Mac OS Remote Forensic Collection  

rahul25
(@rahul25)
New Member

Hello All,

I'm looking for the available options to perform remote forensic collection of macOS systems that have the T2 security chip and are running the latest version of macOS.
Any help or suggestions are greatly appreciated.

Thanks

Posted : 18/03/2020 5:07 pm
Igor_Michailov
(@igor_michailov)
Senior Member

BlackBag can help you.

Posted : 18/03/2020 6:12 pm
hommy0
(@hommy0)
Member

Hi,

EnCase, in an upcoming release, should have the remote agent that supports the T2 chip. It was demonstrated by Simon Key at EnFuse last November. The agent will also work with macOS 10.15 Catalina.

It has been discussed in the following thread:

https://www.forensicfocus.com/Forums/viewtopic/t=18238/highlight=mac+acquisition/

It has also been demonstrated in the Mac training class in the UK.

Is this for enterprise-wide or for ad-hoc acquisition/preview?

Regards

Posted : 18/03/2020 6:41 pm
rahul25
(@rahul25)
New Member

@igor - Thanks for the response. I guess you're referring to the MacQuisition tool (https://www.blackbagtech.com/products/macquisition/), and I'm aware we can perform the collection if we have physical access to the Mac. Could you please help with any KB articles on how to perform the remote collection using BlackBag?

Thanks in Advance.

Posted : 18/03/2020 6:43 pm
rahul25
(@rahul25)
New Member

@hommy0 - Thanks for the response. Could you please let me know which version of EnCase provides support for macOS remote collection?

Thanks,

Posted : 18/03/2020 8:06 pm
hommy0
(@hommy0)
Member

Hi,

EnCase 8.11 has an agent that currently supports macOS Catalina 10.15 remote preview and acquisition, with the T2 support coming in a later release.

Regards

Posted : 20/03/2020 9:33 am
MagnetForensics
(@magnetforensics)
Junior Member

Hi Rahul,

You may want to check out our new product, AXIOM Cyber. It can do remote collections, and Mac support is coming within a couple of months (logical/targeted file acquisition over a network). Let me know if you'd like more information; you can learn more about AXIOM Cyber here: https://www.magnetforensics.com/products/magnet-axiom-cyber/

Best regards,
Jad

Posted : 20/03/2020 4:53 pm
hommy0
(@hommy0)
Member

Hi,

EnCase Forensic / Endpoint Investigator version 20.2 contains the remote agent, which allows for preview/collection of a Mac running macOS 10.15 Catalina with the T2 security chip over the network.

Regards

Posted : 16/04/2020 10:50 am
randomaccess
(@randomaccess)
Active Member

Velociraptor is a free collection utility. You can create a server on AWS or your local network and deploy the agents to collect/hunt/monitor.

We use the Windows version a lot, but there is a Mac client. Haven't personally tested it but I know Mike did recently.

Velocidex

Posted : 17/04/2020 12:33 am
Igor_Michailov
(@igor_michailov)
Senior Member

Velociraptor is a free collection utility. You can create a server on AWS or your local network and deploy the agents to collect/hunt/monitor.

We use the Windows version a lot, but there is a Mac client. Haven't personally tested it but I know Mike did recently.

Velocidex

I am not sure that this opinion is correct for acquisition of a Mac with a T2 chip.

Posted : 17/04/2020 8:07 am
randomaccess
(@randomaccess)
Active Member

I am not sure that this opinion is correct for acquisition of a Mac with a T2 chip.

It should let you acquire files still. And you could write a hunt to collect all of the files that you want.
But I'd love to see someone testing it out and demonstrating why it is or isn't suitable.

Posted : 19/04/2020 4:58 am
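An added example of the kind of hunt randomaccess describes, written for this page and not taken from the original thread or from the Velociraptor project: a custom Velociraptor artifact (YAML with an embedded VQL query) that globs a list of macOS paths and uploads the matching files to the server. The artifact name, the default path list and the size cap are assumptions chosen for illustration; adjust them to the case.

```yaml
# Custom Velociraptor artifact (added example, not part of the original post).
# Name, default globs and MaxSizeMB are illustrative assumptions.
name: Custom.MacOS.RemoteTriage
description: |
  Targeted logical file collection from a macOS endpoint.
  Each row of the Globs parameter is a glob pattern; every matching
  regular file under the size cap is hashed and uploaded to the server.
parameters:
  - name: Globs
    type: csv
    default: |
      Glob
      /Users/*/.bash_history
      /Users/*/.zsh_history
      /Users/*/Library/Application Support/Knowledge/knowledgeC.db
      /Users/*/Library/LaunchAgents/*.plist
      /Library/LaunchAgents/*.plist
      /Library/LaunchDaemons/*.plist
      /private/var/log/system.log*
  - name: MaxSizeMB
    type: int
    default: 200

sources:
  - query: |
      -- Turn the CSV parameter into a list of glob strings.
      LET targets = SELECT Glob FROM Globs

      -- Walk the globs, skip directories and oversized files,
      -- record metadata and a hash, and upload each hit.
      SELECT FullPath,
             Size,
             Mtime,
             hash(path=FullPath) AS Hash,
             upload(file=FullPath) AS Upload
      FROM glob(globs=targets.Glob)
      WHERE NOT IsDir AND Size < MaxSizeMB * 1024 * 1024
```

Import the artifact on the server, then schedule a hunt against the macOS clients. Because the client runs inside the booted OS, the T2's volume encryption is transparent to it and what you get is a logical collection of individual files, which is the point being made in the thread: it is not a substitute for a full-disk image. On Catalina the client binary also needs Full Disk Access under the Privacy settings, or reads from protected user locations will fail.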
Em-Belkasoft
(@em-belkasoft)
Junior Member

Hi, rahul25

Have you chosen a tool already? Belkasoft supports remote acquisition of data from Macs (with T2 chips or not).

You can read more on remote forensics options in Belkasoft Evidence Center here https://belkasoft.com/remote_acquisition

Posted : 08/05/2020 4:58 pm
cs1337
(@cs1337)
Member

If you own a copy of MacQuisition and are current on maintenance, they are giving MacQ Live at no additional cost. It will only allow you to do a targeted collection to an L01 or sparse image. It's not ideal, but if you need it just for eDiscovery it's good enough.

I am not aware of a remote solution for full disk imaging of a Mac with T2, as most of the tools I have experience with require booting to a dongle outside of OS X.

Posted : 15/05/2020 4:51 am