D Thanks, I'll give it a go!
Resurrecting this topic.
Doing the same kind of tests on my own and having similar issues.
My test "suspect" machine is a Macbook Pro mid-2018 A1990 with 4 USB-C / Thunderbolt 3 ports and my forensic Mac is an older Macbook A1398 with USB 3 and Thunderbolt 2 ports.
I disabled secure boot and enabled external boot on my suspect machine for testing purposes. Macquisition is unable to boot from the suspect computer. I get a message "A software update is required to use this startup disk" and boot loops.
I am also unable to establish a link between both computers using a USB-C (suspect) to USB-A (forensic machine) cable when booting my suspect machine in Target Disk Mode. macOS on my forensic machine does not see the suspect machine at all.
The only USB-C to USB-A copy that worked was booting the suspect in TDM and connecting it to the source port of my Logicube Falcon-NEO. Then, I was able to perform a drive-to-file acquisition. But no forensic software was able to read the image properly (probably because of the APFS and T2 chip).
I contacted Blackbag to figure out why Macquisition won't boot on the newer suspect machine.
My last test to try and make my forensic Mac see the suspect machine will be to purchase a Thunderbolt 3 to Thunderbolt 2 adapter.
If you have any insight on what works or not, I would appreciate.
Thx
PM
What version of Macquisition are you using ?
Latest version 2019 R1.2
I am not sure if you have read this yet, but I hope it helps.
https://
Yes I had already read this. Unfortunately, it does not explain why Macquisition won’t boot on the laptop.
Colleagues,
I am testing Carbon Copy Cloner 5 as a "live acquisition" option to booting to Macquistion and Recon Imager.
Carbon Copy Cloner 5 has the ability to create "bootable APFS formatted backups" https://
My plan is to compare Recon Imager generated image to a CCC5 generated image using BlackLight.
I assume I will see the insertion of my "collection external USB drive" and artifacts related to running CCC5" but I am curious what if anything performing a "live" image with CCC5 will overwrite or possibly destroy versus the traditional boot-to-Macquisition approach.
Due to full disk encryption and user rights lockdowns, 99% of my corporate clients' Windows machines require live imaging using a tool such as FTK Imager to an external USB "collection drive" whilst logged into the machine as local admin (in order for FTK Imager to run and USB ports be enabled).
So perhaps live imaging and Mac computers is possible as well. We shall see.
For those interested, here is Blackbag’s reply on why Macquistion does not boot on my Macbook
We appreciate the information you sent. It helped us get closer to the issue. It appears this is a first generation 2018 MacBook Pro that was shipped with macOS 101.3.6 without having an updated T2 BridgeOS. Since it is running an older BridgeOS, it doesn't recognize MacQuisition's bridge file that is built with 10.14.
Our developers are looking into how they can address this scenario and should have a solution in next release of MacQuisition.
Also, we were able to make TDM work using the following configuration
Suspect machine with TB3/USB-C —> Thunderbolt 3 /usb-c to Thunderbolt adapter —> Thunderbolt cable —> forensic Mac.