Examining Mac Data from Hardware With the Apple T2 Chip
Apple grabbed the attention of forensic examiners everywhere when it released hardware with the new T2 chip in December 2017. Many examiners are asking, “How does the T2 chip impact examining data from this new hardware?”
At the time of this article, the T2 chip is included in the iMac Pro and most 2018 MacBook Pro models. This Apple Support page provides the list of Macs with the Apple T2 chip.
After conducting tests with the new hardware, we discovered two primary issues that can impact a forensic examination: the Secure Boot feature and built-in SSD encryption.
Issue 1: Secure Boot
With the introduction of the T2 chip, Apple added the Secure Boot feature, ensuring only a legitimate and trusted operating system can load at startup. By default, Mac hardware with the T2 chip ships from Apple with the “Full Security” Secure Boot setting and disallows booting from external media.
This means that in order to boot from an external device such as MacQuisition or another imaging tool, the Secure Boot settings must be switched to “Allow booting from external media” and “No Security”. Switching these settings requires using the Startup Security Utility and entering an admin account password. Instructions can be found on Apple’s site here and here.
If the admin password is unknown, the examiner is limited to:
- Conducting a logical Data Collection while the source Mac is running live and logged into a user account.
- Placing the source Mac into Target Disk Mode, attaching it to another Mac (the host), and then conducting a logical Data Collection.
Issue 2: Built-in SSD Encryption
Mac hardware that has the Apple T2 chip integrates security into both software and hardware to provide encrypted-storage capabilities. Apple explains more here.
For forensic examiners, this means the T2 chip from the original hardware is needed to decrypt the data, which impacts examining a physical image. A physical image of the SSD from a Mac with a T2 chip carries encryption that is different from FileVault 2 encryption. Because the data in a physical image is outside of its original hardware, the T2 chip’s built-in encryption cannot be removed, and the image cannot be decrypted. At this time, this forces examiners to conduct logical acquisitions of Macs with the Apple T2 chip while the data is in a decrypted state.
In addition to the physical disk being encrypted by default, a user can opt to add another level of protection by turning on FileVault 2 encryption. This requires the examiner to unlock FileVault 2 first, using original hardware, in order for its T2 chip to decrypt the data.
Don’t worry, we’ve got you covered! MacQuisition 2018 R1 and newer supports logical Data Collections of Mac computers with the Apple T2 chip. A MacQuisition user can conduct a Data Collection in the following states:
- While the Mac is running live, the data is in a decrypted state and can be collected to a folder on a destination drive, a sparse image, or a DMG. We recommend formatting the drive/image as APFS or HFS+ to preserve the most metadata.
- If the Secure Boot setting allows booting from external media, then boot to MacQuisition and logically collect the decrypted data. Note: if FileVault 2 is enabled, the password or recovery key will need to be entered to decrypt the additional encryption before collecting the data.
- If the Secure Boot setting does not allow booting from external media, or you are acquiring the latest MacBook Pro, then place the Mac in Target Disk Mode. Attach the source Mac, while in Target Disk Mode, to a host Mac that can be booted to MacQuisition and perform the Data Collection using the host Mac. Note: the host Mac will need either a USB 3.0 port, a USB-C port, a Thunderbolt 2 port, or a Thunderbolt 3 port to be compatible with Target Disk Mode on the newer Macs. Be prepared to unlock FileVault 2 on the source Mac if it is enabled.
MacQuisition version 2018 R1 and newer supports booting to the iMac Pro models when the Secure Boot setting is switched to allow booting from external media. The upcoming version 2018 R2 will support booting to the new 2018 MacBook Pro models, provided the Secure Boot setting has also been switched.
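As an added illustration (not code from this article or from MacQuisition), the shell script below triages a live Mac before a logical collection: it detects the T2 chip and the FileVault state, maps those findings onto the collection routes described above, and builds the hdiutil command for an APFS sparse-image destination. It assumes, beyond what the article states, that `system_profiler SPiBridgeDataType` names the controller "Apple T2 Security Chip" and that `fdesetup status` prints "FileVault is On." or "FileVault is Off."; the only assumed values are the hypothetical 1t image size and the volume name Evidence.

```shell
#!/bin/sh
# Pre-acquisition triage for a Mac with the T2 chip (added example, not the
# article's or MacQuisition's own code). Assumptions not stated in the article:
# `system_profiler SPiBridgeDataType` names the controller "Apple T2 Security
# Chip" and `fdesetup status` prints "FileVault is On." / "FileVault is Off.".

# has_t2 TEXT: succeeds when system_profiler output names the T2 chip.
has_t2() { printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'; }

# filevault_on TEXT: succeeds when fdesetup output reports FileVault enabled.
filevault_on() { printf '%s\n' "$1" | grep -q '^FileVault is On'; }

# collection_route T2 LIVE EXTBOOT FV: print which logical route from the
# article applies (each argument is yes/no). The :unlock-filevault suffix
# flags that the FileVault 2 password or recovery key is needed first; a
# live, logged-in session already has the data decrypted, so no suffix.
collection_route() {
    t2=$1 live=$2 extboot=$3 fv=$4
    [ "$t2" = yes ] || { echo "no-t2"; return; }
    if [ "$live" = yes ]; then route=live-logical
    elif [ "$extboot" = yes ]; then route=boot-external-logical
    else route=target-disk-mode-logical
    fi
    [ "$live" = no ] && [ "$fv" = yes ] && route="$route:unlock-filevault"
    echo "$route"
}

# sparse_image_cmd SIZE NAME: build the hdiutil command that creates an APFS
# sparse image, one of the destination types the article recommends.
sparse_image_cmd() {
    echo "hdiutil create -size $1 -type SPARSE -fs APFS -volname Evidence $2.sparseimage"
}

# Run the live triage only on macOS when invoked as "triage"; the functions
# above are pure string handling and can be exercised anywhere.
if [ "$(uname 2>/dev/null)" = Darwin ] && [ "${1:-}" = triage ]; then
    sp=$(system_profiler SPiBridgeDataType 2>/dev/null)
    fvtext=$(fdesetup status 2>/dev/null)
    has_t2 "$sp" && t2=yes || t2=no
    filevault_on "$fvtext" && fv=yes || fv=no
    echo "T2: $t2  FileVault: $fv  route: $(collection_route "$t2" yes no "$fv")"
    echo "Destination image: $(sparse_image_cmd 1t evidence)"   # hypothetical size/name
fi
```

Record the printed triage line in your notes before collecting, since the route and the FileVault state determine whether the original hardware must stay involved.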
For more information about Apple hardware and Apple’s new file system (APFS), BlackBag has added the latest research and discoveries in both Essential Forensics Techniques Courses. We encourage examiners to attend at least one of these courses to better understand examining Mac and iOS data.
For additional questions, contact email@example.com.
In Case You Missed It:
Ask the Expert: The Importance of APFS Snapshots in Investigations
Our latest webinar on APFS Snapshots is now available to view on demand. In this webinar, Dr. Joe T. Sylve, Director of Research and Development at BlackBag, shows you how to go back in time to review what happened on an APFS volume. Dr. Sylve discusses details of the snapshot functionality built into APFS, why snapshots will be useful in your investigations and how you will be able to take advantage of snapshots in upcoming BlackLight releases.
If your tool of choice is not parsing APFS snapshots, then you may be missing data.