By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 10, 2016
There is no question that Mac computers are gaining market share, and as forensic examiners, we see more of them in the lab. Many labs that have been doing forensics on Windows computers think they can just pull a hard drive from a Mac, image it the way they always have, and then examine it. Simply not true. This is akin to saying that because you can drive a car, you must be able to fly a plane, because they are both modes of travel.
Our research has determined that there are a lot of “bits” of advice on the Internet about Mac forensics, but little in the way of “easy to follow” concise start to finish tutorials that cover the various scenarios. That was the genesis of this corner of our website.
Mac computers, most likely due to their smaller market share, have a smaller amount of tools with which a digital forensics examiner can work with. When there is little competition, (and little demand), cost of these tools can be extremely prohibitive, and examiners look for workarounds. That is what this section of our website is devoted to.
MacQuisition
This tool, made by a company named BlackBag Technologies is truly the last word in commercial Mac acquisition tools. It allows acquisitions using methods that are simply not possible in any other manner. One method that comes to mind is forensically acquiring a drive that is FileVault enabled, and you only have the Recovery Key. No other method or tool will extract this image.
You will notice that this section of the website has a number of tutorials, and yet it does not have one for MacQuisition acquisitions. The reasons are twofold. Firstly, this section is about being able to properly acquire forensic images on a budget (and MacQuisition is NOT cheap). Secondly, MacQuisition is so intuitive and easy to use that a tutorial would be moot. When considering where to spend money, this should be high on the list, if you can afford it.
Other Methods
Fortunately, there are other ways to create forensic images of Mac computers. It is true that there are some methods used on Windows computers that would work on Mac computers once the hard drive is removed, but they will not image FileVault enabled drives with CoreStorage, and they will not rebuild images on Macs using Fusion drive technology.
This section of our site is dedicated to properly acquiring Mac drives in a variety of scenarios and at no cost.
The 4 “MUST KNOW” Mac Special Startup Key Combinations
During various phases of the acquisition process, the Mac needs to be started in modes other than “normal”. These instructions are deployed simultaneous with pressing the power button. This is extremely important. Press and hold them first, and then press the power button. Here they are, and what they are for. This is by no means an exhaustive “startup key” list.
“option” key – Used to start the computer to the point where it shows various boot drives. Also used to determine if a Firmware Password has been deployed.
⌘ + S – This key combination is used to start the computer in Single User Mode. Will NOT work if FileVault is enabled. When the computer is started in Single User Mode, it allows for polling the computer for a number of very important computer forensic information.
⌘ + R – This key combination is used to start the computer in Recovery Mode. The only reason you would use this is if FileVault was enabled. Once the imaging process is complete, you would come here to gather the data that you could otherwise have collected in Single User Mode.
“T” – Holding down the T key while powering up places the computer into Target Disk Mode. This is the mode necessary for forensic acquisition without other tools.
Imaging Process
Click on the links below to go to pages that provide simple instructions to complete the tasks necessary.
Understanding Mac Storage For Forensic Acquisition
Formatting a Destination Storage Device for Mac
Mac Forensic Imaging Benchmarks
Information Collection on Mac Computers For Forensic Acquisition
Hashing Commands for Mac Forensic Acquisition
Live Forensic Acquisition of Macs