Triaging with MacQuisition
Today’s investigations often involve multiple machines and devices. It can be time consuming to image and process several computers, external hard drives, and other media when there is no guarantee data of relevance will be located on these devices. Imaging multiple macOS computers and external media devices that may or may not contain data relevant to an investigation can waste time, storage space, and other resources. MacQuisition triage capabilities provide access to a new methodology that can decrease the number of devices you need to acquire while increasing your overall efficiency.
With the release of MacQuisition 2020 R1, BlackBag provides the capability to browse and search through data, preview file contents on macOS systems and other data devices, all before any data is collected or devices are imaged. This can be done using MacQuisition on a live system or with a macOS system booted into MacQuisition’s boot environment. The new MacQuisition interface provides two new views to triage data on devices: Browser and Search.
Click on the Browser tab. The left side of the window lists the volumes attached. The right side of the window contains the preview pane and an area to display file metadata. The Browser view allows you to manually navigate through the files and folders, previewing the contents as you explore.
You may notice two listings in Browser for the APFS boot volume of a macOS system. This will be seen on all macOS systems updated to 10.15 (Catalina). Apple separated the boot volume into two areas, a read-only volume for the OS to run in, and a separate volume for all other files. While this is apparent in Disk Utility and MacQuisition (Browser, Search, Collection, and Image views), it appears as one volume to system users. The volume names follow a pattern. The read-only portion maintains the original volume name, the second volume has the same name with “ – Data” appended. In Browser, this second volume appears with the label Data. User files are available on both volumes via MacQuisition.
Click on the Search tab. The left side of the window displays various search criteria available to find data of interest. You can filter files or search by keyword. The middle of the window displays the results of the search, and the right side displays the preview pane and an area to display file metadata.
So, let’s look at the search criteria available.
You can select the location you wish to search via one of the pre-populated entries in the location drop-down menu, or use the Select Other… option at the bottom of the drop-down.
As you can see, in Search the two macOS system volumes are displayed a little bit differently than in Browser. The read-only volume is listed as / (Volume Name), while the Data volume is listed as /System/Volumes/Data. The location defaults to / (Volume Name), which searches the entire macOS boot volume.
Other Search Filters
The other search filters are pretty self-explanatory. The options are Name (file name), Extension, File Size, and Date. Additional specifications available for each of these filters are as follows:
- Name: contains, does not contain, exact match
- Extension: is, is not
- File Size: greater than, less than, between
- Date: date created, date modified, date accessed; each with is between, is before, is after, is exactly
Search by Keyword
The last option is to search using a keyword, which can be especially useful. Type the keyword in the Content section. MacQuisition presents the option to Search Binary Files or Search Documents. Locating files containing terms relevant to your investigation has never been easier.
Note: At this time, MacQuisition only allows searching for non-English characters when running on a live system in restricted mode.
Putting it Together
Adding further refinement, using various combinations of search criteria, you can easily determine if there are files present pertinent to your investigation.
For example, if you want to find screen shots created on a macOS system, search for the following:
Below is a sample of results returned from this search:
Combining a keyword with more complex filters allows you to quickly determine if relevant files are located on a system or device.
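To make the AND-combination of Search criteria concrete, here is an added Python approximation (not MacQuisition or BlackBag code) of the filters described above, run over a constructed sample directory tree; `triage_search`, `build_sample_tree`, the NUL-byte test used to stand in for the Search Documents vs. Search Binary Files choice, and all file names and contents are assumptions for illustration.

```python
import tempfile
from datetime import datetime
from pathlib import Path

def triage_search(root, name_contains=None, ext_is=None, size_between=None,
                  modified_after=None, keyword=None, search_binary=False):
    """Return paths under `root` matching every filter that is set (AND).

    Hypothetical helper mirroring the Search-view criteria: Name contains,
    Extension is, File Size between, Date modified is after, Content keyword.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if name_contains and name_contains not in path.name:
            continue
        if ext_is and path.suffix.lower() != "." + ext_is.lower().lstrip("."):
            continue
        st = path.stat()
        if size_between and not (size_between[0] <= st.st_size <= size_between[1]):
            continue
        if modified_after and datetime.fromtimestamp(st.st_mtime) <= modified_after:
            continue
        if keyword:
            data = path.read_bytes()
            # Stand-in for "Search Documents": a NUL byte marks a file as binary
            if not search_binary and b"\x00" in data:
                continue
            if keyword.encode() not in data:
                continue
        hits.append(str(path.relative_to(root)))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample volume: two screenshots, a note, a PDF, a photo."""
    root = tempfile.mkdtemp(prefix="triage_")
    files = {
        "Users/alice/Desktop/Screen Shot 2020-03-01 at 9.15.02 AM.png": b"\x89PNG\x00fake",
        "Users/alice/Desktop/Screen Shot 2020-03-02 at 1.00.00 PM.png": b"\x89PNG\x00fake2",
        "Users/alice/Documents/notes.txt": b"meeting about project hummingbird",
        "Users/alice/Documents/report.pdf": b"%PDF-1.4 hummingbird\x00\xff",
        "Users/alice/Pictures/holiday.png": b"\x89PNG\x00vacation",
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    # The screenshot example from the text: Name contains "Screen Shot", Extension is png
    print(triage_search(root, name_contains="Screen Shot", ext_is="png"))
    print(triage_search(root, keyword="hummingbird"))                      # documents only
    print(triage_search(root, keyword="hummingbird", search_binary=True))  # binaries too
```

Note that the keyword filter reads every candidate file, which on a live system is exactly the kind of access that alters access times, as the section below on changes to live systems warns.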
Things to Remember
There are a couple of things you need to keep in mind as you use the triage features. The first is very important: when using MacQuisition on a live system, changes will be made to the system. As more features are used (Browser, Search, and previewing), more changes are made to the live system. See Appendix B – Changes to Live Systems in the MacQuisition User Guide for more information.
The second concern is FileVault 2. The triaging features will work on a system booted with MacQuisition, but if FileVault 2 is enabled on a system, the proper credentials (a user login password or the FileVault Recovery Key) are required to unlock the data. Without these credentials you will be unable to view any data from the system. Whenever you encounter a macOS computer still running, determining if FileVault 2 is enabled should be one of the first steps. After the Mac is powered off, you may never get access to the data again.
Now That I Found It, What Do I Do With It?
So, you’ve browsed, searched and previewed files on the system, or other connected media, and found data that is indeed important to your investigation. The next thing to do is collect the data. You have a couple of options, and if you are looking at a system where FileVault 2 is enabled, collecting the data from the live system should be seriously considered. So, here are the options:
- As you find data of relevance, add items to the Collection. Then perform a live collection of data from the Collection view.
- Image the entire device:
- For connected media, image the device.
- For a macOS system, shutdown the system and image the entire device from the MacQuisition boot environment.
Adding items to the Collection is a straightforward process in both the Browser and Search views. Highlight the relevant items, right-click (control-click) and choose Add Selected Items to Collection.
Click on the Collection tab. Items added to the collection from Browser and Search appear in the Additional Files section.