How To Collect Data Using MacQuisition Live

As more employees are required to work from home, we’ve heard from our customers that they need the ability to remotely collect data from Mac systems without having to send MacQuisition hardware to someone’s home. To help our customers in this unique time, BlackBag is making a new software-only option available to MacQuisition customers for a limited time.

Below we’ve answered some common questions about this new functionality. 

In addition, below is an easy-to-use how-to guide for the person running the application and completing the collection.

Using MacQuisition Live

So, you’ve downloaded MacQuisition Live. Let’s take a look at some ways you can use it.

MacQuisition Live provides a mechanism to collect data from remote users in one of the following ways:



  • Provide the MacQuisition Live dmg and license information to the person who needs to complete the collection and they can run it live on any Mac that needs files extracted.
  • The examiner can drive the collection by connecting to the Mac remotely to run the MacQuisition software.  There are several built-in options on the Mac to allow remote access, for instance Mac Remote Access or Mac Screen Share, as well as commercial remote access tools.  For more information on remote access of Mac systems, there are helpful suggestions in this article.

Once the data is collected on the macOS system, the collection can be transferred via a cloud storage solution such as Dropbox or email.  We recommend storing data collected in the logical evidence file format which preserves key file metadata.

Things To Keep In Mind

If you are having the user of the device collect the data, specific instructions must be provided.  The scope of the collection should be clearly defined in the instructions sent to the user. Our triage mode allows you to browse file content or search for files based on location, filename, extension, file size, dates, and keywords.  MacQuisition also has built-in collection options available in the Collection tab.

In addition to MacQuisition Live, a license file is required.  The license file will be saved to any system MacQuisition Live is run on.  Both of these must be provided for the user to run the application on their system.

A plan must be in place to transfer the collected data from the device the data was collected on to the people analyzing the collected data.

Possible Uses

MacQuisition Live provides a mechanism for eDiscovery data collections, collections related to HR requests, or even to find files that correlate to indicators of compromise when a threat is detected.  Let’s walk through how to run MacQuisition Live and then one collection scenario. This scenario can be used as a template for creating a set of instructions for data collection.

How To Run MacQuisition Live

MacQuisition Live is stored in MacQuisition_2020R1.dmg.  Open the dmg on the macOS system that data will be collected from.  A Finder window appears showing the MacQuisition Live application.

Double-click on MacQuisition.  The following dialog box appears:

The User Name box contains the user account user name.  Type in your login password in the Password box. Click Install Helper.  

The following dialog box will appear:

Click Enter License Key.  In the window that appears either manually enter the license information or if a license file has been provided click Load from File.

Note:  You cannot copy and paste the license file information.  It must either be manually typed in or loaded from a license file.

Once the license information is entered or loaded from a file, click Enter License.  

The MacQuisition EULA window will appear.  Click Agree.

The following warning dialog box may appear:

Click OK.

MacQuisition Live is now running on the system.

Collecting Data

This section provides a sample set of data collection instructions that can be sent to users performing the collection.  These instructions should be customized for your collection needs before they are sent. Keep in mind the level of expertise of the collector when creating your own data collection instructions.  The instructions should be tested by someone with data collection experience before they are distributed to users who are less familiar with data collection processes. Also remember that running MacQuisition Live will create changes on the system.  At the end of this example, possible variations that you can use to customize these instructions are provided.

Example 1 – Collecting Data Based on Keyword

In this example we are going to search for files related to the flamingo project and the octopus project.  Specifically, we are looking for documents used on these projects.  The target for the collection is the user’s Documents folder.  

Step 1 – In MacQuisition, click on the Collection tab.  Right-click on the left side of the collection tab and choose Deselect All.

Step 2 – Click on the Search tab.

Step 3 – Use the Location drop-down menu and select your Documents directory.

Step 4 – In the Content section type the keyword “flamingo” and check the Search Documents check box.  Click Search.

Step 5 – The results returned are displayed in the middle window.  Highlight all of the files in the middle window, right-click and choose Add selected Items to Collection.

Step 6 – Repeat steps 4 and 5 using the second keyword “octopus.”

Step 7 – Click on the Collection tab.  The files added to the collection are displayed in the ADDITIONAL FILES section.  The total size of the collection is also listed.

Step 8 – Choose a location for the data collection by clicking Set….  In the Select Destination Volume window, choose the data volume of the device and click Open.  In this example, the data volume is named MacSSD – Data.

A Finder window appears.  Navigate to the Desktop folder of your user profile: MacSSD/Users/<username>/Desktop. Click Open.  The path to your Desktop appears in Destination.

Step 9 – From the drop-down menus select .L01 for Format, and 2GB for Segment Size.  Uncheck SHA1.  Click Start.

The Activity window appears showing the status of the collection.  Once the collection completes, the Finished acquiring data message appears with the collection storage path.

Step 10 – Close MacQuisition.  In Finder navigate to the collection folder.  Email the entire collection folder to [email protected].  

Collection Variations

MacQuisition Live has a myriad of other features that can be used for data collection, so depending on what you are trying to collect, the above instructions can be altered to fit your collection requirements.

In the Search tab, data can be searched for by Location, Name, Extension, File Size, Date(s), and Contents (keyword).  You can search for multiple file extensions at the same time by separating the file extensions with a colon.  For example, pdf:png:doc.

The Browser tab can be used to navigate to a specific file path to add items to a collection.

The Collection tab has pre-defined sets of information that you can choose for collection. 

Refer to the MacQuisition User Guide to read more about Live data collection options. 

One of the most important steps to refine is Step 10.  Keep in mind the amount of data that may be in the collection.  Sending large collections by email may not be feasible. Transferring collections via a cloud storage solution such as Dropbox may be a more appropriate option.

If you have any other questions or issues, search the BlackBag support portal https://support.blackbagtech.com or reach out to tech support via email [email protected].
