


Justin Matsuhara, Solutions Engineer, BlackBag Technologies
Stephanie Thompson, Solutions Engineer, BlackBag Technologies

Depending on the digital forensic imaging tool you have available, creating a forensic image of a Mac computer can be either an anxiety-creating situation, or as easy as “1-2-3-START”. There are several things you must identify ahead of attempting a full disk image of the system.

- Type of Mac computer: identify the serial number / model number; identify if the Mac is installed with a T2 security chip.
- Are SecureBoot settings enabled to prevent booting from external media?
- What file system (HFS+ vs APFS) is currently running on the source Mac?
- Is FileVault2 enabled on the source Mac? Do you have the password or Recovery Key available?
- Do you need a logical or physical acquisition of the Mac?
- Has the owner of the Mac enabled a firmware password on the system?
- Is the Mac installed with a fusion drive?

Having the answers to the above questions is imperative. MacQuisition, BlackBag Technologies’ premier imaging tool for Mac computers, can help you answer some of those questions. MacQuisition can identify if the Mac has a T2 security chip installed, what file system is currently running, if FileVault2 is enabled, and if a firmware password has been enabled.

The days of simply shutting off a computer to collect a forensic image are long gone, especially when you encounter a Mac. With the increased use of FileVault2 encryption, an examiner must acquire as much logical data on a live Mac as possible because it may be the only time that particular data is accessible.
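Several of the pre-imaging questions above can also be answered on a live, unlocked Mac with built-in macOS commands. The script below is an added example, not part of the original article and not how MacQuisition works; the function names are hypothetical, and the output formats it parses are assumptions based on what these commands print on Intel Macs running recent macOS releases.

```shell
#!/bin/sh
# Each parser reads one command's text output on stdin and prints a short answer.
# Matching strings are assumed output formats; anything else reports "unknown".

filevault_state() {            # stdin: `fdesetup status`
    out=$(cat)
    case "$out" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

firmware_password() {          # stdin: `firmwarepasswd -check` (needs root)
    out=$(cat)
    case "$out" in
        *"Password Enabled: Yes"*) echo yes ;;
        *"Password Enabled: No"*)  echo no ;;
        *)                         echo unknown ;;
    esac
}

filesystem_type() {            # stdin: `diskutil info /`
    p=$(sed -n 's/^ *File System Personality: *//p' | head -n 1)
    case "$p" in
        *APFS*) echo APFS ;;
        *HFS*)  echo HFS+ ;;
        *)      echo unknown ;;
    esac
}

has_t2() {                     # stdin: `system_profiler SPiBridgeDataType`
    if grep -q 'T2 Security Chip'; then echo yes; else echo no; fi
}

hw_field() {                   # $1 = field label; stdin: `system_profiler SPHardwareDataType`
    sed -n "s/^ *$1: *//p" | head -n 1
}

# Live collection runs only where the macOS tools exist.
if command -v fdesetup >/dev/null 2>&1; then
    hw=$(system_profiler SPHardwareDataType)
    echo "model:        $(printf '%s\n' "$hw" | hw_field 'Model Identifier')"
    echo "serial:       $(printf '%s\n' "$hw" | hw_field 'Serial Number (system)')"
    echo "t2 chip:      $(system_profiler SPiBridgeDataType 2>/dev/null | has_t2)"
    echo "file system:  $(diskutil info / | filesystem_type)"
    echo "filevault:    $(fdesetup status 2>/dev/null | filevault_state)"
    echo "firmware pw:  $(firmwarepasswd -check 2>/dev/null | firmware_password)"
fi
```

Run it from examiner-controlled external media and redirect the output there, so the answers are recorded without writing to the source volume.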
