by Rich Frawley
In this short 3-minute video, ADF’s digital forensic specialist Rich Frawley shows how to boot a MacBook Air (APFS, non-encrypted) with Digital Evidence Investigator.
The ADF digital forensic team is hard at work putting the finishing touches on the complete package:
- Enabling FileVault support at boot
- Allowing the input of credentials, much like we currently support digital forensic investigations Surface Pro computers with Bitlocker
In the meantime, if FileVault is not an issue, ADF software can boot scan and collect the information investigators need to further an investigation or make a case. It is as simple as press and hold the Option key while powering on the Mac. This gives you access to the Startup Manager which will allow you to execute the ADF Software. This is also true for Mac’s prior to the implementation of APFS, ADF will be able to boot to your Mac and get you the relevant information for your case.
Apple T2 Security Chip
But what about the new T2 Security Chip? One of the features of the T2 Security Chip is the ability to use Secure Boot to make sure that only a legitimate, trusted operating system loads at startup. That’s good news since ADF utilizes a legitimate, trusted operating system.
Another feature is the ability to exclude booting from an external device, and this would be important to get an APFS Mac to boot to that trusted operating system. If booting from an external device is not available in the Startup Manager, then by accessing the Startup Security Utility (Authentication Required) the settings can be changed to allow booting. Once this has been accomplished you can now use ADF to boot and conduct a scan of the computer.
With ADF software, you can conduct digital investigations of a suspect Mac in the lab, or on-scene, easier, faster and smarter to:
- Quickly identify incriminating files and artifacts
- Easily associate files to victims or a suspect
- Create comprehensive court-ready reports