There are currently over one billion Apple products in consumer hands worldwide. Apple products often create unique challenges during data acquisition and digital investigations. Fortunately, OpenText™ EnCase™ Forensic and Tableau Forensic Hardware provide a broad range of Apple support to help you easily overcome these challenges.
In 2010, Apple began a new trend of developing proprietary connectors and form factors for their product drives. These custom drives require special adapters for investigators to image the drive contents in a forensically-sound, court-accepted manner. OpenText Tableau Hardware products have kept pace with the evolution of Apple drives. The Tableau Forensic PCIe Bridge was the first-ever portable write-blocker to allow forensic acquisition of PCIe solid-state-drives (SSD). Furthermore, the new Tableau PCIe Adapter empowers investigators to image Apple PCIe from mid-2013 – 2016 MacBook Pro, MacBook Air, and Mac Pro.Regular Tableau Firmware Updates also provide ongoing Apple support. When the FireWire port was replaced by USB-C on Apple Macs, a free firmware update enabled the native write-blocked USB port on the Tableau TX1 Forensic Imager and Tableau Universal Bridge to detect and image USB-C when in Target Disk Mode.
The new Tableau Forensic Imager (TX1) 2.0 now provides support for comprehensive Apple Target Disk Mode Forensics. It offers several methods to acquire digital evidence from Mac computers in Target Disk Mode over USB-C, FireWire or Thunderbolt. It captures both physical drives (HDD and SSD) configured as one Fusion Drive on iMac® and Mac Mini®.
Most recently, the new Apple File System (APFS) was released to replace HFS+ as Apple’s default file system for macOS High Sierra (macOS 10.3). APFS presents many challenges for investigators, beginning with the fact that it must be reverse engineered for digital forensic purposes as Apple has not released the source code. Nonetheless, in September 2017, OpenText EnCase Forensic 8.07 introduced fundamental support for APFS, enabling targeted collection of forensic data from Apple devices running High Sierra. Furthermore, the newly released EnCase™ Forensic 8.08 can now decrypt APFS volumes encrypted with File Vault 2.
As technology continues to advance, so too must the tools for investigators. No other company offers the same breadth of digital forensic solutions as OpenText to support investigators when they encounter Apple products. OpenText will continue to innovate and develop new products and features to overcome any new acquisition and investigative challenges.
For more information about EnCase APFS support, watch the on demand Webinar – The Challenges of APFS and How EnCase Can Help.
Click the links to learn more about OpenText™ EnCase™ Forensic and Tableau products.
