Solutions for MacOS 10.14 Mojave  

bntrotter
(@bntrotter)
Member

My enterprise is looking at introducing Macs into the environment: MacOS 10.14 Mojave. From what I gathered from OpenText, EnCase does not support this version.

Are there forensic solutions out there that support the imaging and analysis of MacOS 10.14 Mojave?

Posted : 25/03/2019 8:42 pm
minime2k9
(@minime2k9)
Active Member

EnCase is pretty bad for non-Windows file systems.

In terms of OS X analysis, BlackLight is probably the most comprehensive tool in terms of artifacts recovered and is probably your only viable option if the filesystem is encrypted APFS. If the filesystem is not encrypted, then X-Ways provides a good alternative.

In terms of imaging, MacQuisition is a good tool and now supports the T2 encryption chips in MacBooks (not personally tested!).
Other than that, any Linux distribution that you can boot to would be suitable for imaging (DEFT, PALADIN, etc.).

Posted : 26/03/2019 1:28 pm
Cbryant34
(@cbryant34)
New Member

Cody here from the Product Development team at Magnet Forensics. Would suggest giving Magnet AXIOM 3.0 a try if you haven't. We added support for analysis of the APFS filesystem, including the ability to decrypt FileVault 2 encrypted images, and also added support for 20+ MacOS system artifacts. If you don't have AXIOM already and are interested, I could get you a trial key. Shoot me an email at Cody.Bryant @ MagnetForensics.com.

Posted : 30/03/2019 5:23 pm