How to Collect Data with MacQuisition Live
So you’ve downloaded MacQuisition Live; let’s take a look at some ways you can use it.
MacQuisition Live provides a mechanism to collect data from remote users in one of the following ways:
- Provide the MacQuisition Live dmg and license information to the person who needs to complete the collection; they can then run it live on any Mac that needs files extracted.
- The examiner can drive the collection by connecting to the Mac remotely to run the MacQuisition software. There are several built-in options on the Mac that allow remote access, for instance Mac Remote Access or Mac Screen Share, as well as commercial remote access tools. For more information on remote access to Mac systems, there are helpful suggestions in this article: https://www.macworld.co.uk/how-to/mac-software/remote-access-mac-3594139/
Once the data is collected on the macOS system, the collection can be transferred via email or a cloud storage solution such as Dropbox. We recommend storing collected data in the logical evidence file format, which preserves key file metadata.
Things to Keep in Mind
If you are having the user of the device collect data, specific instructions must be provided. The scope of the collection should be clearly defined in the instructions sent to the user. Our triage mode allows you to browse file content or search for files based on location, filename, extension, file size, dates, and keywords. MacQuisition also has built-in collection options available in the Collection tab.
In addition to MacQuisition Live, a license file is required. The license file will be saved to any system MacQuisition Live is run on. Both of these must be provided for the user to run the application on their system.
A plan must be in place to transfer the collected data from the device the data was collected on to the people analyzing the collected data.
MacQuisition Live provides a mechanism for eDiscovery data collections, collections related to HR requests, or even to find files that correlate to indicators of compromise when a threat is detected. Let’s walk through how to run MacQuisition Live and then one collection scenario. This scenario can be used as a template for creating a set of instructions for data collection.
How To Run MacQuisition Live
MacQuisition Live is stored in MacQuisition_2020R1.dmg. Open the dmg on the macOS system data will be collected from. A Finder window appears showing the MacQuisition Live application.
Double-click on MacQuisition. The following dialog box appears:
The User Name box contains the user name of the current user account. Type your login password in the Password box. Click Install Helper.
The following dialog box will appear:
Click Enter License Key. In the window that appears, either manually enter the license information or, if a license file has been provided, click Load from File.
Note: You cannot copy and paste the license file information. It must either be manually typed in or loaded from a license file.
Once the license information is entered or loaded from a file, click Enter License. The MacQuisition EULA window will appear. Click Agree.
The following warning dialog box may appear:
MacQuisition Live is now running on the system.
This section provides a sample set of instructions for collecting data that can be sent to users performing the data collection. These instructions should be customized for your collection needs before they are sent. Keep in mind the level of expertise of the collector when creating your own data collection instructions. The instructions should be tested by someone with data collection experience before they are distributed to users who are less familiar with data collection processes. Also remember that running MacQuisition Live will make changes on the system. At the end of this example, possible variations that you can use to customize these instructions are provided.
Example 1 – Collecting Data Based on Keyword
In this example we are going to search for files related to the flamingo project and the octopus project. Specifically, we are looking for documents used on these projects. The target for the collection is the user’s Documents folder.
Step 1 – In MacQuisition, click on the Collection tab. Right-click on the left side of the collection tab and choose Deselect All.
Step 2 – Click on the Search tab.
Step 3 – Use the Location drop-down menu and select your Documents directory.
Step 4 – In the Content section type the keyword “flamingo” and check the Search Documents check box. Click Search.
Step 5 – The results returned are displayed in the middle window. Highlight all of the files in the middle window, right-click and choose Add selected Items to Collection.
Step 6 – Repeat steps 4 and 5 using the second keyword “octopus.”
Step 7 – Click on the Collection tab. The files added to the collection are displayed in the ADDITIONAL FILES section. The total size of the collection is also listed.
Step 8 – Choose a location for the data collection by clicking Set…. In the Select Destination Volume Window, choose the data volume of the device and click Open. In this example, the data volume is named MacSSD – Data.
A Finder window appears. Navigate to the Desktop folder of your user profile, MacSSD/Users/<username>/Desktop. Click Open. The path to your Desktop appears in Destination.
Step 9 – From the drop-down menus select .L01 for Format, and 2GB for Segment Size. Uncheck SHA1. Click Start.
The Activity window appears showing the status of the collection. Once the collection completes, the Finished acquiring data message appears with the collection storage path.
Step 10 – Close MacQuisition. In Finder navigate to the collection folder. Email the entire collection folder to firstname.lastname@example.org.
MacQuisition Live has a myriad of other features that can be used for data collection, so depending on what you are trying to collect, the above instructions can be altered to fit your collection requirements.
In the Search tab, data can be searched for by Location, Name, Extension, File Size, Date(s), and Contents (keyword). You can search for multiple file extensions at the same time by separating the extensions with a colon, for example pdf:png:doc.
The Browser tab can be used to navigate to a specific file path to add items to a collection.
The Collection tab has pre-defined sets of information that you can choose for collection.
Refer to the MacQuisition Quick Start Guide or the MacQuisition User Guide to read more about Live data collection options.
One of the most important steps to refine is Step 10. Keep in mind the amount of data that may be in the collection. Sending large collections by email may not be feasible. Transferring collections via a cloud storage solution such as Dropbox may be a more appropriate option.
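Whichever transfer route you choose for Step 10, the examiner needs a way to confirm that the segments that arrive are the ones that were collected. The following is an added example, not MacQuisition's own code: it hashes every file in the collection folder before it leaves the collecting Mac and re-checks on receipt. The helper names, and the assumption that the folder holds .L01/.L02 segments alongside a manifest.json, are mine.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not MacQuisition code; assumes a folder of .L01/.L02/... segments.

def sha256_file(path: Path) -> str:
    # Stream in 1 MiB chunks so multi-GB segments never sit fully in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(collection_dir: Path) -> dict:
    # Relative path -> SHA-256 for every file except the manifest itself.
    return {str(p.relative_to(collection_dir)): sha256_file(p)
            for p in sorted(collection_dir.rglob("*"))
            if p.is_file() and p.name != "manifest.json"}

def write_manifest(collection_dir: Path) -> Path:
    # Run on the collecting Mac before the folder leaves the machine.
    out = collection_dir / "manifest.json"
    out.write_text(json.dumps(build_manifest(collection_dir), indent=2))
    return out

def verify_manifest(collection_dir: Path) -> dict:
    # Run by the examiner on receipt; an empty dict means every segment is intact.
    expected = json.loads((collection_dir / "manifest.json").read_text())
    actual = build_manifest(collection_dir)
    problems = {}
    for name, digest in expected.items():
        if name not in actual:
            problems[name] = "missing"
        elif actual[name] != digest:
            problems[name] = "hash mismatch"
    for name in actual:
        if name not in expected:
            problems[name] = "unexpected extra file"
    return problems

def demo() -> tuple:
    # Constructed sample collection: two fake segments, then one is altered in transit.
    coll = Path(tempfile.mkdtemp()) / "Collection"
    coll.mkdir()
    (coll / "Collection.L01").write_bytes(b"constructed segment 1")
    (coll / "Collection.L02").write_bytes(b"constructed segment 2")
    write_manifest(coll)
    clean = verify_manifest(coll)
    (coll / "Collection.L02").write_bytes(b"constructed segment 2 altered")
    return clean, verify_manifest(coll)
```

Send the manifest.json by a separate channel from the collection itself so that a damaged or substituted upload cannot also carry a matching manifest.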