MacQuisition 2017 From BlackBag Technologies

Reviewed by David Flynn, Forensic Examiner for the Pitt County Sheriff’s Office, Greenville, North Carolina.

MacQuisition has been the go-to tool for acquiring Apple computers for quite some time.

With the most recent changes in how data is acquired from Apple products, the MacQuisition software is now needed more than ever.

This tool has been time-tested and remains at the top of the list of must-have tools in computer forensics.

Ease of use

MacQuisition arrives as a bootable USB drive in a durable and useful case. For a live acquisition, accessing the software is as simple as plugging the USB device into the suspect computer and opening the application. When examining a "dead box", boot the suspect machine from the USB device instead: hold the Option key at power-on to reach the Startup Manager and select the MacQuisition partition, so the suspect OS never starts.



The initial screen provides a place to record all of the pertinent case details, as one has come to expect from good forensic tools. It also lets you choose how timestamps in the logs and reports are recorded: in the system time, in the system time adjusted to another time zone, or in a custom time of your choosing. Deciding this up front saves time-zone conversions later in the examination.

Live acquisitions

If your goal is to capture data from a live system without imaging the entire drive, the "Data Collection" tab lets you collect data from various places on the drive, including chats, internet history, system information, email, and many others. Selecting a category in the left pane shows the locations of the files that will be collected and the reported total size of the collection. Each check box can be selected or deselected, so you collect only the data that is relevant to your case. This is especially helpful in electronic discovery, or when a search warrant only authorizes certain data. The software also allows collection of specific artifacts such as the user keychain, and recovery of user passwords.

The collected data is written to a location that you specify. Running MacQuisition on a live system does nothing to stop writes to the suspect drive: the suspect OS is still running with its volumes mounted read/write, so write the output to a separate device and touch the target as little as possible. As with any live acquisition, documenting exactly what you ran and when lets you account for the changes the acquisition itself made and rebut claims that the evidence was altered unnecessarily.

Imaging a drive

MacQuisition inherits the same limitation as the OS X operating system, in that it can only write out to drives formatted as HFS+, exFAT, or MS-DOS (FAT32); OS X reads NTFS but cannot write to it without a third-party driver. A device formatted FAT32 is supported as an MS-DOS device and will also work on a Windows machine, but FAT32 cannot hold a file of 4 GiB or larger, so choose an image segment size below that limit. The MacBook that I was working with had Paragon's NTFS for Mac installed. I was able to write out data to an NTFS formatted USB device without issue. This is especially helpful because all of my other software for computer forensics is run on Windows machines. This worked on both a live acquisition and when booted to the MacQuisition USB device. Unfortunately, the ability to write to NTFS drives is dictated by the target machine (here, the Paragon driver installed on it), not by MacQuisition.

When imaging a drive, partition, or RAM you are given several options for the output format. You can choose Raw, DMG, or E01, with several compression options. You can also choose a segment size for your image and which hash algorithm to use to verify it. The RAM and each disk are shown, along with all of the partitions on each drive. The interface is well laid out and it is easy to identify each disk connected to the target machine.

With disk encryption (FileVault on OS X) increasingly common, live acquisition has become very important in computer forensics today. Without the user's password or recovery key it is nearly impossible to recover any data from an encrypted volume. Capturing the RAM of the live, unlocked system together with the keychain files gives you the material to recover the passwords necessary to complete an image of the drive. This allows the examiner to finish the acquisition in the convenience of the lab instead of spending hours on scene imaging target drives.

When an image is created it is documented in several log files that are written to the same directory as the image file itself. The acquisition log contains the case information the examiner entered on the initial screen, information about the target volume, start and end times, and the hash values for the image. A system summary file contains information about the host machine. Other files contain further detail on the acquisition and on system events.

Tools and options

The Tools tab offers several options that help with acquisitions and verification. From here the examiner can choose which volumes to mount and whether each is mounted read-only or read/write. There is an option to erase and format a device; the formatting options are HFSX (case-sensitive HFS+), HFS+, and MS-DOS (FAT32). The examiner can also open a terminal or hash a device. Lastly, there is an option to hash an image file, which is useful for verifying any image created with MacQuisition against the hash recorded in its acquisition log.
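The verification step that the hash-an-image option and the acquisition log's hash values support, written out as an added example (this is not MacQuisition's code, and it does not parse MacQuisition's log format): it hashes a segmented raw image in one pass and compares the result with the digests copied from the acquisition log. The segment naming (case001.001, case001.002, ...) and the expected digests are constructed for the sample. This only applies to Raw output; an E01 stores its hash over the acquired data, not over the .E01 files, so verify E01 images with a tool that understands the format (ewfverify from libewf) or with MacQuisition's own option.

```python
"""Verify a segmented raw (dd-style) image against the hashes recorded in an
acquisition log.  Added example; assumes segments are named <stem>.001, .002, ...
and that the expected digests were copied from the log by hand."""
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-hundred-GB images


def segment_paths(directory, stem):
    """Return the raw segments <stem>.NNN in numeric order.

    Numeric, not lexical, sort: segment 10 must follow 9 even if the
    padding differs, otherwise the concatenation (and the hash) is wrong."""
    pattern = re.compile(re.escape(stem) + r"\.(\d+)$")
    found = []
    for path in Path(directory).iterdir():
        match = pattern.match(path.name)
        if match:
            found.append((int(match.group(1)), path))
    return [path for _, path in sorted(found)]


def hash_segments(paths, algorithms=("md5", "sha256")):
    """Hash the concatenation of the segments in a single pass over the data,
    computing every requested algorithm at once.  Returns {algo: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                for hasher in hashers.values():
                    hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(directory, stem, expected):
    """expected: {algo: hex} as recorded in the acquisition log.

    Returns (ok, computed) so both values can be written into the exam notes;
    a missing segment set is an error rather than a silent mismatch."""
    paths = segment_paths(directory, stem)
    if not paths:
        raise FileNotFoundError(f"no segments named {stem}.NNN in {directory}")
    computed = hash_segments(paths, tuple(expected))
    ok = all(computed[name] == digest.lower() for name, digest in expected.items())
    return ok, computed


# Constructed sample: three segments whose concatenation is b"abc".
SAMPLE_EXPECTED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def build_sample():
    """Write the constructed sample segments to a temp directory, return its path."""
    directory = tempfile.mkdtemp()
    for index, part in enumerate((b"a", b"b", b"c"), start=1):
        Path(directory, f"case001.{index:03d}").write_bytes(part)
    return directory


def sample_results():
    """The intact sample verifies; the same sample with its last segment
    truncated (a partial copy to the lab share) must not."""
    directory = build_sample()
    ok_intact, _ = verify_image(directory, "case001", SAMPLE_EXPECTED)
    Path(directory, "case001.003").write_bytes(b"")
    ok_truncated, _ = verify_image(directory, "case001", SAMPLE_EXPECTED)
    return ok_intact, ok_truncated


if __name__ == "__main__":
    ok, computed = verify_image(build_sample(), "case001", SAMPLE_EXPECTED)
    print("VERIFIED" if ok else "MISMATCH", computed)
```

Hashing every algorithm in one read matters on a real image: a second pass over a 1 TB drive costs another hour or more of drive time, and recording both the log's digest and the recomputed one in the notes is what makes the verification defensible later.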

One feature I would like to see in future releases is the ability to take screenshots while booted to the MacQuisition drive. When imaging a live system screenshots are easily taken with the target OS. There is currently no option to screenshot while booted to the MacQuisition drive.

Summary

Overall, I find the MacQuisition software to be an outstanding and necessary tool for any digital forensic examiner. The fact that OS X machines now require a special tool to acquire data makes MacQuisition a tool that any examiner should have. MacQuisition is very simple and easy to use: I was able to successfully image RAM, specific data, and entire drives without experience or training specific to MacQuisition. It is the simplicity of the software that makes it one of the best choices for examiners. I personally do not see many OS X computers, and MacQuisition is easy enough to use without repeated and frequent practice.

About the Reviewer

David Flynn is a Detective and Forensic Examiner for the Pitt County Sheriff’s Office in Greenville, North Carolina. He has been conducting digital forensic examinations for the past 10 years as both a computer and mobile device examiner. He uses his knowledge and expertise to provide consultation and assistance to several agencies in Eastern North Carolina. Detective Flynn is a part of the North Carolina Internet Crimes Against Children Task Force and has attended training provided by the National White Collar Crime Center, Academy of Applied Forensics, National Computer Forensics Institute, and Department of Homeland Security.

About MacQuisition from BlackBag

MacQuisition is a powerful, 3-in-1 solution for live data acquisition, targeted data collection, and forensic imaging. Find out more on BlackBag's website.
