Digital Forensic News & Events
Bringing investigators digital forensics and cybersecurity related news from around the world. #AllinForensics
macOS Forensics: Live Scan Macs with T2 or M1 chips

Posted by Richard T. Frawley on May 18, 2021

Investigators can now scan any available Mac, including Macs with T2 or M1 chips, whatever the encryption or virtual drive configuration, by running a remote agent on the target that communicates with the ADF desktop application. This means digital forensic triage can be performed on all Macs, including:

  • Macs with the T2 security chip
  • Macs with the M1 chip
  • Macs with a Fusion Drive

There are several ways to connect the target Mac and the ADF workstation. We recommend a Direct Ethernet Connection, as it provides the fastest and most reliable link. Investigators can also connect both machines by Ethernet cable to a router, or over a wireless network; all of these options are detailed in ADF's User Guides.


Here is an overview of the process:

  • Prepare a Collection Key (CKY) so that it contains the remote agent. It does not matter which ADF Search Profile is selected on the Collection Key; the profile is chosen later in the ADF desktop application.

Direct Ethernet Connect

Use a regular Ethernet cable and connect it between the ADF workstation and the target computer. If the target has no Ethernet port, use a USB-C to Ethernet adapter.

  • This creates a private local network between the two computers, and each receives a network address (an Internet Protocol or IP address). With no DHCP server on the cable, each end self-assigns a link-local address in the 169.254.x.x range, which is expected and works for the remote scan. It may take several minutes for the addresses to be assigned, especially if the interface previously held an address from another network, so wait until both machines show an address before starting the agent.

Running on a Live Mac

On a live target Mac (one that is already booted into macOS), the ADF software on the Collection Key starts the remote agent from Terminal. For the agent to read every volume, Terminal must be granted Full Disk Access: go to System Preferences > Security & Privacy > Privacy tab > Full Disk Access. Note that granting this permission modifies the target's privacy (TCC) settings, so record it in your notes as an investigator-introduced change.

  • Click the lock icon (“Click the lock to make changes”) and authenticate to be able to edit the settings.
  • Select the checkbox next to Terminal. If Terminal is not listed, click the “+” button and select Applications > Utilities > Terminal.
  • Insert the USB Collection Key into the Mac.
  • Open the CKY in the Finder, double-click macOS_start, and enter credentials if prompted.

The agent should start and display the IP information required for the ADF desktop application. Now that the remote agent is running, the rest of the process takes place on the workstation running the ADF Desktop application:

Starting the Remote Scan

  • Navigate to the Scan screen (see the Desktop Scan section of the User Guide).
  • Click on the Add Remote Agent button.
  • Enter the IP address of the target computer as displayed by the remote agent. The address should be on the same network as the one displayed by the ADF desktop application.
    For example, if the remote agent reports 10.10.1.33 and the ADF desktop application reports 192.168.1.41, the two machines are probably not on the same network and will not see each other.
    Also, if the remote agent uses a port other than 80, enter it after the IP address, separated by a colon. For example: “10.10.1.33:32772”.
  • Click on the CONNECT button.
  • The remote agent should now be listed as a target device.
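Before clicking CONNECT it is worth sanity-checking the address the agent printed against the workstation's own address, since a subnet mismatch (or a semicolon typed where the colon belongs) is the usual reason the agent never appears as a target. The following is an added example, not part of ADF's software: it parses an agent address in the "IP" or "IP:port" form described above, applies the post's default of port 80 when none is shown, and reports whether the agent is on the workstation's subnet, including the link-local 169.254.x.x case that a direct cable with no DHCP server produces. The workstation address, prefix length and the sample agent addresses are constructed inputs.

```python
"""Sanity-check the address a remote agent displays before clicking CONNECT.

Added example, not part of ADF's software. It assumes the agent prints an
IPv4 address as "IP" or "IP:port" and that port 80 is used when no port is
shown, as the post states.
"""
import ipaddress
import socket

DEFAULT_AGENT_PORT = 80  # default per the post; other ports are shown as IP:port


def parse_agent_address(text, default_port=DEFAULT_AGENT_PORT):
    """Split "10.10.1.33" or "10.10.1.33:32772" into (IPv4Address, port).

    A semicolon is a common typo for the colon, so it is rejected with a clear
    message instead of surfacing as an obscure parse error. IPv6 is out of
    scope: the agent address in the post is IPv4.
    """
    text = text.strip()
    if ";" in text:
        raise ValueError("use a colon between IP and port, e.g. 10.10.1.33:32772")
    host, sep, port_text = text.partition(":")
    ip = ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    if sep:
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    else:
        port = default_port
    return ip, port


def same_network(agent_ip, workstation_ip, prefix_len):
    """True if the agent's address falls inside the workstation's own subnet."""
    net = ipaddress.ip_network(f"{workstation_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(agent_ip) in net


def classify(agent_text, workstation_ip, prefix_len):
    """Return a short verdict the operator can act on before connecting."""
    ip, port = parse_agent_address(agent_text)
    if ip.is_loopback:
        return "loopback: the agent printed 127.0.0.1, use the Ethernet interface address instead"
    if not same_network(ip, workstation_ip, prefix_len):
        return (f"different network: {ip} is not in {workstation_ip}/{prefix_len}; "
                "check the cable or wait for addressing to finish")
    if ip.is_link_local:
        # Direct cable with no DHCP server: both ends self-assigned 169.254.x.x, which is fine.
        return f"ok (link-local): connect to {ip}:{port}"
    return f"ok: connect to {ip}:{port}"


def tcp_reachable(ip, port, timeout=3.0):
    """Attempt a TCP connect to the agent. Needs the live link, so it is not exercised offline."""
    try:
        with socket.create_connection((str(ip), port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the post's example addresses.
    print(classify("10.10.1.33", "192.168.1.41", 24))       # different network
    print(classify("10.10.1.33:32772", "10.10.1.41", 24))   # ok, custom port
    print(classify("169.254.23.9", "169.254.100.7", 16))    # ok, link-local direct cable
```

Run it on the workstation with the address the agent printed and the workstation's own address and prefix length (24 for a 255.255.255.0 mask, 16 for the 169.254.x.x link-local case). The verdict tells you whether to click CONNECT, wait for addressing, or recheck the cable; `tcp_reachable` can then confirm the agent's port actually answers.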

Note that all available volumes will be scanned, but only allocated files are processed: a live remote scan performs no deleted-file recovery and no carving of unallocated space.

Terminating the Remote Agent

Once the scan is finished, if the target computer was in recovery mode:

  • Go to the Apple menu and select Shut Down.

If the target computer was running live:

  • In the Terminal window, press Ctrl + C (the Control key, not Command) to stop the agent.
  • Close the Terminal window.
  • Go to the Finder and eject the Collection Key (CKY).
