BlackBag Technologies is proud to announce the first and only solution to produce a decrypted physical image of Apple’s latest Mac systems utilizing the T2 chip. Current logical imaging solutions, including functionality available in the previous version of BlackBag’s own MacQuisition tool, and competing solutions like Sumuri Recon and EnCase, miss critical file system information that only this new level of physical access will be able to provide. This vital imaging functionality will be available in the upcoming MacQuisition 2019 R1 release and the output will be seamlessly ingested for analysis by BlackLight 2019 R1.All Mac computers, starting in late 2017, rely on Apple’s T2 security chip to provide hardware-assisted encryption for data stored on the system. Apple’s T2 encryption methodology is unique to each Mac, and critical data can only be decrypted using the keys stored in that systems T2 chip. Although currently it is infeasible to extract the encryption keys from the T2 chip, BlackBag has built the only solution that works with the chip to decrypt the filesystem at collection time, enabling examiners to capture the entire physical blocks that hold vital information and not just logical files. In addition, unlike other products that need admin credentials just to obtain logical data, BlackBag can do this without the user’s credentials or a recovery key (credentials are only required if the additional security of FileVault protection is also enabled on the system).
“I am excited customers can rely on BlackBag to provide leading solutions to handle the ever-changing complexities introduced by encryption, especially for Mac. Last year we were the first to provide a complete solution for Apple’s APFS, and now we are again first to update our tools to fully support the latest hardware from Apple,” said Derrick Donnelly, BlackBag’s Chief Scientist and founder.
With the upcoming release of MacQuisition 2019 R1 and BlackLight 2019 R1, investigators will be able to gather all the data exactly as it is stored on file system, not just what is gathered by completing a logical acquisition through other tools. Dr. Joe Sylve, BlackBag’s Director of Research further explains, “These physical images will include file system level artifacts, like APFS Snapshots and extended attributes, that can show details unavailable to investigators since this new hardware has been introduced.”
As Microsoft and Apple continue to update their systems, BlackBag will continue to provide investigators the tools they need to reveal the truth in both Windows and Mac OS.
About the Company
BlackBag Technologies is a developer of innovative forensic acquisition, triage, and analysis software. The company’s flagship product, BlackLight, has been adopted worldwide by digital forensics examiners as a primary analysis tool. Mobilyze, BlackBag Technologies’ ground-breaking mobile device triage tool, empowers law enforcement personnel, with or without specialized experience, to capably triage and report on data from smartphones. MacQuisition, the leading software for macOS forensics, is a 3-in-1 solution for live data acquisition, targeted data collection, and forensic imaging. To learn more about BlackBag Technologies contact us at 855-844-8890, email [email protected] or visit us at blackbagtech.com.
