Digital Forensic News & Events

Bringing investigators digital forensics and cybersecurity related news from around the world. #AllinForensics

Back to News

Learn Mac Forensics: Mac Boot for M1 and T2 Chips | DFIR for Computers

Posted by Richard T. Frawley on December 30, 2021
Richard T. Frawley

ADF tools have the ability to scan all available Mac computers (M1 and T2 chips) with all types of encryption and virtual drives by running a remote agent that communicates with the desktop application. 


How to Collect Evidence on a Mac

To perform Mac Forensics, follow these instructions. 

Direct Ethernet Connection

There are several ways to connect the target Mac computer and the ADF workstation. We recommend using Direct Ethernet Connection as it will provide the fastest and most reliable connection.

Also available is an Ethernet cable to the Router  or Wireless connection - all detailed in our User Guides

Running the Remote Agent on a Mac

The remote agent is deployed on the Collection Key and can be executed on a Mac that is already running (a live Mac), or a Mac that is in Recovery mode. We recommend using the recovery mode as it grants access to more files and is more stable. Note that the Recovery mode was only introduced in 2012 and older Macs do not offer it.

Overview of the process:

  • Prepare a Collection Key so it contains the remote agent. Note that it doesn’t matter which Search Profile is selected on the Collection Key as it will be selected later in the ADF desktop application.`

Today we are going to show you the Mac M1 Running in Recovery Mode and using Direct Ethernet Connect.

Use a regular Ethernet cable and connect it between the ADF workstation and the target computer. If no Ethernet port is present on the computer, use a USB-C to Ethernet adapter.

  • This will create a local network between the two computers and each will receive a network address (also called an Internet Protocol or IP address). 

Running in Recovery Mode

Follow these instructions to place the Mac in Recovery Mode and run the remote agent:

  • Make sure the Mac is turned off.
  • Turn on the M1 Mac immediately. press and hold the power button until “Loading startup options'' appears. For Older Macs press and hold down the Command (⌘) and R keys. You can release the keys when you see the Apple logo
  • You might be prompted to enter a password, such as a firmware password or the password of a user who is an administrator of this Mac. Enter the requested password to continue.
  • Insert the USB Collection Key into the Mac.
  • To make sure the encrypted partitions are available:
    • Run the Disk Utility.
    • Locate any disabled volumes in the left panel and select the Mount button for each one of them.
    • Quit the program in Disk Utility > Quit Disk Utility.
  • Run the Terminal application in Utilities > Terminal.
  • Type the command /Volumes/CKY/startMacOSAgent and press enter.

The agent should start and display the following information:

ADF Remote Agent

To connect to this device enter the following IP address in the Scan screen of the ADF desktop application:

  eth0 -

  eth1 -

Status: started

Make a note of the IP address listed by the agent as it will have to be entered in the ADF desktop application.


If the default connection port 32771 is not available, the remote agent will use a different port and display the message:

Server bind error on port 32771

Agent started on port 32772

This port number will have to be entered with the IP address in the ADF desktop application as follows:


Starting the Remote Scan

  • Navigate to the Scan screen (see details in the Desktop Scan section below).
  • Click on the Add Remote Agent button.
  • Select the agent in the list of agents discovered automatically by the ADF desktop application.
  • Click on the OK button.
  • The remote agent should now be listed as a target device.

Note that all available volumes will be scanned and only allocated files will be processed (no deleted files recovery and no unallocated file carving).

Terminating the Remote Agent

Once the scan is finished, if the target computer was in recovery mode:

  • Go to the Apple menu Apple Logo and select Shut Down.

Watch: Boot Scan a Mac with APFS & FileVault 2

Topics: Digital Forensics, Digital Evidence Investigator, Triage-G2, Triage-Investigator, Computer Forensics, Forensic Training, Apple Mac Forensics, How To Video, DEI PRO, Triage-G2 PRO, Triage-Investigator PRO, Digital Evidence, DEI PRO Field Tablet, Featured Video, Computer Forensics Video

Posts by Tag

See all

Recent Posts

New ADF Free Trial Website Ad