac's disk is mounted in a read/write state. In our experience, attaching the source Mac in Target Disk Mode to a live host Mac can remove the contents of the source Mac's '.fseventsd' folder, because the host's own fseventsd daemon takes over the log folder on any volume it mounts read/write and may purge the existing records. If you must use Target Disk Mode, make sure the source disk is write-protected before the host mounts it.
Note: if you want to conduct the Data Collection in a read-only state by booting to MacQuisition, make sure to cleanly shut down the computer using the operating system. If the Mac is not shut down "cleanly" using the operating system, the file system is left in a "dirty" state (its journal has not been replayed) and cannot be mounted read-only. This affects both the physical disk and the APFS container, which means that if you boot to MacQuisition, the volumes cannot be accessed to calculate size and files cannot be selected for a logical acquisition. To shut down the Mac cleanly, the examiner will need to be logged into a user account, then click on the Apple menu and choose 'Shut Down…'. Bear in mind that shutting down also locks any FileVault-encrypted volume, so have the user's password or a recovery key ready to unlock it once you have booted to MacQuisition.
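Before starting a collection it is worth confirming, rather than assuming, which state the source volume is actually in. The following script is an added example and is not part of MacQuisition or of the original article: it parses the output of the macOS `mount` command to report whether a given volume is mounted read-only, and counts the log files left in that volume's '.fseventsd' folder so an emptied folder is noticed before the examiner wonders where the FSEvents went. The `mount` output embedded in the script is constructed for illustration; `live_mount_table()` reads the real one on the machine it runs on.

```python
#!/usr/bin/env python3
"""Pre-collection checks for a mounted Mac volume (added example, not MacQuisition code).

- parse_mount_output(): turn `mount` output into a table keyed by mount point
- is_read_only(): True only when the volume carries the 'read-only' mount flag
- fsevents_log_count(): number of FSEvents log files under <volume>/.fseventsd
"""
import os
import re
import subprocess

# Constructed sample of macOS `mount` output: one APFS volume mounted read-only
# (as MacQuisition would mount it) and one mounted read/write (a live system).
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s1 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk2s1 on /Volumes/Evidence (apfs, local, journaled, noatime)
/dev/disk1s4 on /private/var/vm (apfs, local, journaled, noatime, nobrowse)
"""

# "<device> on <mountpoint> (<fstype>, <opt>, <opt>, ...)"
MOUNT_LINE = re.compile(r"^(?P<device>\S+) on (?P<mountpoint>.+?) \((?P<opts>[^)]*)\)$")


def parse_mount_output(text):
    """Return {mountpoint: {"device": str, "fstype": str, "options": set}}."""
    table = {}
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a mount line
        opts = [o.strip() for o in m.group("opts").split(",")]
        table[m.group("mountpoint")] = {
            "device": m.group("device"),
            "fstype": opts[0],          # the first parenthesised item is the file system type
            "options": set(opts[1:]),
        }
    return table


def is_read_only(mount_table, mountpoint):
    """True only if the volume is present and mounted with the read-only flag."""
    entry = mount_table.get(mountpoint)
    return entry is not None and "read-only" in entry["options"]


def fsevents_log_count(volume_root):
    """Count FSEvents log files in <volume_root>/.fseventsd (0 if the folder is absent).

    The 'fseventsd-uuid' marker file is excluded so a folder that holds only the
    marker, which is what a purged folder typically looks like, still counts as 0.
    """
    folder = os.path.join(volume_root, ".fseventsd")
    if not os.path.isdir(folder):
        return 0
    return sum(1 for name in os.listdir(folder) if name != "fseventsd-uuid")


def live_mount_table():
    """Parse the real `mount` output on the machine this script runs on."""
    return subprocess.check_output(["mount"], text=True) and parse_mount_output(
        subprocess.check_output(["mount"], text=True))


if __name__ == "__main__":
    table = parse_mount_output(SAMPLE_MOUNT_OUTPUT)
    for mp in ("/", "/Volumes/Evidence"):
        state = "read-only" if is_read_only(table, mp) else "READ/WRITE (not write-protected)"
        print(f"{mp}: {table[mp]['fstype']}, {state}")
    print("FSEvents log files on this machine's root volume:", fsevents_log_count("/"))
```

On a live system run it as `python3 precheck.py` and substitute `live_mount_table()` for the sample table; a volume that is not reported as read-only should be treated as unprotected, whatever the examiner expected.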
Step 2 - let’s start a Data Collection
Click on the Data Collection icon and you will see MacQuisition has pre-selected popular categories of interest. If you want to collect all files, not just the displayed categories, right click and choose ‘Deselect All’.
Then scroll down to the last section called Additional Files and click on the ‘Select Files…’ button. A Finder window will open where you can select the Mac’s internal disk from the drop-down menu at the top center.
As tempting as it is to select every folder in this Finder window, some system files are difficult to acquire when all folders and files are collected at once. We recommend collecting the Users directory on its own and then collecting the system folders in a second collection.
Note: if you are running MacQuisition live and entered the admin password at the beginning, you will have root access and can see the home directories of other user accounts. If you did not enter the admin password and are in restricted mode, other users' home directories will be grayed out or show the no-access symbol.
In the screenshot below, four folders are selected for collection; they hold numerous Mac artifacts, such as FSEvents records and Unified logs, that are excellent for investigations.
You have the option to write the collection to a Folder or to a Sparse Image. If you choose 'Folder', make sure the destination drive is formatted as APFS or HFS+ to preserve the most metadata; an exFAT or FAT destination cannot store extended attributes and keeps coarser timestamps.
Note: you might see a pop-up message like the one below informing you that Status Tracking is turned on. In our most recent testing, when collecting a large number of files, it is actually faster to keep Status Tracking on, so disregard this message in 2018 versions. One way to save time is to uncheck one or both of the hash types if you do not need them, but check your evidence-handling procedure first: most require at least one hash per collected file.
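To see what the per-file hashing and metadata recording in a Data Collection amounts to, and to re-verify a collection later, here is an added example that is not MacQuisition's own code and does not use its manifest format. It walks a collection written to a plain folder, records MD5 and/or SHA-256 plus size, mode and timestamps for every file (symlinks are recorded, not followed), and can re-check the folder against that manifest, reporting missing, altered and unexpected files. The hash set is a parameter, mirroring the option above to drop a hash type to save time. The file names and the JSON layout are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Hash manifest for a logically collected folder (added example, not MacQuisition code).

usage: manifest.py build  <collection-folder> <manifest.json>
       manifest.py verify <collection-folder> <manifest.json>
"""
import hashlib
import json
import os
import stat
import sys

CHUNK = 1 << 20  # hash 1 MiB at a time so large files never land in memory at once


def hash_file(path, algorithms):
    """Return {algorithm: hexdigest}, computing all requested hashes in one read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root, algorithms=("md5", "sha256")):
    """Walk `root` and return a deterministically ordered list of per-file records."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # fixed traversal order so two runs produce identical manifests
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: describe the link itself, do not follow it
            rec = {
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mode": oct(st.st_mode),
                "mtime_ns": st.st_mtime_ns,
                "btime": getattr(st, "st_birthtime", None),  # creation time; macOS only
            }
            if stat.S_ISLNK(st.st_mode):
                rec["symlink_target"] = os.readlink(full)  # no content to hash
            else:
                rec.update(hash_file(full, algorithms))
            records.append(rec)
    return records


def verify_manifest(root, manifest):
    """Re-hash `root` and return a list of (path, reason) discrepancies; [] means clean."""
    # Only recompute the hash types that the manifest actually contains.
    algorithms = [a for a in ("md5", "sha256") if any(a in r for r in manifest)]
    current = {r["path"]: r for r in build_manifest(root, algorithms)}
    problems = []
    for rec in manifest:
        now = current.pop(rec["path"], None)
        if now is None:
            problems.append((rec["path"], "missing"))
            continue
        for key in list(algorithms) + ["size"]:
            if key in rec and rec[key] != now.get(key):
                problems.append((rec["path"], f"{key} mismatch"))
    for path in current:  # anything left over was not in the manifest
        problems.append((path, "unexpected extra file"))
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        with open(sys.argv[3], "w") as fh:
            json.dump(build_manifest(sys.argv[2]), fh, indent=2)
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        with open(sys.argv[3]) as fh:
            manifest = json.load(fh)
        for path, reason in verify_manifest(sys.argv[2], manifest):
            print(f"{reason}: {path}")
    else:
        print(__doc__)
```

Write the manifest to a separate evidence drive rather than inside the collection folder, otherwise the next `build` will hash the manifest itself and the next `verify` will report it as an unexpected extra file.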
Step 3 - a macOS Mojave tip
If you are required to conduct a Data Collection while running MacQuisition live on Apple's newest macOS, Mojave (10.14), you may need to adjust a system preference to conduct a comprehensive collection.
Apple introduced a new privacy control in Mojave (part of its Transparency, Consent and Control, or TCC, framework) that can be reached by going to the Apple Menu and choosing 'System Preferences', then 'Security & Privacy', then the 'Privacy' tab.
Notice in the screenshot below a feature called 'Full Disk Access', which lets the user add the applications that should be granted full disk access. Once you click the lock in the bottom left corner and enter admin credentials, you can add MacQuisition to this list from the 'Application' volume of the MacQuisition dongle.
If you do not allow MacQuisition full disk access on macOS Mojave, the user account categories will display 0 bytes in the Data Collection view, because Mojave blocks access to protected locations such as Mail, Messages and Safari data until the application has been granted access. However, you can still conduct a limited collection by following the Data Collection steps above and manually selecting the files you do have access to. Keep in mind that granting full disk access is itself a change to the evidence machine (the TCC database is updated), so record it in your acquisition notes.