MacQuisition From BlackBag

Reviewed by Jade James

MacQuisition is a simple but effective tool for imaging and data collection from iMacs, MacBooks, Mac Pros and Mac Minis. The tool is solely for use with Macs, but although it is a niche product, MacQuisition has many benefits. The latest release of MacQuisition is 2018 R1.2, which is supplied on a 120GB or 1TB dongle/drive. This in itself is extremely useful, as it allows you to image directly to the dongle. It can also act as a collector and is ideal for data collection in situ. Booting from the dongle eliminates the need to dismantle the system to access the drives, which could be problematic and could potentially result in the loss of data. The 120GB version comes with USB 2.0 and USB-C connector cables, allowing for use with the latest MacBook Pros and iMac Pros.

The latest release comes with the following features:

● Formatting and imaging to NTFS drives
● Unlocking APFS with FileVault2 encryption
● Capturing RAM and data collections live on High Sierra 10.13
● Creating logical data containers for collections
● Support for APFS formatted drives with or without encryption, including logical file collection

MacQuisition provides a powerful 3-in-1 solution for:

● Live data acquisition
● Targeted data collection
● Forensic imaging

Live data collection is a very effective feature of MacQuisition as it allows you to collect data from a live system, which means you won’t lose volatile data by switching the system off in order to boot into MacQuisition. This also allows for the live capture of Random Access Memory (RAM), which could be beneficial in a forensic investigation. However, caution should be taken whilst accessing a live system as there is nothing to stop you from writing to the system.

Targeted data collection gives you the opportunity to pre-select artefacts of interest, which speeds up the acquisition process and cuts down on unnecessary imaging. You can select from a range of user files and folders, including internet history, email, chat messages, pictures and contacts, and it gives you a useful indication of the collection size. You also have the option of hashing the logical image with MD5, SHA-1 or SHA-256.

The latest version of MacQuisition will automatically recognise a Fusion drive (Apple’s name for a hybrid drive: a combination of a conventional HDD and NAND flash storage or an SSD). If FileVault 2 is present, MacQuisition will use the password, Keychain file or recovery key to mount the volume in a read-only state, after which you can decide whether to triage or conduct data collection. Imaging is made easy by the option to image to the dongle acting as a collector, but even using the best compression you will have difficulty imaging a drive larger than 128GB unless you have the 1TB SSD version of MacQuisition. Imaging to an external drive is simple enough, and MacQuisition gives you the option to mount and format a drive so that it is suitable as an imaging destination.

Using MacQuisition

If the system is turned off, you simply connect MacQuisition and power on the system whilst holding down the ‘Alt’ or ‘Option’ key. You will be presented with three choices: MacQuisition2018R1.2; MacQuisition Secondary; or MacQuisition Legacy.

Selecting MacQuisition2018R1.2 will bring you to the main menu, where you will find a variety of different options to choose from. First you can enter the case details and check that the system time and date are correct for the logs.

The Tools tab allows you to mount a device as either read-only or read/write; erase and format a device as HFSX, HFS+, MS-DOS (FAT32) or NTFS; launch the terminal to use a command line interface for MacQuisition (recommended for advanced users only); and hash a device or image file. Before imaging you will need a suitably formatted destination device, as MacQuisition can only image to the formats mentioned above.

Data collection allows you to select predefined items to create a logical image of the system, including system data (such as kernel version, system hostname, etc.), user files (user directories and files per user) and system files (OS X volumes and files per volume). MacQuisition first prepares the data for collection by gathering path and metadata information.

If there are different email accounts, you will be prompted to ‘copy alias only’, ‘copy target’ or ‘convert alias’. The data collection can be stored in a folder or as a ‘sparse image’ (a disk image file used on macOS that grows as data is added to it, taking up only as much disk space as is actually stored in it).

Creating a forensic image is simple enough: select the Image Device tab, then choose to acquire a physical or logical image by selecting either the physical device or a particular partition. There is a choice of output format (raw, DMG or E01, with E01 compression options of uncompressed, empty block compression, fast compression and best compression), various segment sizes (640MB, 1GB, 2GB, 4GB, 8GB and custom), and you can choose which hash algorithm you would like to use. It is very easy to differentiate between the source device and its partitions.
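The hash options described above (MD5, SHA-1 or SHA-256 for the logical collection, and a chosen algorithm for the segmented physical image) only earn their keep if the examiner can later re-verify the output. The script below is an added example written for this review and is not MacQuisition code: it hashes a set of image segments in acquisition order as one continuous stream, compares the result with the hash recorded at acquisition time, and shows that a truncated or missing segment is detected. The segment naming (`image.001`, `image.002`, ...), the tiny segment size and the sample "device" contents are all constructed assumptions for the demonstration; real segments would be the 640MB to 8GB files the tool writes.

```python
"""
Added example, not part of MacQuisition: re-verify a segmented raw image.

A segmented raw acquisition is only the original device split into
consecutive files, so hashing the segments back-to-back as a single
stream must reproduce the hash taken of the source at acquisition time.
"""
import hashlib
import tempfile
from pathlib import Path

SUPPORTED_ALGOS = ("md5", "sha1", "sha256")   # the algorithms the review mentions


def hash_stream(paths, algo="sha256", chunk_size=1 << 20):
    """Hash the contents of several files as one continuous byte stream."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    h = hashlib.new(algo)
    for p in paths:
        with open(p, "rb") as f:
            # Read in chunks so multi-gigabyte segments never sit in memory at once.
            for chunk in iter(lambda: f.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def segment_paths(directory, base="image"):
    """Return the segments in acquisition order (assumed naming: image.001, image.002, ...)."""
    return sorted(Path(directory).glob(f"{base}.[0-9][0-9][0-9]"))


def write_segmented_image(source_bytes, directory, segment_size, base="image"):
    """Split a byte string into fixed-size segment files, mimicking a segmented raw image."""
    paths = []
    for idx, offset in enumerate(range(0, len(source_bytes), segment_size), start=1):
        p = Path(directory) / f"{base}.{idx:03d}"
        p.write_bytes(source_bytes[offset:offset + segment_size])
        paths.append(p)
    return paths


def verify_image(directory, expected_hexdigest, algo="sha256", base="image"):
    """Return (ok, computed): ok is True when the segments re-hash to the recorded hash."""
    computed = hash_stream(segment_paths(directory, base), algo)
    return computed == expected_hexdigest, computed


def sample_source_bytes():
    """Constructed 4000-byte stand-in for a source device (not real acquisition data)."""
    return bytes(range(256)) * 15 + b"\xff" * 160


def make_sample_acquisition(directory, segment_size=1024):
    """Hash the sample source, then 'image' it into segments; return the acquisition hash."""
    source = sample_source_bytes()
    source_hash = hashlib.sha256(source).hexdigest()
    write_segmented_image(source, directory, segment_size)
    return source_hash


def run_demo():
    """Full round trip: clean verification succeeds, a truncated segment is detected."""
    with tempfile.TemporaryDirectory() as d:
        expected = make_sample_acquisition(d)
        segments = segment_paths(d)
        clean_ok, _ = verify_image(d, expected)
        # MD5 over the segments must equal MD5 over the original source as well.
        md5_matches = hash_stream(segments, "md5") == hashlib.md5(sample_source_bytes()).hexdigest()
        # Simulate a damaged copy: drop the final byte of the last segment.
        last = segments[-1]
        last.write_bytes(last.read_bytes()[:-1])
        corrupt_ok, _ = verify_image(d, expected)
    return {
        "segments": len(segments),
        "clean_ok": clean_ok,
        "md5_matches": md5_matches,
        "corrupt_ok": corrupt_ok,
    }


if __name__ == "__main__":
    print(run_demo())
```

Hashing the segments as one stream rather than file by file matters: per-segment hashes are useful for spotting which file was damaged, but only the stream hash can be compared with the hash the tool recorded for the whole device at acquisition time.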

Running MacQuisition on a live system is straightforward: you connect the dongle and navigate to the application, and it runs as a program on the device. From there the setup is exactly the same. This process is ideal for on-scene investigations or simple triage.

Summary

MacQuisition is a useful tool for the collection and forensic imaging of digital data on Macs. It is straightforward to use, and if you do need guidance, there is documentation available within the software to support you. If you are familiar with Linux-based systems, you will find MacQuisition easy to use, as the underlying code of Mac OS X and Linux are separate branches of UNIX, and MacQuisition has been created specifically for use on Mac OS X.

The only added functionality that I would like to see in future releases is the ability to take screenshots while examining a device. Currently, you are only able to take screenshots while running MacQuisition on a live system, which means the screenshots are saved to the desktop of the source device. It would be really useful in the production of examiner notes if you could take screenshots during examination as well. Overall, however, I would recommend this tool to all examiners and investigators.

About The Reviewer

Jade James BSc (Hons) is currently a Digital Forensic Investigator at the Serious Fraud Office. She has previous professional digital forensic experience from working at IntaForensics, the Home Office Centre for Applied Science and Technology and the City of London Police. Jade has gained experience conducting computer and mobile device examinations and drone forensics, and has been involved with ISO 17025 and quality standards both as a Digital Forensic Practitioner and as a Quality Manager.

About BlackBag

BlackBag Technologies develops forensic acquisition, triage and analysis software for Windows, Android, iPhone/iPad and Mac OS X devices. Find out more about their products and training options at blackbagtech.com.
