The Mac Acquisition Kit is intended for capturing data from Apple laptops using the SuperImager Plus Forensic Portable or Rugged units through a Thunderbolt 3.0 port or a network port. To support older MacBooks with T1/T2 chips, the kit includes Thunderbolt 2.0 to 1394 adapters for Macs with 1394 or TB 2.0 ports. The MacBook connects to the SuperImager Plus unit through a TB Expansion Box with a 1394 controller installed inside it. The Mac must be booted into "Target Mode," and encryption must be disabled.
To support MacBooks with M1/M2 chips, the kit is also supplied with a USB 3.0 to 1 Gigabit Ethernet adapter, a crossover cable, and a special Mac remote capture agent on a USB stick. These Macs cannot be put into target mode, so data is captured using a remote agent. The user can capture raw images, files, and folders over the USB 3.0 to 1 Gigabit/s Ethernet adapter and the network crossover cable.
Remote capture of data from MacBook laptops with M1/M2 CPUs (in beta testing).
1. Capturing data from a MacBook with a T1/T2 chip is done via the 1394 interface. The user needs to disable the security feature on the Mac and put the Mac in target mode, then connect the Mac to the TB expansion box via the 1394 interface (with some adapters and cables). The Thunderbolt box needs to have a 1394 controller, and it needs to be connected to the SuperImager Plus unit via the Thunderbolt 3.0/4.0 port.
2. Remote Capture for laptops with Intel-based CPUs has existed for many years, using a network crossover cable between the laptop and the SuperImager Plus unit.
3. What is new is Remote Capture for Macs with M1/M2 CPUs. Those laptops cannot be put in target mode, and they act as shared network devices, so capturing data is similar to the Remote Capture in 2.
Some settings need to be changed on the MacBook side, such as disabling security features and enabling "Superuser" access to the device (see the instructions below).
After that, the Mac needs to be connected to the SuperImager either 1) with a network crossover cable or 2) by connecting both the Mac and the SuperImager Plus to the same network. (The user will have to establish the network settings and communication.) For a Mac and a SuperImager with Thunderbolt 3.0/4.0 ports, the user can use Thunderbolt to 10 Gigabit/s adapters on both sides for a fast connection.
Once communication is established, the user can run all the forensic capture methods, from DD/E01/raw to Triage capture. Be aware that some MacBooks are formatted with 4K, so for a raw image it is advised to use target/destination drives that are physically formatted 4K.
Here is the procedure:
1. Prepare the USB flash drive with the remote agent
a) Insert the USB flash drive into your Mac
b) Open Disk Utility
c) Erase and format it to macOS
d) Unzip the supplied agent zip file onto it
2. For the agent to have full access to the file system, disable the System Integrity Protection (SIP)
Starting with OS X El Capitan, Apple Inc. introduced System Integrity Protection (SIP), a security feature that protects the essential parts of the OS data on the system disk from unwanted alterations. It increases the level of system security but, at the same time, severely restricts access to files on the disk.
a) Restart your Mac computer
b) Simultaneously press and hold the Command and R keys during startup to boot the computer into macOS Recovery mode
c) In the Utilities menu select Terminal
d) In the Terminal, type in "csrutil disable" and press Enter. There should be a message that System Integrity Protection was successfully disabled
e) Restart your Mac computer
3. Establish a network connection between the Mac and the SuperImager unit, making sure that both units are located on the same local network.
The Mac can be connected to the network via WiFi, a USB to Ethernet adapter, or a Thunderbolt to Ethernet adapter. The Ethernet connection can use either the local router with DHCP or a crossover RJ45 cable with manual IP addresses.
4. Start the agent in full access mode
a) Insert and mount the USB flash drive with the agent
b) Open Terminal
c) In the Terminal, type "sudo open"
d) Drag the MC_RemoteCapture agent to the Terminal window, and the path to the application will be displayed
e) Press Enter, and the agent should start and display the local IP address and the internal SSD
5. On the SuperImager unit, follow the instructions for the Selective Capture operation if file-level capture is desired, or Mirror/LinuxDD/Encase Capture if capturing the entire physical image.
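
A pre-capture check for the Mac side of the procedure above, as an added example that is not part of the kit or the vendor's instructions: it records the SIP state and the source disk's block size in one line for the examiner's notes before the agent is started. The function names, the note format, the `disk0` default and the reading of "formatted with 4K" as a 4096-byte device block size are assumptions; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: functions and note format are illustrative, not vendor code.

# Reduce `csrutil status` output (stdin) to enabled / disabled / custom / unknown.
sip_state() {
  awk -F': *' '/^System Integrity Protection status:/ {
      s = tolower($2); sub(/\..*$/, "", s)
      if (s == "enabled" || s == "disabled") print s; else print "custom"
      found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Print the "Device Block Size" value in bytes from `diskutil info` output (stdin).
block_size() {
  awk -F':' '/Device Block Size/ { split($2, f, " "); print f[1]; exit }'
}

# Print a one-line examiner note. Returns non-zero while SIP is not disabled,
# so the capture is not started with only partial file-system access.
# $1 = csrutil status text, $2 = diskutil info text
preflight_note() {
  _sip=$(printf '%s\n' "$1" | sip_state)
  _bs=$(printf '%s\n' "$2" | block_size)
  case "$_bs" in
    4096) _dest="use-4k-destination" ;;   # assumption: "4K" means 4096-byte blocks
    "")   _dest="block-size-not-found" ;;
    *)    _dest="any-destination" ;;
  esac
  printf 'sip=%s source_block_size=%s raw_image=%s\n' "$_sip" "${_bs:-unknown}" "$_dest"
  [ "$_sip" = "disabled" ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_SIP='System Integrity Protection status: disabled.'
SAMPLE_DISK='   Device Identifier:         disk0
   Device Block Size:         4096 Bytes
   Disk Size:                 500.3 GB'

# On the Mac, use live output (disk0 assumed to be the internal SSD);
# anywhere else, fall back to the constructed samples.
if command -v csrutil >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
  preflight_note "$(csrutil status)" "$(diskutil info "${1:-disk0}")" \
    || echo "SIP is not disabled; the agent will not have full access" >&2
else
  preflight_note "$SAMPLE_SIP" "$SAMPLE_DISK"
fi
```

Running the same check after the capture, once SIP has been re-enabled with "csrutil enable" from Recovery mode, gives a matching before/after record of the change made to the examined machine.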