Reviewed by David Flynn, Forensic Examiner for the Pitt County Sheriff’s Office, Greenville, North Carolina.
MacQuisition has been the go-to tool for acquisition of Apple computers for quite some time.
With the most recent changes in the methods of acquiring data from Apple products, the MacQuisition software is now needed more than ever.
This tool has been time tested and remains at the top of the list for must have tools in the arena of computer forensics.
MacQuisition arrives in the form of a bootable USB drive in a durable and useful case. For a live acquisition accessing the software is as simple as plugging in the USB device to the suspect computer and opening the application. When examining a “dead box” the software can be accessed by booting to the USB device by holding the option key and selecting the MacQuisition partition.
The initial screen provides a place to record all of the pertinent details of the case, as one has come to expect from good forensic tools. This screen also has the added feature of being able to designate the time and date stamps on the logs and reports to the system time, system time adjusted for another time zone, or a custom time of your choosing. This will help alleviate time conversions later in the examination.
If your goal is to capture data from a live system, without imaging the entire drive, the “Data Collection” tab allows the user to collect data from various places on the drive including chats, internet history, system information, email, and many others. Selecting the data to collect in the left pane shows you the locations of the files that will be collected and the reported size of the total amount of data to be collected. Each of the check boxes can be selected or deselected, which allows for only collecting the data that is relevant to your case. This is especially helpful in electronic discovery or if a search warrant only allows for certain data. The software also allows for collection of specific data like the user keychain and recovery of user passwords.
The collected data will be written to a location that you specify. While using MacQuisition on a live system it does not prevent you from writing to the suspect drive, so care should be taken to write out to a separate device and preserve the target as much as possible. As with any live acquisition, proper documentation can prevent claims that the evidence was altered unnecessarily.
MacQuisition has the same limitations as the OSX operating system, in that it can only write out to drives formatted as HFS, ExFAT, or MS-DOS. A device formatted FAT32 is supported as an MS-DOS device and will also work on a Windows machine. The Macbook that I was working with had Paragon’s NTFS for Mac installed. I was able to write out data to an NTFS formatted USB device without issue. This is especially helpful because all of my other software for computer forensics is run on Windows machines. This worked on both a live acquisition and when booted to the MacQuisition USB device. Unfortunately, the ability to write to NTFS drives is dictated by the target machine.
When capturing the imaging a drive, partition, or RAM you are given several options for the output format. You can choose Raw, DMG, and E01 with several compression options. You are also able to choose a segment size for your image and which hash algorithm to use to verify your image. The RAM and each disk is shown, along with all of the partitions on each drive. The interface is well laid out and it is easy to identify each disk connected to the target machine.
With the frequency in the use of encryption on the rise, live acquisitions have become very important in computer forensics today. Without the user password it is nearly impossible to recover any data from an encrypted device. With the ability to capture the RAM of a live system and the keychain files, you can recover the passwords necessary to complete an image of the drive. This allows the examiner to complete the acquisition in the convenience of your lab instead of spending hours on scene imaging target drives.
When an image is created it is documented in several log files that will be added into the same directory as the image file itself. The acquisition log contains the case information that the examiner enters on the initial screen, information about the target volume, start and end times, and hash values for the images. A system summary file contains information about the host machine. Other files contain more information on the acquisition and system events.
The tools tab offers several options that can help with acquisitions and verification. From here the examiner can choose which volumes to mount and whether the volume is read only or read / write. There is an option to erase and format a device. The formatting options are hfsx (Case Sensitive), HFS+, and MS-DOS (FAT32). The examiner can also open a terminal or hash a device. Lastly there is an option to hash an image file. This would be useful for hashing and verifying any image file created with MacQuisition.
One feature I would like to see in future releases is the ability to take screenshots while booted to the MacQuisition drive. When imaging a live system screenshots are easily taken with the target OS. There is currently no option to screenshot while booted to the MacQuisition drive.
Overall, I find the MacQuisition software to be an outstanding and necessary tool for any digital forensic examiner. The fact that OSX machines now require a special tool to acquire data makes MacQuisition a tool that any examiner should have. MacQuisition is very simple and easy to use: I was able to successfully image RAM, specific data, and entire drives without experience or training specific to MacQuisition. It is the simplicity of the software that makes it one of the best choices for examiners. I personally do not see many OSX computers and MacQuisition is easy enough to use without repeated and frequent use.
About the Reviewer
David Flynn is a Detective and Forensic Examiner for the Pitt County Sheriff’s Office in Greenville, North Carolina. He has been conducting digital forensic examinations for the past 10 years as both a computer and mobile device examiner. He uses his knowledge and expertise to provide consultation and assistance to several agencies in Eastern North Carolina. Detective Flynn is a part of the North Carolina Internet Crimes Against Children Task Force and has attended training provided by the National White Collar Crime Center, Academy of Applied Forensics, National Computer Forensics Institute, and Department of Homeland Security.
About MacQuisition from BlackBag
MacQuisition is a powerful, 3-in-1 solution for live data acquisition, targeted data collection, and forensic imaging. Find out more on BlackBag's website.