![]() An investigator can’t use another system to decrypt the data, and T2 or M1 chips can’t be removed, meaning decryption with a password or recovery key must happen when the Mac is acquired. The investigator must have the original T2 or M1 system to encrypt the data to decrypt that data. With the T2 and M1 chipsets, additional hardware information is required to decrypt and access data. A recovery key or the user’s password is the only information required to decrypt the device. Once the software encryption is overcome, all the data is still stored on the disk and available. ![]() Prior to 2017, Macs primarily utilized software encryption-security enhancements that allow a user to protect against access to data but do nothing to encrypt the data on the disk. Collecting data in this manner will produce more beneficial evidence than logical collection.Ĭhallenge # 3 : UNDERSTANDING SOFTWARE VS. Physical acquisition in combination with a digital forensics tool like Exterro Forensic Toolkit (FTK) can help investigators grant access to system data (users, disks, etc.), user files (chats, emails, desktop information, internet usage, etc.), and system files (logs, OS information, etc.). Performing a physical acquisition grants additional (and vital) pieces of information including: While live data acquisition will offer file data and metadata, there will be some information missing. However, if the FileVault2 password or Recovery Keys aren’t available, live data acquisition is the only option for performing a forensic collection. Without a T2 or M1 chip in the device, the hardware is not encrypted, meaning there are ways to work around Apple’s security. ![]() Full disk encryption means that the device’s hardware is encrypted, which would create significant problems for the investigator. Read more about securing Apple products on-scene in the Best Practices section below.Īttempting to image a Mac without a T2 or M1 chip can lead to concerns if the user has enabled FileVault2, a complete disk encryption program. Securing the device as quickly as possible on the scene because examining a “live Mac” that’s open may be your only chance to collect data without needing a password. However, much of the more in-depth (and valuable) information is unavailable using this method (more on that below). Utilizing this method, the investigator gains copies of file data and limited metadata, as the file system interfaces to collect the data. Logical imaging (live data acquisition).This is what you want: The ability to interface with the system’s T2 or M1 chip at acquisition to decrypt data protected by this chipset security and create a decrypted physical image of the hard The data is collected as it logically exists on the disk. Physically acquired data from a decrypted Mac.You can acquire a bit-by-bit physical image of protected drives, but these are largely useless because they won’t offer you any critical data or insight due to hardware encryption. Physically acquired data from an encrypted Mac.New Apple devices are enabled with SecureBoot, which can be disabled, but it’s not a forensically sound way to image the device.įor Apple devices with these higher-security chips, there are a few ways to acquire data: There’s no more booting into the system outside of a licensed version of unmodified MacOS. Without the password, you could be dead in the water-on new Macs. With this increased security on new M1 and T2 chipsets, the investigator must have the user admin password. Apple devices with this new M1 and T2 encryption chips have encryption enabled by default, so digital forensic investigators cannot freely collect data and physical images from these Macs. Apple’s APFS file system features protection but is easier to bypass if there’s a potential software integration the investigator can use. Moving to these processors means a couple of significant changes for digital forensics. Apple has returned to building its chips, which are structured around an ARM processor-like the chips used in devices such as smartphones, tablets, and wearable mobile technology. Apple previously made its chipsets before utilizing Intel’s Core chips. One of the reasons an individual may choose to buy an Apple device over others is that the built-in security options are more robust and challenging to bypass. With digital forensic professionals seeing more Mac laptops and other Apple devices more often, we created this guide to identify a few challenges that law enforcement and digital investigators may encounter and provide solutions and best practices for tackling these obstacles both in the field and the lab.Ĭhallenge # 1 : FILEVAULT2-ENABLED SYSTEMS For law enforcement, finding and dealing with Apple devices in the field can create confusion and headaches without first understanding some critical differences between Operating systems (HFS+, APFS, and Windows file systems).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |