How To Acquire Data From A Mac Using MacQuisition

Written by:
Justin Matsuhara, Solutions Engineer, BlackBag Technologies
Stephanie Thompson, Solutions Engineer, BlackBag Technologies

Depending on the digital forensic imaging tool you have available, creating a forensic image of a Mac computer can be either an anxiety-creating situation, or as easy as “1-2-3-START”.  There are several things you must identify ahead of attempting a full disk image of the system. Below are some things to consider:

  1. Type of Mac computer: Identify the serial number / model number; identify if the Mac is installed with a T2 security chip. Are SecureBoot settings enabled to prevent booting from external media?
  2. What file system (HFS+ vs APFS) is currently running on the source Mac?
  3. Is FileVault2 enabled on the source Mac? Do you have the password or Recovery Key available?
  4. Do you need a logical or physical acquisition of the Mac?
  5. Has the owner of the Mac enabled a firmware password on the system?
  6. Is the Mac installed with a fusion drive?
  7. Do you need a RAM image?

Having the answers to the above questions is imperative.  MacQuisition, BlackBag Technologies’ premier imaging tool for Mac computers, can help you answer some of those questions.  MacQuisition can identify if the Mac has a T2 security chip installed, what file system is currently running, if FileVault2 is enabled, and if a firmware password has been enabled.

Acquiring live vs “cold box”

The days of simply shutting off a computer to collect a forensic image are long gone, especially when you encounter a Mac.  With the increased use of FileVault2 encryption, an examiner must acquire as much logical data on a live Mac as possible because it may be the only time that particular data is accessible.  Running MacQuisition on a live system will immediately identify the presence of FileVault2 encryption. Once identified, an examiner would want to immediately acquire logical data, especially if the FileVault2 password or Recovery Key is unknown.

Live collection: How to to acquire logical data

When the MacQuisition dongle is plugged into a running target machine, multiple volumes will appear on the desktop (the number of volumes depends on what version of macOS is running on the target machine).  There are two volumes of interest on the MacQuisition dongle for a live collection. The ‘Application’ volume stores the application and will be used to start MacQuisition. The ‘MQData’ volume is a storage location on the dongle where acquired data can be saved.  The examiner has the option to save data to another external device as well.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

To begin a live acquisition, the examiner navigates to the ‘Application’ volume and clicks on ‘MacQuisition’.  The user will be prompted for the admin password at this time and can enter it here if it is known. If the admin password is not known the below prompt will be displayed, and the user can choose to run restricted.

Next the user will see a pop-up regarding FileVault2, if it is detected by MacQuisition.

Once ‘Continue’ is clicked, the user will see the main display for MacQuisition and can enter all the relevant case information as well as change the time zone used for the logs and reports.

From here, you can select whether to do a ‘Data Collection’ (which will export specific folders and file into a folder or sparse image), or image the device.  Below is a screenshot for Data Collection:

There are several locations pre-defined within MacQuisition that are already selected, and the user can simply check or uncheck areas they would like to export.  There is also a button on the bottom left-hand side to ‘Select Files’ should the user want to select a location not already included.

If ‘Image Device’ is selected at the top, the user will see a screen that looks like this:

Physical disks are displayed, and MacQuisition will show APFS containers as well as encrypted volumes (and whether they are unlocked).  Select the disk to image, and choose the appropriate image formats, image segment size, and acquisition hashes. Here are the file formats and segment sizes available to choose from:

*Note: If acquiring a physical image of a T2 chip system, the output format is restricted to AFF4.

Click the plus sign under destination to pick the acquisition storage location.

To acquire RAM from the live Mac, root access is necessary.  If the Mac is logged in under “guest” privileges, acquire RAM from a “cold” box state.  

Cold box acquisition

Obviously, a full physical acquisition of the source Mac’s hard drive(s) is preferred by most examiners, and provides the largest amount of data, including APFS snapshots.  There are two methods an examiner can use to perform such acquisition. The first method is using a control boot method (Startup Manager). This is accomplished by depressing the POWER key while holding down the Option/Alt key.  Then select the appropriate version to run depending on the source Mac architecture. The second method is acquiring the source Mac while in Target Disk Mode (TDM). This method is recommended for Mac computers installed with the T2 security chip and allows the examiner the ability to obtain a physical image without modifying the SecureBoot settings.  The source Mac (in TDM) is attached through a write-blocker (hardware or software) to the examiner’s forensic Mac computer. Run MacQuisition from the examiner’s forensic Mac Computer and follow the same process as described under live collection how-to.

In either of the above methods, if a firmware password has been enabled on the computer, it will be identified at this stage by a “padlock” icon.  If the computer is protected with a firmware password, Apple must be served with a legal process to circumvent it. In a corporate environment, the IT department who owns the computer may have a record of it and should be contacted.  This holds true for Recovery Keys as well, since most corporate IT departments keep records of Recovery Keys on systems issued to their employees.

Obtaining the firmware password, FileVault2 password or Recovery Key is imperative.  But when will you need it? Below is a quick reference chart.

FileVault2 password/Recover key reference chart:

Output

Once an examiner has decided what method to use to acquire the source Mac (control boot or Target Disk Mode), as well as what to collect (logical or physical images), the next step is to determine where to send the acquisition/image and what filesystem to use for storage.

It is always recommended to stay with the native filesystem which you are imaging, but there are situations where the examiner may choose to analyze the acquired Mac data on a Windows-based system.  For physical images, BlackBag Technologies incorporated Paragon© drivers to allow output to NTFS. Although MacQuisition supports output to ExFat volumes, this is not recommended due to the instability of the drivers used to create it, especially on a Mac.  Improperly ejecting the external drive can cause it to corrupt the filesystem, thereby leaving the examiner with an unusable/unrecoverable image file.

Conclusion

At BlackBag we are always looking ahead to how we can enable investigators to make informed decisions with the time and resources available to them. With MacQuisition, we are exploring how we can let on-site personnel view additional relevant content quickly, before even a full image, to make sure they are focused on high-value devices. By giving investigators more information and insights earlier in the collection process, MacQuisition will save customers time and meet changing legal requirements. 

Find out more about MacQuisition and order your own copy at blackbagtech.com.

1 thought on “How To Acquire Data From A Mac Using MacQuisition”

  1. Hi,
    I‘m currently using macquisition w/ a test dongle. In case of a good working flow, i‘m gonna put forward my agency to buy your software.
    For m test, i wanted to image a MacBook Pro 2018 encrypted with a T2 Chip and FileVault2. Because of the workflow of the User Guide i had to start from the dongle. But with several test i had to find out that it is not possible to start from the dongle. So i tested to full image with the Target Disk Mode at the Source Mac. After reading this article, it makes me happy to find out that it was the right workflow to image a full encrypted Mac Computer. Further, the information to the Paragon Drives to use NTFS formatted drives would be a very useful information. For analyzing the image my agency is using the software X-Ways. To read the AFF4 format, i had to download an addon on the website of evimetry. After putting the addon folder into the program folder of x-ways it was possible for me to mount the image as a drive. Unhappily the addon works only in the 32-bit version of x-ways. But now i can start my own workflow with x-ways. At the end, i think using the MacQuisition Software will make our job easier to fully image Mac‘s. So i‘m gonna encourage my agency to buy the software MacQuisition.

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 19 hours ago

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles