In this short 4-minute digital forensic "How To" video, ADF forensic specialist Rich Frawley shows you how to conduct a boot scan of a MacBook Air with APFS and FileVault 2 enabled.
At this point you have decided on the Search Profile or profiles to use and prepared your Collection Key. Rich will demonstrate a forensically sound Mac boot scan using Digital Evidence Investigator®. Forensically sound means that no changes are made to the target media.
Prior to conducting a boot scan, establish how many USB ports are available and determine whether the 4-port USB hub is required. Two ports are required to complete a scan: one for the Collection Key and one for the ADF Authentication Key. Once the scan has started, the ADF Authentication Key can be removed.
In this example, the MacBook Air has two USB ports, so you are ready to go with both the Collection Key and the Authentication Key connected. To boot to the USB device, hold the Option key after pushing and releasing the power button.
When booting to the Collection Key, Digital Evidence Investigator will automatically launch the application to scan the computer. No user input is normally required within the Windows Boot Manager.
Once DEI has launched there are two options available:
- Scan Computer
- Image Computer
To proceed with the boot scan click on Scan Computer and select the target device(s).
Physical drives are denoted by a hard disk icon. Logical volumes are listed beneath the physical drive entry. Attached devices are denoted by a flash drive icon. BitLocker/FileVault 2 volumes are flagged (a volume will be disabled if it is not decrypted). Credentials can be added to make the volume available.
Add the password or recovery key to unlock the drive.
Once a scan is complete, you are given the option to image the device, or you can go directly to Image Computer.