MacQuisition: Taking Away the Guess Work
By: Justin Matsuhara, Team Lead, Solutions Engineer & Stephanie Thompson, Solutions Engineer
Depending on the digital forensic imaging tool you have available, creating a forensic image of a Mac computer can be either an anxiety-inducing situation or as easy as “1-2-3-START”. There are several things you must identify before attempting a full disk image of the system. Below are things to consider:
- Type of Mac computer
- Identify the serial number / model number
- Identify if the Mac is installed with a T2 security chip
- Are SecureBoot settings enabled to prevent booting from external media?
- What file system (HFS+ vs APFS) is currently running on the source Mac?
- Is FileVault2 enabled on the source Mac?
- Do you have the password or Recovery Key available?
- Do you need a logical or physical acquisition of the Mac?
- Has the owner of the Mac enabled a firmware password on the system?
- Is the Mac installed with a fusion drive?
- Do you need a RAM image?
Having the answers to the above questions is imperative. MacQuisition, BlackBag Technologies’ premier imaging tool for Mac computers, can help you answer some of those questions. MacQuisition can identify whether the Mac has a T2 security chip installed, what file system is currently running, whether FileVault2 is enabled, and whether a firmware password has been set.
Acquiring live vs “cold box”
The days of simply shutting off a computer to collect a forensic image are long gone, especially when you encounter a Mac. With the increased use of FileVault2 encryption, an examiner must acquire as much logical data from a live Mac as possible, because it may be the only time that data is accessible. Running MacQuisition on a live system will immediately identify the presence of FileVault2 encryption. Once it is identified, the examiner should immediately acquire logical data, especially if the FileVault2 password or Recovery Key is unknown.
Live collection how-to: acquiring logical data
When the MacQuisition dongle is plugged into a running target machine, multiple volumes will appear on the desktop (the number of volumes depends on what version of macOS is running on the target machine). There are two volumes of interest on the MacQuisition dongle for a live collection. The ‘Application’ volume stores the application and will be used to start MacQuisition. The ‘MQData’ volume is a storage location on the dongle where acquired data can be saved. The examiner has the option to save data to another external device as well.
To begin a live acquisition, the examiner navigates to the ‘Application’ volume and clicks on ‘MacQuisition’. The user will be prompted for the admin password at this time and can enter it here if it is known. If the admin password is not known, the prompt below will be displayed, and the user can choose to run restricted.
Next the user will see a pop-up regarding FileVault 2, if FileVault 2 is detected by MacQuisition.
Once ‘Continue’ is clicked, the user will see the main display for MacQuisition and can enter all the relevant case information as well as change the time zone used for the logs and reports.
From here, you can select whether to do a ‘Data Collection’ (which exports specific folders and files into a folder or sparse image) or image the device. Below is the screenshot for Data Collection:
There are several locations pre-defined within MacQuisition that are already selected, and the user can simply check or uncheck areas they would like to export. There is also a button on the bottom right-hand side to ‘Select Files’ should the user want to select a location not already included.
If ‘Image Device’ is selected at the top, the user will see a screen that looks like this:
Physical disks are displayed, and MacQuisition shows APFS containers as well as encrypted volumes (and whether they are unlocked). Select the disk to image, and choose the appropriate image format, image segment size, and acquisition hashes. Here are the file formats and segment sizes available to choose from:
*Note: If acquiring a physical image of a T2 chip system, the output format is restricted to AFF4.
Click the plus sign under destination to pick the acquisition storage location.
To acquire RAM from the live Mac, root access is necessary. If the Mac is logged in under “guest” privileges, acquire RAM from a “cold box” state.
Cold box acquisition
Obviously, a full physical acquisition of the source Mac’s hard drive(s) is preferred by most examiners and provides the most data, including APFS snapshots. There are two methods an examiner can use to perform such an acquisition. The first is a controlled boot (Startup Manager), accomplished by pressing the POWER key while holding down the Option/Alt key, then selecting the appropriate version to run depending on the source Mac’s architecture. The second is acquiring the source Mac while it is in Target Disk Mode (TDM). This method is recommended for Mac computers with the T2 security chip and allows the examiner to obtain a physical image without modifying the SecureBoot settings. The source Mac (in TDM) is attached through a write-blocker (hardware or software) to the examiner’s forensic Mac. Run MacQuisition from the examiner’s forensic Mac and follow the same process described under the live collection how-to.
In either of the above methods, if a firmware password has been enabled on the computer, it will be identified at this stage by a “padlock” icon. If the computer is protected with a firmware password, Apple must be served with legal process to circumvent it. In a corporate environment, the IT department that owns the computer may have a record of it and should be contacted. This holds true for Recovery Keys as well, since most corporate IT departments keep records of Recovery Keys for systems issued to their employees.
Obtaining the firmware password, FileVault2 password or Recovery Key is imperative. But when will you need it? Below is a quick reference chart:
FileVault2 password/Recovery Key reference chart:
If a firmware password is enabled on a Mac, an examiner must first use the password to unlock it, or no imaging can occur.
Note: On systems with Bootcamp and Fusion or a T2 chip, the Bootcamp partition must be acquired separately from the APFS container.
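As an added example (not part of this article or of MacQuisition), the pre-imaging checklist at the top of the page and the firmware-password, FileVault2 and T2 rules from the cold box section can be scripted into a triage run on the live Mac before the dongle is plugged in; the macOS commands it calls are real, but the exact output strings the parsers match are assumptions based on recent macOS releases, so the parsers take command output as text and can be exercised offline with constructed samples.

```shell
#!/bin/sh
# Pre-acquisition triage for a live Mac: added example, not MacQuisition code. Parsers take
# one command's output as text (formats assumed from recent macOS) so they run offline too.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# `system_profiler SPiBridgeDataType` shows "Model Name: Apple T2 Security Chip" on T2 Macs
has_t2() {
  case "$1" in
    *"Apple T2 Security Chip"*) echo yes ;;
    *)                          echo no ;;
  esac
}

# `diskutil info /` reports the root filesystem as "Type (Bundle): apfs" or "hfs"
root_fs() {
  printf '%s\n' "$1" | awk -F': *' '/Type \(Bundle\)/ { print $2; exit }'
}

# `firmwarepasswd -check` (root required) prints "Password Enabled: Yes" or "No"
firmware_pw() {
  case "$1" in
    *"Password Enabled: Yes"*) echo yes ;;
    *"Password Enabled: No"*)  echo no ;;
    *)                         echo unknown ;;
  esac
}

# Map the answers to the plan in the article: FileVault2 on -> live logical data first;
# T2 -> Target Disk Mode with AFF4 output; firmware password -> no imaging until unlocked.
plan() {
  out=""
  if [ "$1" = on ]; then out="${out}live-logical-first "; fi
  if [ "$2" = yes ]; then out="${out}tdm-aff4 "; else out="${out}startup-manager-or-tdm "; fi
  if [ "$3" = yes ]; then out="${out}firmware-password-required "; fi
  printf '%s\n' "${out% }"
}

# On a real Mac, feed the live command output to the parsers and print the plan.
if [ "$(uname -s)" = Darwin ]; then
  fv=$(filevault_state "$(fdesetup status 2>/dev/null)"); t2=$(has_t2 "$(system_profiler SPiBridgeDataType 2>/dev/null)")
  fw=$(firmware_pw "$(firmwarepasswd -check 2>/dev/null)"); fs=$(root_fs "$(diskutil info / 2>/dev/null)")
  echo "FileVault2=$fv T2=$t2 rootfs=$fs firmware_pw=$fw"; plan "$fv" "$t2" "$fw"
fi
```

Run it as root on the live Mac so `firmwarepasswd -check` can answer; the printed plan tells the responder whether logical data must be pulled live before anything else.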
Once an examiner has decided what method to use to acquire the source Mac (control boot or Target Disk Mode), as well as what to collect (logical or physical images), the next step is to determine where to send the acquisition/image and what filesystem to use for storage.
It is always recommended to stay with the native filesystem of the system you are imaging, but there are situations where the examiner may choose to analyze the acquired Mac data on a Windows-based system. For physical images, BlackBag Technologies incorporated Paragon© drivers to allow output to NTFS. Although MacQuisition supports output to exFAT volumes, it is not recommended due to the instability of the drivers used to create them, especially on a Mac. Improperly ejecting the external drive can corrupt the filesystem, leaving the examiner with an unusable/unrecoverable image file.
“At BlackBag we are always looking ahead to how we can enable investigators to make informed decisions with the time and resources available to them. With MacQuisition, we are exploring how we can let on site personnel view additional relevant content quickly, before even a full image, to make sure they are focused on high value devices. By giving investigators more information and insights earlier in the collection process MacQuisition will save customers time and meet changing legal requirements.”