The field of computer forensics investigations is growing, especially as law enforcement and legal entities realize just how valuable computers can be when conducting corporate and criminal investigations. As Apple’s Mac computers continue to grow in popularity among users within organizations, today’s forensic examiners need powerful and proven solutions to help them perform live data acquisition, targeted data collection, and forensic imaging from these computers.
MacQuisition is the first and only solution to create physical decrypted images of Apple’s latest Mac computers utilizing the Apple T2 chip. Apple’s T2 encryption methodology is unique to each Mac, and crucial data can only be decrypted using the keys stored in that system’s T2 chip. BlackBag has built the only solution that works with the chip to decrypt the file systems at collection time, empowering examiners to capture the entire physical blocks that hold vital information and not just logical files. In cases where multiple machines and devices are involved, MacQuisition provides the option to browse and search through data, and preview file contents before any data is collected or devices are imaged.
Tested and used by experienced examiners for over a decade, MacQuisition runs on the Mac OS X operating system and safely boots and acquires data from over 185 different Macintosh computer models in their native environment, even those with Fusion Drives.
TARGETED DATA COLLECTION
- Target and forensically acquire files, folders, and user directories while avoiding known system files and other unneeded data
- Preserve valuable metadata by maintaining its association with the original file
- Authenticate collected data using any or all MD5, SHA-1, or SHA-256 hash functions
- Thoroughly log data acquisitions and source device attributes throughout the collection process
- Selectively acquire email, chat, address book, Calendar, and other data on a per-user, per-volume basis
LIVE DATA ACQUISITION
COLLECT FROM LIVE SYSTEMS
- Capture important live data such as Internet, chat, and multimedia files in real time
- Soundly acquire and save volatile Random Access Memory (RAM) contents to a destination device
- Choose from 26 unique system data collection options, including active system processes, current system state, and print queue status
- Extensively log live data acquisition information throughout the collection process
CREATE FORENSIC IMAGES
- MacQuisition automatically recognizes a combined volume from a Fusion Drive and presents it for imaging
- If FileVault 2 exists, the examiner can use the password, Keychain file, or recovery key to mount the volume read-only, allowing for either triage or collection of the files
- Use the source machine’s own system to create a forensic image by booting from the MacQuisition USB dongle
- Write-protect source devices while maintaining read-write access on destination devices
Key features of MacQuisition™ 2017 include:
- Image all Intel® based Macs including the new MacBook Pro with Touch Bar
- Mid-2017 iMac hardware support
- Native Mac OS boot environment
- Ability to image APFS drives
- Core Storage support
- Image any drive with FileVault encryption
- Fusion Drive support
- RAM imager
- Write protection
MacQuisition is a unique forensic imaging and acquisition tool capable of booting hundreds of Mac OS X systems, as well as acquiring live targeted data. As the only forensic solution that runs within a native OS X boot environment, MacQuisition’s compatibility with Mac hardware makes it uniquely versatile and universally reliable.
Below is the range of Mac systems supported by the newest version of MacQuisition, followed by instructions for examiners in need of a solution for older Mac hardware.
*Note: Not all recent systems have been fully tested. The compatibility table represents the full list of systems that MacQuisition is built to support. If you have any issues with system compatibility, please contact our Support Team.
| CURRENT MACQUISITION RELEASE | DATE RELEASED |
|---|---|
| 2017 R1 | July 13, 2017 |

| TYPE | EARLIEST COMPATIBLE SYSTEM* | MOST RECENT COMPATIBLE SYSTEM |
|---|---|---|
| IMAC | iMac (Late 2009); Model Identifiers: iMac10,1 / 11,1 | Model Identifiers: iMac18,1 / 18,2 / 18,3 |
| MAC MINI | Mac mini (Mid 2010); Model Identifier: Macmini4,1 | Mac mini (Late 2014); Model Identifier: Macmini7,1 |
| MAC PRO | Mac Pro (Mid 2010); Model Identifier: MacPro5,1 | Mac Pro (Late 2013); Model Identifier: MacPro6,1 |
| MACBOOK | MacBook (Late 2009); Model Identifier: MacBook6,1 | Model Identifier: MacBook10,1 |
| MACBOOK AIR | MacBook Air (Late 2010); Model Identifiers: MacBookAir3,1 / 3,2 | MacBook Air (2017); Model Identifier: MacBookAir7,2 |
| MACBOOK PRO | MacBook Pro (Mid 2010); Model Identifiers: MacBookPro6,1 / 6,2 / 7,1 | MacBook Pro (2017); Model Identifiers: MacBookPro14,1 / 14,2 / 14,3 |
* Certain older 2007-2009 models that are not supported by the MacQuisition 2017R1 partition may be bootable by the MacQuisition Secondary partition.
Having trouble identifying a Mac OS X system? We recommend the MacTracker App, available for free at the App Store.
Trouble booting older Mac systems? Within each MacQuisition dongle, there is a legacy version of the software that can boot Intel-based Mac systems that predate the compatibility table above. For even older systems, including those running OS 9 (Classic), all MacQuisition customers have access to an ISO boot disk. ISO downloads are available within MacQuisition customers’ individual account pages on BlackBag’s website. Please contact email@example.com with any questions regarding current compatibility or use of the ISO boot disk.
A forensic examiner can boot from the MacQuisition USB dongle and image out to an external collection device using the source computer itself. Because MacQuisition boots into a forensically sound environment, no additional write-blocking software or hardware is necessary. The examiner only needs the source computer, a MacQuisition USB dongle, and a destination collection device to perform this type of static data acquisition.
To boot from the MacQuisition USB dongle and acquire data from a Mac Pro, MacBook Pro, or MacBook Air computer, make sure the source system is powered off and plugged into a power source. Then insert the USB dongle into a USB port on the source system and attach an external collection device.
Press the power button and immediately hold down the Option key. The EFI Boot screen (Startup Manager) appears.
Click the MacQuisition icon for the MacQuisition version best suited to the source machine hardware. If you do not know which version you should boot to, see the compatibility information above. Click the arrow below the MacQuisition icon to begin the boot process.
The BlackBag logo appears, and shortly after that, a thin progress bar appears beneath the logo. Next, depending on the hardware model and date of manufacture, the Apple logo may appear for approximately 5-10 seconds. Lastly, the MacQuisition splash screen appears, followed by the EULA.
Important: If the Apple logo appears before the BlackBag logo, IMMEDIATELY shut down the computer by pressing and holding the power button – the source system is attempting to boot to a drive or other device, and not to the MacQuisition dongle.
If a gray screen with a slashed circle appears, shut down the system by pressing and holding the power button, and boot the system to the ‘MacQuisition Legacy’ partition.