Press Room

BlackBag’s MacQuisition 2019 R1: Decrypt Physical Images From Macs With T2 Chips

BlackBag Technologies is proud to announce the release of the first and only solution to produce a decrypted physical image of the latest Mac systems utilizing the Apple T2 chip in MacQuisition 2019 R1.

San Jose, CA – May 9, 2019 – MacQuisition 2019 R1 also includes several exciting updates to support the latest Mac systems you may encounter in the field. Prior logical imaging solutions, including functionality available in the earlier versions of BlackBag’s own MacQuisition tool and competing solutions like Sumuri Recon and EnCase, miss critical file system information that only this new level of physical access will be able to provide. To enhance our forensic Mac imaging tool further, we’ve included the following new features:

– Ability to create physical images of Macs with the Apple T2 chip
– Support for imaging APFS Fusion drives
– Capture RAM and targeted collections live on Mojave
– Support added to boot newer hardware

New Feature Highlights

1. Imaging Devices with T2 Chips

Starting in 2017, Mac computers have Apple’s T2 security chip providing hardware-assisted encryption for data stored on the system. In these systems the Apple T2 chip is tightly integrated with the disk controller and contain unique encryption keys. By default, all APFS volumes that contain user data on T2 protected systems are encrypted. The only way to decrypt the data is to use information embedded in the specific T2 chip that protected that disk, no other T2 chip will work. Currently, it is not possible to extract encryption keys from the T2 chip. If the T2 chip is damaged, data can never be recovered from the drive.

The encryption provided by the T2 chip works in conjunction with FileVault 2. When FileVault 2 is enabled, the Recovery Key or password from any of the user accounts on the system is required at acquisition time to decrypt the data.

MacQuisition 2019 R1 is the only solution that interfaces with the T2 chip to decrypt the filesystem at collection time, providing a decrypted physical image. Since the T2 chip is responsible for all encryption all data must be decrypted during acquisition; it is not possible to decrypt the data at analysis time. While BlackBag is in the process of developing a methodology to decrypt unallocated space from T2 systems, that functionality is not yet available. To save time, since the unallocated space cannot be decrypted, there is an option to skip imaging unallocated space.

When a T2 system is booted or attached in target disk mode, MacQuisition identifies the disk controlled by the T2 device with the label APFS Container (T2).

If the physical disk is imaged, disk0 in the example shown above, the resulting image would be encrypted. The information needed for decryption is resident on the T2 chip and the decryption must occur during acquisition. For MacQuisition to decrypt the data, the synthesized APFS container needs to be imaged. If the physical disk contains other volumes, such as a Bootcamp volume, they must be imaged separately.

As the APFS Container on the T2 system is acquired, MacQuisition interfaces with the T2 chip to decrypt the T2-protected data creating a decrypted physical image. Pre-image hashing would not be valid as the data is decrypted during the acquisition process. In order to create the physical image, MacQuisition creates an image using the open standard Advanced Forensic File Format (AFF4) image format. AFF4, supported by a number of popular forensic tools including BlackLight, provides modern compression algorithms and the flexibility required to efficiently image non-linear data, the APFS container, while optionally skipping data that cannot be decrypted, such as the unallocated space.

2. Imaging APFS Fusion Drives

With the release of macOS 10.14 (Mojave), Apple provided an implementation for APFS Fusion. In macOS 10.14 (Mojave), the APFS logical container pool may consist of blocks that span across multiple physical volumes. APFS logical containers allow all volumes in the container to share a common pool of extents, data from all volumes is interspersed and volumes are not contiguous. This necessitates an imaging tool that is able to handle imaging more complex volume and drive structures. Since synthesized APFS containers do not have a limit on the size or location of the volumes within it, creating a bit-by-bit physical image is not realistic.

Versions of MacQuisition prior to 2019R1 allowed the acquisition of logical files only from APFS Fusion drives, copying files from the APFS container. Only information available via the file system interfaces was available. MacQuisition 2019R1 performs a physical acquisition that attempts to collect data as it exists on the disks including data not available via the file system interfaces providing more options for analysis and recovery of historical or deleted data.

In order to image these new APFS containers on Fusion drives, MacQuisition creates an image using the open standard Advanced Forensic File Format (AFF4) image format. AFF4 is supported by a number of popular forensic tools, including BlackLight, provides modern compression algorithms and the flexibility required to efficiently image non-linear data found on APFS Fusion drives. When loaded in MacQuisition, the partitions on the physical drives used to create the APFS logical containers will be identified as APFS Container (Fusion). The label will also indicate the disk MacQuisition assigns to the synthesized APFS container. The APFS container will indicate the disks and partitions used to create the synthesized container. To create a physical image of an APFS Fusion device, select the disk that represents the synthesized APFS Container.

3. Additional APFS Imaging Options

Examiners are increasingly encountering Apple File System (APFS) formatted Mac computers with FileVault 2 encryption. MacQuisition 2019R1 provides the capabilities to either acquire the encrypted data or now the decrypt the data at the time of acquisition.

4. Capturing RAM and Data Collections Live on Mojave 10.14

MacQuisition 2019R1 has been updated to support Mojave 10.14; examiners can capture RAM and perform data collections while the Mac is running live. The Data Collection pre-selected categories are also improved to better support the files on Mojave.

As always, BlackBag recommends users update to the latest version, to ensure the software is functioning properly and has all available fixes. Update to the latest release here or visit BlackBag’s blog to learn more. To learn more about MacQuisition, request a quote, request a trial, or renew your license, click here.

About BlackBag Technologies:
BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with both criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com. Media inquiries should be sent to Julie O’Shea, Manager, Global Marketing, at marketing@blackbagtech.com.

BlackBag PR

BlackBag offers innovative forensic acquisition and analysis tools for both Windows and macOS based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants. For the latest company press releases please visit our Press Room blackbagtech.com/press/. Media inquiries should be sent to Julie O’Shea, Manager, Global Marketing, at marketing@blackbagtech.com
BlackBag PR