Join Us!

Apple T2 Chip 2018 ...
 
Notifications
Clear all

Apple T2 Chip 2018 model Macbook and iMac  

Page 1 / 2
  RSS
dandaman_24
(@dandaman_24)
Active Member

Im testing a Macbook Pro 2018 model, OS version 10.13.6 which has a T2 chip.

I have tried booting to Macquisition (latest version), however the Mac will not allow it to boot. I have disabled secure boot, allowing boot media to be run from a external source, just shows the prohibited symobl.

I have booted it into target disk mode and connected another 2018 Macbook with T2 and also a 2017 Macbook to it via USB C whilst running Macquisition. Still no luck.

Having looked online there are many posts on various geek forums, none appear to have come up with an answer.

Anyone here have anyluck ?

Thanks

Quote
Posted : 29/10/2018 8:50 pm
minime2k9
(@minime2k9)
Active Member

I haven't had one of those devices through yet, but have you tried contacting manufacturer?
They are pretty good for issues like this.

ReplyQuote
Posted : 30/10/2018 7:19 am
dandaman_24
(@dandaman_24)
Active Member

I tired to contact Tim Cook at Apple, he hasn't returned my call yet, I guess he's busy today. lol

I have spoken to some Blacklight trainers and they are in the dark too at the moment.

ReplyQuote
Posted : 30/10/2018 8:24 am
dandaman_24
(@dandaman_24)
Active Member

See below link to Apples paper on the T2 chip

https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

ReplyQuote
Posted : 30/10/2018 7:14 pm
dandaman_24
(@dandaman_24)
Active Member

Update

It seems after booting the Macbook into Target Disk Mode (TDM) i connected a generic thunderbolt cable oops oops .

I have since purchased a thunderbolt 3 cable, Macbook in TDM and my forensic mac booted to Macquisiton to enable write blocking and the Mac then pops up on my Forensis machine for acquisition.

So it does work, just make sure you use thunderbolt 3 cable.

ReplyQuote
Posted : 09/11/2018 2:16 pm
lammy_uk
(@lammy_uk)
New Member

Can you tell me if the test machine you were acquiring had FileVault II enabled or not? If so, at what point (if any) were you prompted to enter the password by MacQuisition?
Thanks

ReplyQuote
Posted : 28/11/2018 1:20 pm
dandaman_24
(@dandaman_24)
Active Member

Yes it had fv2.

Macquisiton will tell you if the drive you wish to acquire is encrypted. The macquisiton manual tells you all about how to acquire and decrypt with the password.

ReplyQuote
Posted : 28/11/2018 4:15 pm
CFEx
 CFEx
(@cfex)
Member

50-50 chance that MDM may be enabled. I ran into this issue a while ago and it was MDM. If in your case it is MDM, MDM has to be manually disabled in System Preferences and then you will be able to image the hard drive.

If it is not MDM, you are back to square one.

ReplyQuote
Posted : 28/11/2018 4:17 pm
lammy_uk
(@lammy_uk)
New Member

Thanks for the info. One last question Was the 'forensic' Mac you booted into MacQuisition also a T2 model or older? Thanks again.

ReplyQuote
Posted : 28/11/2018 5:23 pm
dandaman_24
(@dandaman_24)
Active Member

Booted my 2017 MBP T1 chip Mac into macquisiton. I then put the 2018 MBP T2 chip into TDM and connected to my 2017 MBP.

This way the target device is write blocked.

ReplyQuote
Posted : 28/11/2018 5:47 pm
lammy_uk
(@lammy_uk)
New Member

D Thanks, I'll give it a go!

ReplyQuote
Posted : 29/11/2018 10:32 am
ThePM
(@thepm)
Active Member

Resurrecting this topic.

Doing the same kind of tests on my own and having similar issues.

My test "suspect" machine is a Macbook Pro mid-2018 A1990 with 4 USB-C / Thunderbolt 3 ports and my forensic Mac is an older Macbook A1398 with USB 3 and Thunderbolt 2 ports.

I disabled secure boot and enabled external boot on my suspect machine for testing purposes. Macquisition is unable to boot from the suspect computer. I get a message "A software update is required to use this startup disk" and boot loops.

I am also unable to establish a link between both computers using a USB-C (suspect) to USB-A (forensic machine) cable when booting my suspect machine in Target Disk Mode. macOS on my forensic machine does not see the suspect machine at all.

The only USB-C to USB-A copy that worked was booting the suspect in TDM and connecting it to the source port of my Logicube Falcon-NEO. Then, I was able to perform a drive-to-file acquisition. But no forensic software was able to read the image properly (probably because of the APFS and T2 chip).

I contacted Blackbag to figure out why Macquisition won't boot on the newer suspect machine.

My last test to try and make my forensic Mac see the suspect machine will be to purchase a Thunderbolt 3 to Thunderbolt 2 adapter.

If you have any insight on what works or not, I would appreciate.

Thx

PM

ReplyQuote
Posted : 13/06/2019 8:57 pm
dandaman_24
(@dandaman_24)
Active Member

What version of Macquisition are you using ?

ReplyQuote
Posted : 14/06/2019 6:51 am
ThePM
(@thepm)
Active Member

Latest version 2019 R1.2

ReplyQuote
Posted : 14/06/2019 1:03 pm
kastajamah
(@kastajamah)
Member

I am not sure if you have read this yet, but I hope it helps.

https://www.blackbagtech.com/blog/2019/05/08/apple-t2-chip-decrypted-image/

ReplyQuote
Posted : 14/06/2019 1:05 pm
Page 1 / 2
Share: