How To Digital Forensic Boot Scan A Mac With APFS

by Rich Frawley 

In this short 3-minute video, ADF’s digital forensic specialist Rich Frawley shows how to boot a MacBook Air (APFS, non-encrypted) with Digital Evidence Investigator.

The ADF digital forensic team is hard at work putting the finishing touches on the complete package:

In the meantime, if FileVault is not an issue, ADF software can boot scan and collect the information investigators need to further an investigation or make a case. It is as simple as pressing and holding the Option key while powering on the Mac. This gives you access to the Startup Manager, which will allow you to execute the ADF software. This is also true for Macs prior to the implementation of APFS: ADF will be able to boot to your Mac and get you the relevant information for your case.




Apple T2 Security Chip

But what about the new T2 Security Chip? One of the features of the T2 Security Chip is the ability to use Secure Boot to make sure that only a legitimate, trusted operating system loads at startup. That’s good news since ADF utilizes a legitimate, trusted operating system.

Another feature is the ability to disallow booting from an external device, and this setting matters when you need to get an APFS Mac to boot to that trusted operating system. If booting from an external device is not available in the Startup Manager, the setting can be changed in the Startup Security Utility (authentication required) to allow booting. Once this has been done, you can use ADF to boot and conduct a scan of the computer.

With ADF software, you can conduct digital investigations of a suspect Mac in the lab, or on-scene, easier, faster and smarter to:

  • Quickly identify incriminating files and artifacts
  • Easily associate files to victims or a suspect
  • Create comprehensive court-ready reports
