MacQuisition From BlackBag
Posted Friday December 21, 2018 (16:26:51)
by Jade James
MacQuisition is a simple but effective tool used for imaging and data collection of iMacs, MacBooks, and Mac Pros & Minis. This tool is solely for the use with Macs, but although it is a niche product MacQuisition has many benefits.
The latest release of MacQuisition is 2018 R1.2, which is contained within a 120GB or 1TB dongle/drive. This in itself is extremely useful as it allows you to image directly to the dongle. It can also act as a collector and is ideal for data collection in situ. Booting into a dongle eliminates the need to dismantle the system to access drives, which could be problematic and could potentially result in the loss of data. The 120GB version comes with USB2.0 and USB C connector cables, allowing for use with the latest MacBook Pros and iMac Pros.
The latest release comes with the following features:
● Formatting and imaging to NTFS drives
● Unlocking APFS with FileVault2 encryption
● Capturing RAM and data collections live on High Sierra 10.13
● Creating logical data containers for collections
● Support for APFS formatted drives with or without encryption, including logical file collection
MacQuisition provides a powerful 3-in-1 solution for:
● Live data acquisition
● Targeted data collection
● Forensic imaging
Live data collection is a very effective feature of MacQuisition as it allows you to collect data from a live system, which means you won’t lose volatile data by switching the system off in order to boot into MacQuisition. This also allows for the live capture of Random Access Memory (RAM), which could be beneficial in a forensic investigation. However, caution should be taken whilst accessing a live system as there is nothing to stop you from writing to the system.
Targeted data collection gives you the opportunity to pre-select artefacts of interest to speed up the acquisition process and cut down on unnecessary imaging. You can select from a range of user files and folders, including internet history, email, chat messages, pictures and contacts, and it gives you an indication of the collection size which is useful. You also have the option of hashing the logical image with MD5, SHA-1 or SHA256.
The latest version of MacQuisition will automatically recognise if there is a Fusion drive (Apple’s name for a hybrid drive: a combination of a conventional HDD and a NAND Flash storage or SSD). If FileVault2 is apparent, MacQuisition will use the password, Keychain file or recovery key to mount the volume in a read-only state, then you can decide to triage or conduct data collection. Imaging is made easy with the option to image to the dongle acting as a collector, but even using the best compression you will have difficulty imaging a drive larger than 128GB, unless you have the 1TB SSD version of MacQuisition. Imaging to an external source is simple enough and you have the option within MacQuisition to mount and format a drive so that it is appropriate for imaging.
If the system is turned off, you simply connect MacQuisition and power on the system whilst holding down the ‘Alt’ or ‘Option’ key. You will be presented with three choices: MacQuisition2018R1.2; MacQuisition Secondary; or MacQuisition Legacy.
Selecting MacQuisition2018R1.2 will bring you to the main menu, where you will find a variety of different options to choose from. First you can enter the case details and check that the system time and date are correct for the logs.
The tools tab allows you to mount a device as either read-only or read/write; erase and format a device in either hfsx, HFS+, MS-DOS (FAT 32) or NTFS; launch the terminal to use a command line interface for MacQuisition (recommended for advanced users only); and hash a device or image file. Before imaging you will need to have a suitable device to image to, as MacQuisition can only image to the formats mentioned above.
Data collection allows you to select predefined items to create a logical image of the system, including system data (such as kernel version, system hostname, etc.), user files (user directories and files per user) and system files (OSX volumes and files per volume). MacQuisition first prepares the data for collection by gathering path and metadata.
If there are different email accounts, you will be prompted to ‘copy alias only’, ‘copy target’ or ‘convert alias’. The data collection can be contained within a folder or as a ‘sparse image’ (a disk image file used on MacOS that grows in size as the user adds data to the image, taking up only as much disk space as is stored in it).
Creating a forensic image is simple enough: select the image device tab, then choose to acquire a physical or logical image by selecting either the physical device or a particular partition. There is a choice of output format (raw, DMG, E01 – uncompressed, empty block compression, fast compression, and best compression), various segment sizes (640MB, 1GB, 2GB, 4GB, 8GB, and custom) and you can choose which hash algorithm you would like to use. It is very easy to differentiate between the source device and partitions.
Booting into MacQuisition on a live system is straightforward: you connect the dongle and navigate to the application, and it will run as a program on the device. From here the setup is exactly the same. This process is ideal for on-scene investigations or simple triage.
MacQuisition is a useful tool for the collection and forensic imaging of digital data on Macs. It is straightforward to use, and if you do need guidance, there is documentation available within the software to support you. If you are familiar with Linux-based systems, you will find MacQuisition easy to use, as the underlying coding for Mac OS X and Linux are separate branches of UNIX and MacQuisition has been created specifically for use on Mac OS X.
The only added functionality that I would like to see in future releases is the ability to take screenshots while examining a device. Currently, you are only able to take screenshots while booted into MacQuisition on a live system, which means the screenshots are saved to the desktop of the source device. It would be really useful in the production of examiner notes if you could take screenshots during examination as well. Overall however I would recommend this tool to all examiners and investigators.
About The Reviewer
Jade James BSc (Hons) is currently a Digital Forensic Investigator at the Serious Fraud Office. She has previous professional Digital Forensic experience from working at IntaForensics, Home Office Centre for Applied Science and Technology and the City of London Police. Jade has gained experience from conducting Computer, Mobile devices examinations, Drone Forensics and has been involved with ISO 17025 & Quality Standards both as a Digital Forensic Practitioner and Quality Manager.
BlackBag Technologies develop forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices. Find out more about their products and training options at blackbagtech.com.
Article content received from: Forensic Focus,