by Jade James
MacQuisition is an effective 3-in-1 tool which provides the facility to acquire data live from a running system, as well as offering targeted data collection and forensic imaging. MacQuisition runs on Mac OS X and safely boots and acquires data from over 185 different Macintosh computer models in their native environments, even Fusion Drives. The tool is contained within a 120GB dongle or a 1TB SSD.

Targeted data collection allows you to select and forensically acquire files, folders and user directories whilst avoiding known system files and other unnecessary artifacts. Acquiring live data from a running system allows you to capture valuable data such as internet usage, chats from iMessage, WhatsApp etc. and multimedia files in real time; this is beneficial in a time-sensitive investigation. With MacQuisition you are also able to forensically acquire volatile Random Access Memory. MacQuisition allows you to acquire images in a forensically sound manner and automatically recognises a Fusion drive or whether FileVault is present.
As I have previously reviewed MacQuisition 2018R1.2, it was interesting to see what had been updated in the latest release.
MacQuisition 2019 R1 includes:
● Ability to create physical images of Macs with the Apple T2 chip
● Support for imaging APFS Fusion drives
● Ability to capture RAM and targeted collections live on Mojave
● Support for booting newer hardware
● Full APFS support
● Output to NTFS drives with built-in Paragon drivers
The latest MacQuisition release may not be compatible with all Macs, but you can try using a legacy version if you need to. Below is a table which specifies the compatibility with Macs.
An examiner may need to collect data live from a running system, without shutting the system down. This can be due to a number of reasons; for example, the computer could be encrypted, with either FileVault or T2 chip encryption. Or perhaps the examiner is only authorised to collect data live from the running system in situ. Also, if you shut down the system, there may be certain files which may not be available afterwards.
While the live system is running, you simply need to connect the MacQuisition dongle to one of the free ports. When you connect the dongle, you will notice three volumes being mounted on the desktop: Application, MQData and MQLicence. Within ‘Application’ you will find: MacQ 2019R1, MacQ Secondary, MacQ Legacy 2015, MacQ Legacy 2011, and the quick start guides.
To launch the tool you simply need to double click on the ‘Application Volume’, select MacQ 2019R1, and follow the prompts. Note that when you launch MacQuisition on a live system, changes are made to the host computer. Also, when connecting the MacQ dongle to a Windows system, only the ‘MQLicense’ folder is accessible; therefore if you want to save screenshots, it is best to save them to this folder or to another separate storage medium.
You may come across difficulties with regard to authorisation, as accessing certain areas of storage is prohibited unless you have Admin privileges. In order for me to use MacQuisition on a live system, I had to go to ‘System Preferences’ and allow MacQuisition to access the kernel. Again, this would mean making changes to the host system and therefore could compromise the integrity of the data being acquired. This was required to elevate the user privileges and allow me to collect data from multiple user accounts.
MacQuisition will automatically scan for FileVault. If you do not have the password to decrypt a FileVault encrypted disk, then a live acquisition of the data may be your only option. If FileVault is detected, you will be prompted to enter the password at this point. Again, note that FileVault is encryption of the user’s home folder, whereas FileVault 2 is encryption of a volume, and the only way Full Disk Encryption (FDE) is achievable is through the T2 chip, which provides hardware encryption.
Once you have gone through the necessary steps, you will be presented with the ‘Case Details’ screen. At this point you will be able to enter basic details about the case, such as the case name and ID number, location, details of the examiner, and comments. There is also the option to change the system time and date for the logs and reporting. Along the top of the screen, you will see the options for ‘Data Collection’, ‘Image Device’ and ‘Tools’.
The ‘Data Collection’ option allows you to target your data acquisition and only acquire data which is actually necessary or relevant. You can select or deselect the files and folders which you wish to capture. These can include system data, such as users, attached disks, processes, clipboard, and so on. You can select the user files per volume and per user; these can also show chats, email, desktop picture, iOS backups and certificates, web activity, trash, and so on. You also have the option to specify desired files by location, by navigating directly to where they are stored. Deselecting unnecessary or known files means that the data collection takes less time.
When exporting from a live data collection, you have the choice of exporting to a folder or as a Sparse image. A Sparse image is a type of disk image that can be created in Mac OS X using the Disk Utility. A DMG, as a full image file, takes up as much space as the real disk represents, including any unused space; a Sparse image only takes up as much space as the data contained within it.
Unlike imaging with MacQ, a logical data collection cannot be sent to multiple destinations. For imaging, from MacQuisition 2013 R2 (and later) in live mode, you are able to select multiple image destinations from the destination list box: select the [+] button to add a destination volume or folder. To remove a destination volume, highlight the volume name and select the [-] button, or press the Delete key on your keyboard.
The hashing options for the data collection are MD5, SHA1 and SHA256. You can also export to APFS or HFS+ formatted drives and you have the option to export to NTFS formatted drives too. Bear in mind, however, that if you do choose to export to an NTFS drive, you will lose potentially valuable metadata in the process.
RAM can be imaged live by selecting the ‘Image Device’ tab and highlighting the Physical Memory found at the top of the list. You will be required to enter the admin password to image the Mac memory. The Mac memory will be heavily compressed, meaning the imaged RAM output will be larger than the 16GB or other physical size shown. Therefore it is advisable to make sure you have double the amount of storage capacity of the physical RAM represented. It is crucial that you output the RAM in a Raw format. It is possible to image to multiple destinations.
To boot into MacQuisition, you need to make sure the computer is switched off and you have both MacQuisition and a power source connected. When imaging it is also beneficial to use a genuine Apple or Belkin adapter, otherwise you may not be able to acquire an image successfully. When you power on the computer, you will need to hold down the ‘option/alt’ key. You will be presented with the following volumes: MacQ 2019R1, MacQ Secondary, MacQ Legacy 2015 and MacQ 2011. Conveniently, in the latest release these volumes are now numbered so you know which order you need to try them in.
The ‘Image Device’ screen is identical to the one you are presented with in the live mode. The icons you see furthest to the left are the physical devices (note that a physical device can be virtual). The indented icons are the volumes/partitions. On this screen you will be shown whether there are any Fusion drives or APFS containers, encrypted or decrypted. APFS containers act like a RAID, therefore it is not possible to image one part of the container by itself: you will need to image the whole container to access all the data.
Imaging is as easy as selecting the necessary drive or volume, selecting the format of the image, i.e. Raw (dd), DMG or E01 compressed or uncompressed, and selecting the segment size (no segments, 640MB, 1GB, 2GB, 4GB, 8GB or custom). Also with image formats, you have the option to select AFF4 for APFS Fusion drives or T2 computers. If an examiner selects the E01 image format, an image may be acquired to two destination volumes or folders. If an examiner selects the Raw or DMG image format, an image may be acquired to unlimited destination volumes or folders. Selecting the E01 image format and more than two destination volumes/folders will result in a warning prompt being displayed.
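As an added illustration of the segment-size and hashing options described above (this is not MacQuisition’s own code), the following Python writes a constructed sample image as numbered raw segments, hashes the whole stream with MD5, SHA1 and SHA256 as it is written, and then verifies the segments, including detecting a later change to one of them. The `.001`, `.002` segment naming and the tiny segment size are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample "disk image" (10,240 bytes); not from any real device.
SAMPLE_IMAGE = bytes(range(256)) * 40
SEGMENT_SIZE = 4096  # stands in for the tool's 640MB/1GB/2GB... choices
ALGOS = ("md5", "sha1", "sha256")  # the hashing options offered by the tool


def write_segmented_image(data: bytes, dest_dir: str, base: str, seg_size: int) -> dict:
    """Write `data` as numbered raw segments (base.001, base.002, ...) and
    hash the complete stream as it is written. Returns a manifest dict."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    paths = []
    for idx, off in enumerate(range(0, len(data), seg_size), start=1):
        chunk = data[off:off + seg_size]
        path = os.path.join(dest_dir, f"{base}.{idx:03d}")  # assumed naming
        with open(path, "wb") as fh:
            fh.write(chunk)
        for h in hashes.values():
            h.update(chunk)
        paths.append(path)
    return {"segments": paths, **{n: h.hexdigest() for n, h in hashes.items()}}


def verify_segmented_image(paths: list, expected: dict) -> bool:
    """Re-read the segments in acquisition order, recompute all three hashes
    over the concatenated stream and compare with the manifest values."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    for path in sorted(paths):  # zero-padded suffix keeps lexical == acquisition order
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(65536), b""):
                for h in hashes.values():
                    h.update(block)
    return all(hashes[n].hexdigest() == expected[n] for n in ALGOS)


def demo(seg_size: int = SEGMENT_SIZE) -> dict:
    """Acquire, verify, then corrupt one byte of the last segment and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        manifest = write_segmented_image(SAMPLE_IMAGE, d, "evidence.dd", seg_size)
        verified = verify_segmented_image(manifest["segments"], manifest)
        # Simulated damage to a segment after acquisition (constructed for the demo).
        with open(manifest["segments"][-1], "r+b") as fh:
            fh.seek(10)
            fh.write(b"\xff")
        still_ok = verify_segmented_image(manifest["segments"], manifest)
    return {"segment_count": len(manifest["segments"]), "verified": verified,
            "tamper_detected": not still_ok, "sha256": manifest["sha256"]}
```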
With macOS 10.14 (Mojave), Apple added Fusion Drive support. Fusion drives are Apple’s implementation of a Hybrid drive. This consists of an HDD (usually spinning at 5400rpm) and NAND Flash storage (i.e. an SSD of 24GB or more), presented as a single logical volume. MacQuisition 2019R1 and above now recognises Fusion drives. To use MacQuisition to image one, simply select the APFS container which contains the Fusion drive volume and select AFF4 (compressed or uncompressed) as the image type.
From 2018, Apple has introduced T2 security chips to all Mac computers, providing hardware encryption for the data stored on the system. The T2 chip acts similarly to a Secure Enclave, comparable to the one in iOS devices. A Secure Enclave is a hardware-based key manager that is isolated from the main processor to provide an extra layer of security. The Secure Enclave is part of the A7 and newer chips and is used for data protection, Touch ID and Face ID. The T2 chip holds a 256-bit AES UID and GID key, which are fused into the chip during manufacturing; no software or firmware can read the keys directly. It encrypts the data on an enclosed SSD, and the encryption is handled by a separate AES engine.
T2 encryption presents a problem to any examiner wishing to image the computer, as the security of the T2 chip prevents the device from booting from external devices. This causes a problem when trying to boot into MacQuisition, so in order to do so you will have to have access to the device, open the Startup Security Utility and change the settings (i.e. change the Secure Boot setting to no security and change the External Boot setting to allow booting from external media). This means that the administrator password will be required, which is not always available.
It is also possible to put the Mac you are investigating into Target Disk Mode (TDM), use a different Mac to boot into MacQuisition, connect the two Macs and acquire an image this way. Note that when you place a T2 computer into TDM, this allows the Mac to be read/write. At the time of writing, I believe that BlackBag with their MacQuisition tool are the only technical vendor to offer the facility to acquire a physical image of a T2 chip Mac.
MacQuisition is forever evolving and keeping up with the pace of new Apple Technology and will always be a fit for purpose tool, which allows you to extract and acquire data from Macs seamlessly. It is easy to use and follow, even for an examiner with little experience of Apple systems.
The team at BlackBag are very friendly and approachable and are very keen to listen to their customers’ needs and suggestions, and incorporate these within the new releases.
I would definitely recommend the use of MacQuisition to anyone who needs to image an Apple device.
About The Reviewer
Jade James BSc (Hons) is currently a Cyber Security and Forensics Postgraduate Student. She has previous professional digital forensic experience from working at the UK’s Serious Fraud Office, IntaForensics, the Home Office Centre for Applied Science and Technology, and the City of London Police. Jade has gained experience from conducting computer and mobile device examinations as well as drone forensics, and has been involved with ISO 17025 and Quality Standards both as a Digital Forensic Practitioner and Quality Manager.