Join Us!

Solutions for MacOS...
Clear all

Solutions for MacOS 10.14 Mojave  


My enterprise is looking at introducing Macs into the environment; MacOS 10.14 Mojave. From what I gathered from OpenText, Encase does not support this version.

Are there forensic solutions out there that support the imaging and analysis of MacOS 10.14 Mojave.

Posted : 25/03/2019 8:42 pm
Active Member

Encase is pretty bad for non-windows file systems.

In terms of OS X Analysis, Blacklight is probably the most comprehensive tool in terms of artifacts recovered and is probably your only viable option if the filesystem is encrypted APFS. If the filesystem is not encrypted, then X-Ways provides a good alternative.

In terms of imaging, Macquisition is a good tool and now supports the T2 encryption chips in Macbooks (not personally tested!).
Other than that, any Linux distribution that you can boot to would be suitable for imaging (DEFT, PALADIN etc).

Posted : 26/03/2019 1:28 pm
New Member

Cody here from the Product Development team at Magnet Forensics. Would suggest giving Magnet AXIOM 3.0 a try if you haven't. We added support for analysis of the APFS filesystem, including the ability to decrypt filevault2 encrypted images, and also added support for 20+ MacOS system artifacts. If you don't have AXIOM already and are interested I could get you a trial key. Shoot me an email at Cody.Bryant @

Posted : 30/03/2019 5:23 pm