
Mac OS Remote Forensic Collection

(@rahul25)
Posts: 3
New Member
Topic starter
 

Hello All,

I'm looking for the available options to perform Remote Forensics Collection of macOS systems using the T2 security chip and running the latest version of macOS.
Any help or suggestions are greatly appreciated.

Thanks

 
Posted : 18/03/2020 5:07 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

BlackBag can help you.

 
Posted : 18/03/2020 6:12 pm
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

EnCase in an upcoming release should have the remote agent that supports the T2 chip. It was demonstrated by Simon Key at EnFuse last November. The agent will also work with macOS 10.15 Catalina.

It has been discussed in the following thread:

https://www.forensicfocus.com/Forums/viewtopic/t=18238/highlight=mac+acquisition/

It has also been demonstrated in the Mac training class in the UK.

Is this for enterprise-wide or for ad-hoc acquisition/preview?

Regards

 
Posted : 18/03/2020 6:41 pm
(@rahul25)
Posts: 3
New Member
Topic starter
 

@igor - Thanks for the response. I guess you're referring to the MacQuisition tool (https://www.blackbagtech.com/products/macquisition/), and I'm aware we can perform the collection if we have physical access to the Mac. Could you please help with any KB articles on how to perform the remote collection using BlackBag?

Thanks in Advance.

 
Posted : 18/03/2020 6:43 pm
(@rahul25)
Posts: 3
New Member
Topic starter
 

@hommy0 - Thanks for the response. Could you please let me know which version of EnCase provides support for the macOS remote collection?

Thanks,

 
Posted : 18/03/2020 8:06 pm
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

EnCase 8.11 has an agent that currently supports macOS Catalina 10.15 remote preview and acquisition, with the T2 support coming in a later release.

Regards

 
Posted : 20/03/2020 9:33 am
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

Hi Rahul,

You may want to check out our new product, AXIOM Cyber - it can do remote collections and Mac support is coming within a couple months (logical/targeted file acquisition over a network). Let me know if you'd like more information, you can learn more about AXIOM Cyber here https://www.magnetforensics.com/products/magnet-axiom-cyber/

Best regards,
Jad

 
Posted : 20/03/2020 4:53 pm
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

EnCase Forensic / Endpoint Investigator version 20.2 contains the remote agent which allows for preview/collection of a Mac running macOS 10.15 Catalina and with the T2 security chip over the network.

Regards

 
Posted : 16/04/2020 9:50 am
(@randomaccess)
Posts: 385
Reputable Member
 

Velociraptor is a free collection utility. You can create a server on AWS or your local network and deploy the agents to collect/hunt/monitor.

We use the Windows version a lot, but there is a Mac client. Haven't personally tested it but I know Mike did recently.

Velocidex

 
Posted : 16/04/2020 11:33 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Velociraptor is a free collection utility. You can create a server on AWS or your local network and deploy the agents to collect/hunt/monitor.

We use the Windows version a lot, but there is a Mac client. Haven't personally tested it but I know Mike did recently.

Velocidex

I am not sure what the opinion is correct for acquisition of a Mac with T2 chip.

 
Posted : 17/04/2020 7:07 am