MacQuisition Will Decrypt Physical Images From Macs With T2 Chip

We’re extremely proud to announce that our Mac forensic tool, MacQuisition, will be the first and only solution to produce a decrypted physical image of Apple’s latest Mac systems utilizing the T2 chip.

This essential imaging functionality will be available in the upcoming MacQuisition 2019 R1 release and the output will be seamlessly ingested for analysis by BlackLight 2019 R1.

The logical imaging solutions currently on the market, including functionality offered in the previous version of MacQuisition, and competing solutions like Sumuri’s Recon and OpenText’s EnCase, miss critical file system information that only this new level of physical access will be able to deliver.

Every Mac computer, starting in late 2017, relies on Apple’s T2 security chip to offer hardware-assisted encryption for data stored on the system. Apple’s T2 encryption methodology is unique to each Mac, and critical data can only be decrypted using the keys stored in that system’s T2 chip. Although it is infeasible to extract the encryption keys from the T2 chip at the moment, BlackBag has built the only solution that works with the chip to decrypt the filesystem at collection time, empowering examiners to capture the entire physical blocks that hold vital information and not just logical files.

In addition, unlike other products that need admin credentials just to obtain logical data, BlackBag can do this without the user’s credentials or a recovery key (credentials are only required if the additional security of FileVault protection is also enabled on the system).

Derrick Donnelly, BlackBag’s Chief Scientist and co-founder, explains, “Last year we were the first to provide a complete solution for Apple’s APFS, and now we are first again at updating our tools to fully support the latest hardware from Apple. I am so proud and excited that our customers can rely on BlackBag to provide leading solutions to handle the ever-changing complexities introduced by encryption, especially for Mac.”

As we prepare to release MacQuisition 2019 R1 and BlackLight 2019 R1, investigators will be able to gather all the data exactly as it is stored on the file system, not just what is gathered by completing a logical acquisition through other tools.

BlackBag’s Director of Research, Dr. Joe Sylve, further explains, “These physical images will include file system level artifacts, like APFS Snapshots and extended attributes, that can show details unavailable to investigators since this new hardware has been introduced.”

As Microsoft and Apple both continue to update their systems, BlackBag will continue to deliver investigators the vital tools they need to reveal the truth in both Windows and Mac OS.

Questions? Contact us at 855-844-8890 or email

Learn More

To learn more about this topic, view our on-demand webinar “Physical Decrypted Images from Macs with the T2 Chip”, where BlackBag’s Director of Research, Dr. Joe Sylve, covers:

  1. Why these new physical images are better than prior logical imaging techniques
  2. How to image a system with the T2 chip
  3. What changes they can expect when analyzing these new images
  4. Details on the AFF4 open standard image format needed to support T2 chip and APFS Fusion devices

BlackBag Team