ADF tools have the ability to scan all available Mac computers (M1 and T2 chips) with all types of encryption and virtual drives by running a remote agent that communicates with the desktop application.
To perform Mac Forensics, follow these instructions.
Direct Ethernet Connection
There are several ways to connect the target Mac computer and the ADF workstation. We recommend using Direct Ethernet Connection as it will provide the fastest and most reliable connection.
Also available is an Ethernet cable to the Router or Wireless connection - all detailed in our User Guides
The remote agent is deployed on the Collection Key and can be executed on a Mac that is already running (a live Mac), or a Mac that is in Recovery mode. We recommend using the recovery mode as it grants access to more files and is more stable. Note that the Recovery mode was only introduced in 2012 and older Macs do not offer it.
Today we are going to show you the Mac M1 Running in Recovery Mode and using Direct Ethernet Connect.
Follow these instructions to place the Mac in Recovery Mode and run the remote agent:
The agent should start and display the following information:
ADF Remote Agent
To connect to this device enter the following IP address in the Scan screen of the ADF desktop application:
eth0 - 192.168.0.22
eth1 - 192.168.0.24
Status: started
Make a note of the IP address listed by the agent as it will have to be entered in the ADF desktop application.
If the default connection port 32771 is not available, the remote agent will use a different port and display the message: Server bind error on port 32771 Agent started on port 32772 This port number will have to be entered with the IP address in the ADF desktop application as follows: xxx.xxx.xxx.xxx:32772 |
Note that all available volumes will be scanned and only allocated files will be processed (no deleted files recovery and no unallocated file carving).
Once the scan is finished, if the target computer was in recovery mode: