ADF tools can scan Mac computers (M1 and T2 chips), including all types of encryption and virtual drives, by running a remote agent that communicates with the ADF desktop application.
How to Collect Evidence on a Mac
To perform Mac Forensics, follow these instructions.
Direct Ethernet Connection
There are several ways to connect the target Mac computer and the ADF workstation. We recommend using Direct Ethernet Connection as it will provide the fastest and most reliable connection.
Also available are an Ethernet cable to the router or a wireless connection; both are detailed in our User Guides.
Running the Remote Agent on a Mac
The remote agent is deployed on the Collection Key and can be executed on a Mac that is already running (a live Mac) or on a Mac that is in Recovery mode. We recommend using Recovery mode as it grants access to more files and is more stable. Note that Recovery mode was only introduced in 2012, and older Macs do not offer it.
Overview of the process:
- Prepare a Collection Key so it contains the remote agent. Note that it doesn’t matter which Search Profile is selected on the Collection Key, as the profile will be selected later in the ADF desktop application.
Today we are going to show you the Mac M1 Running in Recovery Mode and using Direct Ethernet Connect.
- Use a regular Ethernet cable and connect it between the ADF workstation and the target computer. If no Ethernet port is present on the computer, use a USB-C to Ethernet adapter.
  - This will create a local network between the two computers, and each will receive a network address (also called an Internet Protocol or IP address).
Running in Recovery Mode
Follow these instructions to place the Mac in Recovery Mode and run the remote agent:
- Make sure the Mac is turned off.
- Turn on the M1 Mac and immediately press and hold the power button until “Loading startup options” appears. For older Macs, press and hold the Command (⌘) and R keys; you can release the keys when you see the Apple logo.
- You might be prompted to enter a password, such as a firmware password or the password of a user who is an administrator of this Mac. Enter the requested password to continue.
- Insert the USB Collection Key into the Mac.
- To make sure the encrypted partitions are available:
  - Run Disk Utility.
  - Locate any disabled volumes in the left panel and click the Mount button for each one of them.
  - Quit the program via Disk Utility > Quit Disk Utility.
- Run the Terminal application via Utilities > Terminal.
- Type the command /Volumes/CKY/macOS_start and press Enter.
The agent should start and display the following information:
ADF Remote Agent
To connect to this device enter the following IP address in the Scan screen of the ADF desktop application:
eth0 - 192.168.0.22
eth1 - 192.168.0.24
Make a note of the IP address listed by the agent as it will have to be entered in the ADF desktop application.
If the default connection port 32771 is not available, the remote agent will use a different port and display the message:
Server bind error on port 32771
Agent started on port 32772
This port number will have to be entered with the IP address in the ADF desktop application as follows: xxx.xxx.xxx.xxx:32772
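The following is an added example, not ADF's own code: a small Python helper for the workstation side that reads the agent's start-up output (the banner format shown above is assumed to be exact), works out the IP or IP:port strings to type into the desktop application, including the fallback-port case, and optionally confirms the agent's port is reachable before you click CONNECT. The sample banner is constructed; the reachability check assumes the agent accepts a plain TCP connection on its port.

```python
import re
import socket

DEFAULT_PORT = 32771  # the agent's default connection port

# Constructed sample of the agent's output when the default port was busy
# (not captured from a real session).
SAMPLE_BANNER = """\
ADF Remote Agent
To connect to this device enter the following IP address in the Scan screen of the ADF desktop application:
eth0 - 192.168.0.22
eth1 - 192.168.0.24
Server bind error on port 32771
Agent started on port 32772
"""

_IFACE_RE = re.compile(r"^\s*(\w+)\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
_PORT_RE = re.compile(r"^\s*Agent started on port (\d+)\s*$")


def parse_agent_banner(text):
    """Return ([(iface, ip), ...], port) from the agent's start-up output.
    The port stays 32771 unless the agent reported a fallback port."""
    addresses, port = [], DEFAULT_PORT
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface, ip = m.groups()
            if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
                addresses.append((iface, ip))
            continue
        m = _PORT_RE.match(line)
        if m:
            port = int(m.group(1))
    return addresses, port


def connection_targets(text):
    """Strings to enter in Add Remote Agent: a bare IP when the agent listens
    on the default port, IP:port when it fell back to another port."""
    addresses, port = parse_agent_banner(text)
    if port == DEFAULT_PORT:
        return [ip for _, ip in addresses]
    return [f"{ip}:{port}" for _, ip in addresses]


def agent_reachable(host, port, timeout=2.0):
    """Pre-connect check: True if a TCP connection to the agent's port succeeds
    within `timeout` seconds. No data is sent to the target."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run connection_targets over the text the agent printed, then agent_reachable on each address before connecting; a False result usually means the wrong cable, adapter or interface was noted.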
Starting the Remote Scan
- Navigate to the Scan screen (see details in the Desktop Scan section below).
- Click on the Add Remote Agent button.
- Enter the IP address of the target computer that was provided by the remote agent earlier. Click on the CONNECT button.
- The remote agent should now be listed as a target device.
Note that all available volumes will be scanned and only allocated files will be processed (no deleted files recovery and no unallocated file carving).
Terminating the Remote Agent
Once the scan is finished, if the target computer was in recovery mode:
- Go to the Apple menu and select Shut Down.