MacQuisition 2018 R1 Is Now Available

We are very excited to announce our first major release of 2018 – MacQuisition 2018 R1 is now available! MacQuisition continues to be the leading and most advanced forensic imaging software for Mac OS X and macOS.When Apple launched macOS High Sierra, unarguably the biggest change was the creation of the new Apple File System (APFS). With the challenges that this presents examiners in Mac forensic imaging, providing enhanced APFS support through MacQuisition 2018 R1 has been one of BlackBag’s highest priorities.

Uniquely versatile and reliable, MacQuisition is the trusted forensic solution that runs within a native OS X boot environment. The advanced imaging processes of MacQuisition provides examiners with the software to acquire live data (including RAM) or forensically image over 200 different Apple computers.

“The innovative technologies present in today’s personal computers frequently make the already challenging job for law enforcement and intelligence communities that much more difficult,” explains Ben Charnota, BlackBag’s Chief Customer Officer. “We appreciate all their collective efforts working tirelessly to keep us all safe, so we have spent some time ourselves getting this functionality into our tools – in hopes of making their jobs a bit less challenging.”

What’s New and Improved?

To enhance our forensic Mac imaging tool further, the new features and enhancements of MacQuisition 2018 R1 include:

Ability to format and write to NTFS destination drives
Enhanced Apple File System support, including unlocking APFS FileVault 2 encryption
Ability to capture RAM and targeted collections live on High Sierra
Ability to create a logical container for data collections with the output written to a sparse disk image


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Top 4 New Features

1. Formatting and imaging to NTFS drives

We understand why Windows users are looking for a better destination drive solution than FAT32 and ExFAT formats. BlackBag listened to your requests and we are now licensing and using Paragon NTFS for Mac drivers in MacQuisition 2018 R1 and later. This provides the ability to format drives as NTFS in the ‘Tools’ view. It also allows 2018 R1 users to write data collections and images to NTFS formatted destination drives.

2. Unlocking APFS with FileVault 2 encryption

Examiners are increasingly encountering Apple File System formatted Mac computers with FileVault 2 encryption. MacQuisition 2018 R1 detects FileVault 2 and, after an examiner has entered the password, recovery key, or recovery keychain in ‘Tools’ view, MacQuisition will unlock the APFS synthesized disk and reveal the decrypted data. Thereafter, the examiner is able to conduct a data collection from the unlocked volume to a folder or sparse image.

Examiners will be aware that APFS encryption is handled differently to CoreStorage. We would encourage examiners to look for details in our new “Ask An Expert” series. Part of this series will cover how data storage and encryption has changed and what techniques examiners can use to ensure that they acquire an image they can successfully examine.

3. Capturing RAM and data collections live on High Sierra 10.13

Despite High Sierra’s increased SIP (System Integrity Protection), restricting what an application can access while the Mac is running live, we were still able to build in solutions to MacQuisition 2018 R1. Although SIP prevents live imaging of the 10.13 operating system volume, we solved how to capture RAM and perform data collections while the Mac is running live. The Data Collection pre-selected categories are also improved to better support the files on High Sierra.

4. Creating logical data containers for collections

BlackBag strives to keep up with the ever-changing needs of today’s examiners. Through MacQuisition 2018 R1, examiners are able to conduct targeted data collections and send the output to a logical container. The output is written to a sparse disk image of an HFS+, APFS, NTFS or ExFAT formatted destination drive. This logical container can then be processed by BlackLight, our forensic analysis software.

Your Feedback Fuels The Design

As we grow and perfect new features and functionality within our products, we need you to continue to provide the insightful feedback that has allowed us to develop the tool we are proud to offer today. If you would like to submit feedback or suggestions, please contact us through our product feedback form. Through your feedback, we can continue to provide investigators with the solutions they need to solve the critical issues they face every day.

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 11:44 am

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 11:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...