Why Acquire T2 Macs with MacQuisition?
What is Missing from Logical Acquisitions?
By: Tim Thorne, Solutions Engineer
Over the past couple of weeks, I have attended several international events and customer meetings where we hear the same thing over and over – people still believe that the ‘logical imaging’ of T2 chip Macs “is as good as it needs to be!”
This is simply not true. All of us who value acquiring the most forensically sound data should always seek a physical decrypted image from Apple's post-2017 Macs.
If you do not use the latest version of BlackBag’s MacQuisition you will miss a great deal of potential evidence. The Mac file system is built to protect data; it is not willing or able to give you all of the data that resides on the disk. Since the creation of a logical image relies on the file system, data will be missed.
This data may include the following:
- Data from the APFS ‘Free Queue’: These are allocated blocks on the drive that are not referenced in the file system, therefore they will not be acquired as part of a logical acquisition. Hundreds of files can be recovered from the Free Queue.
- ‘Dataless Snapshots’: APFS uses backups, similar to Volume Shadow Copies in Windows, known as ‘APFS Snapshots.’ What is not so well known is that these can sometimes be un-mountable ‘Dataless Snapshots’ that are not given up by APFS as part of a logical acquisition. Testing at BlackBag has proven that thousands of unique files can be recovered from the erroneously named ‘Dataless Snapshots,’ including entire iPhone Backups.
- Data stored in unallocated space: If you have a user that has decided that T2 chip encryption is sufficient and has turned off FileVault 2, data from the unallocated space, known as Shared Pooled Space within the APFS container, may be recoverable even on SSD drives with TRIM enabled. This data will not be acquired as part of any logical imaging process.
- Data in File Slack: File Slack can still contain data relevant to an investigation. There are tools available that enable users to hide data between the end of a file and the end of the file’s allocated blocks. Once again, if you have only managed to create a logical acquisition of data from a T2 chip Mac, you will not get this data.
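To make the file slack point concrete, here is an added example (not BlackBag's code and not how MacQuisition works internally) that compares what a logical read returns with what a physical image holds for the same file. The image, the extent table and the file names are constructed for illustration and are not real APFS structures; 4096 bytes is the default APFS block size.

```python
BLOCK = 4096  # default APFS block size

def build_image():
    """Construct a 4-block 'physical image' holding two files (sample data)."""
    img = bytearray(BLOCK * 4)
    a = b"quarterly report\n" * 300            # 5100 bytes, spans two blocks
    img[0:len(a)] = a
    hidden = b"residue-in-slack-of-a..."       # constructed bytes left in slack
    img[BLOCK * 2 - len(hidden):BLOCK * 2] = hidden
    b = b"notes"
    img[BLOCK * 2:BLOCK * 2 + len(b)] = b
    # Hypothetical extent table: name -> (first block, block count, logical size)
    extents = {"a.txt": (0, 2, len(a)), "b.txt": (2, 1, len(b))}
    return bytes(img), extents

def logical_read(img, extents, name):
    """What a file-system-level (logical) copy returns: bytes up to logical size."""
    first, _count, size = extents[name]
    return img[first * BLOCK:first * BLOCK + size]

def slack(img, extents, name):
    """Bytes between the logical end of the file and the end of its last block."""
    first, count, size = extents[name]
    return img[first * BLOCK + size:(first + count) * BLOCK]

def files_with_nonzero_slack(img, extents):
    """Map each file whose slack is not all zeros to the residue found there."""
    hits = {}
    for name in extents:
        residue = slack(img, extents, name).strip(b"\x00")
        if residue:
            hits[name] = residue
    return hits

if __name__ == "__main__":
    img, ext = build_image()
    for name, residue in files_with_nonzero_slack(img, ext).items():
        in_logical = residue in logical_read(img, ext, name)
        print(f"{name}: {len(slack(img, ext, name))} slack bytes, "
              f"residue={residue!r}, visible in logical copy={in_logical}")
```
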
MacQuisition allows you to obtain a physical decrypted image, the most comprehensive acquisition available for T2 Mac computers. Prior to the release of MacQuisition 2019 R1, logical acquisitions were the only option. The data listed above, which potentially contains relevant information, could not be acquired. A physical decrypted image acquired using MacQuisition collects this data. If you need more information or training on how to use MacQuisition, contact us at Sales@BlackBagTech.com.