Apple T2 Chip Systems: Create Decrypted Physical Images With MacQuisition

BlackBag Technologies is proud to announce the release of the first and only solution to produce a decrypted physical image of the latest Mac systems utilizing the Apple T2 chip in MacQuisition 2019 R1. Prior logical imaging solutions, including functionality available in the earlier versions of BlackBag’s own MacQuisition tool and competing solutions like Sumuri Recon and EnCase, miss critical file system information that only this new level of physical access will be able to provide. To enhance our forensic Mac imaging tool further, we've included the following new features:

  • Ability to create physical images of Macs with the Apple T2 chip
  • Support for imaging APFS Fusion drives
  • Capture RAM and targeted collections live on Mojave
  • Support added to boot newer hardware

Imaging Devices with the Apple T2 Chips

Starting in 2017, Mac computers have Apple’s T2 security chip providing hardware-assisted encryption for data stored on the system.  In these systems the Apple T2 chip is tightly integrated with the disk controller and contain unique encryption keys. By default, all APFS volumes that contain user data on T2 protected systems are encrypted.  The only way to decrypt the data is to use information embedded in the specific T2 chip that protected that disk, no other T2 chip will work.  Currently, it is not possible to extract encryption keys from the T2 chip.  If the T2 chip is damaged, data can never be recovered from the drive.

The encryption provided by the T2 chip works in conjunction with FileVault 2.  When FileVault 2 is enabled, the Recovery Key or password from any of the user accounts on the system is required at acquisition time to decrypt the data.

MacQuisition 2019 R1 is the only solution that interfaces with the T2 chip to decrypt the filesystem at collection time, providing a decrypted physical image.  Since the T2 chip is responsible for all encryption all data must be decrypted during acquisition; it is not possible to decrypt the data at analysis time.  While BlackBag is in the process of developing a methodology to decrypt unallocated space from T2 systems, that functionality is not yet available.  To save time, since the unallocated space cannot be decrypted, there is an option to skip imaging unallocated space.

When a T2 system is booted or attached in target disk mode, MacQuisition identifies the disk controlled by the T2 device with the label APFS Container (T2).

As the APFS Container on the T2 system is acquired, MacQuisition interfaces with the T2 chip to decrypt the T2-protected data creating a decrypted physical image.  In order to create the physical image, MacQuisition creates an image using the open standard Advanced Forensic File Format (AFF4) image format.  AFF4, supported by a number of popular forensic tools including BlackLight, provides modern compression algorithms and the flexibility required to efficiently image data in a non-linear or sparse way.

Imaging APFS Fusion Drives

With the release of macOS 10.14 (Mojave), Apple provided an implementation for APFS Fusion.  Technical changes by Apple necessitate an imaging tool that is able to handle these complex APFS containers.  Since synthesized APFS containers do not have a limit on the size or location of the volumes within it, creating a bit-by-bit physical image is not realistic.

MacQuisition now performs a physical acquisition that attempts to collect data as it exists on the disks including data not available via the file system interfaces providing more options for analysis and recovery of historical or deleted data.

In order to image the APFS containers spanning Fusion drives, MacQuisition creates an AFF4 image as it has the flexibility required to efficiently image data found on APFS Fusion drives.

When loaded in MacQuisition, the partitions on the physical drives used to create the APFS logical containers will be identified as "APFS Container (Fusion)". The label will also indicate the device MacQuisition assigns to the synthesized APFS container.  The APFS container will indicate the disks and partitions used to create the synthesized container.

To create a physical image of an APFS Fusion device, select the disk that represents the synthesized APFS Container.

Capturing RAM and data collections live on Mojave 10.14

Finally, we've updated our boot options to support Mojave 10.14; examiners can now capture RAM and perform data collections while the Mac is running live.

Need a refresher on how the Apple T2 chip impacts investigators?

Check out our OnDemand webinar Physical Decrypted Images from Macs with the T2 Chip.

BlackBag’s Director of Research Dr. Joe Sylve reviews the impact of these new images, including:

  1. Why these new physical images are better than prior logical imaging techniques
  2. How to image a system with the Apple T2 chip
  3. What changes they can expect when analyzing these new images
  4. Details on the new image format needed to support the Apple T2 chip and APFS Fusion devices

Download The Latest Version of MacQuisition

Leave a Reply

Sorry, you must be logged in to post a comment.