INTRODUCTION

For law enforcement, finding and dealing with Apple devices in the field can create confusion and headaches without first understanding some critical differences between Operating systems (HFS+, APFS and Windows file systems). With digital forensic professionals seeing more Mac laptops and other Apple devices more often, we created this guide to identify a few challenges that law enforcement and digital investigators may encounter and provide solutions and best practices for tackling these obstacles both in the field and the lab.

C H A L L E NG E # 1 :

FILEVAULT2-ENABLED SYSTEMS

One of the reasons an individual may choose to buy an Apple device over others is that the built-in security options are more robust and challenging to bypass. Apple previously made its chipsets before utilizing Intel’s Core chips. Apple has returned to building its chips, which are structured around an ARM processor—like the chips used in devices such as smartphones, tablets, and wearable mobile technology.

Moving to these processors means a couple of significant changes for digital forensics. Apple’s APFS file system features protection, but is easier to bypass if there’s a potential software integration the investigator can use. Apple devices with this new M1 and T2 encryption chips have encryption enabled by default, so digital forensic investigators cannot freely collect data and physical images from these Macs.

With this increased security on new M1 and T2 chipsets, the investigator must have the user admin password.

Without the password, you could be dead in the water—on new Macs. There’s no more booting into the system outside of a licensed version of unmodified MacOS. New Apple devices are enabled with SecureBoot, which can be disabled, but it’s not a forensically sound way to image the device.

For Apple devices with these higher-security chips, there are a few ways to acquire data:

  • Physically acquired data from an encrypted Mac. You can acquire a bit-by-bit physical image of protected drives, but these are largely useless because they won’t offer you any critical data or insight due to hardware encryption.
  • Physically acquired data from a decrypted Mac. This is what you want: The ability to interface with the system’s T2 or M1 chip at acquisition to decrypt data protected by this chipset security and create a decrypted physical image of the hard The data is collected as it logically exists on the disk.
  • Logical imaging (live data acquisition). Utilizing this method, the investigator gains copies of file data and limited metadata, as the file system interfaces to collect the data. However, much of the more in-depth (and valuable) information is unavailable using this method (more on that below).

SOLUTION:

Securing the device as quickly as possible on the scene because examining a “live Mac” that’s open may be your only chance to collect data without needing a password. Read more about securing Apple products on-scene in the Best Practices section below.

C H A L L E NG E # 2 :

Attempting to image a Mac without a T2 or M1 chip can lead to concerns if the user has enabled FileVault2, a complete disk encryption program. Full disk encryption means that the device’s hardware is encrypted, which would create significant problems for the investigator. Without a T2 or M1 chip in the device, the hardware is not encrypted, meaning there are ways to work around Apple’s security. However, if the FileVault2 password or Recovery Keys aren’t available, live data acquisition is the only option for performing a forensic collection.

While live data acquisition will offer file data and metadata, there will be some information missing. Performing a physical acquisition grants additional (and vital) pieces of information including:

  • File slack
  • File attributes
  • Raw data blocks
  • All APFS snapshots

SOLUTION:

Physical acquisition in combination with a digital forensics tool like Exterro Forensic Toolkit (FTK) can help investigators grant access to system data (users, disks, etc.), user files (chats, emails, desktop information, internet usage, etc.), and system files (logs, OS information, etc.). Collecting data in this manner will produce more beneficial evidence than logical collection.

C H A L L E NG E # 3 :

UNDERSTANDING SOFTWARE VS. HARDWARE ENCRYPTION

Prior to 2017, Macs primarily utilized software encryption—security enhancements that allow a user to protect against access to data but do nothing to encrypt the data on the disk. Once the software encryption is overcome, all the data is still stored on the disk and available. A recovery key or the user’s password is the only information required to decrypt the device.

With the T2 and M1 chipsets, additional hardware information is required to decrypt and access data. The investigator must have the original T2 or M1 system to encrypt the data to decrypt that data. An investigator can’t use another system to decrypt the data, and T2 or M1 chips can’t be removed, meaning decryption with a password or recovery key must happen when the Mac is acquired. Macs from 2020 onward feature M1 chips; investigators must build into their processes methods to ensure on-site decryption is possible.

SOLUTION:

Gain access to the Administrator Password. Sometimes, the Administrator passwords are available in the machine’s RAM—making it a worthwhile endeavor to image the RAM of any Mac you’re investigating (more on that below). Passwords are necessary to decrypt files in some non-T2 systems, depending on whether FileVault has been enabled. Investigators also need the password to parse non-T2 file systems.

IMAGING THE RAM

Ensure that imaging the RAM is part of any investigating process because there may be valuable data inside. Mac RAM can be compressed up to 1.5x, meaning that there will be more available than there might seem. It may help uncover Administrator passwords or FileVault passwords to help further the investigative process.

BEST PRACTICES FOR MAC COLLECTION & IMAGING:

   

SECURING THEM AC ON-SCENE

There are a few considerations to keep in mind on the scene:

  • Examiner safety: Check for booby traps or other physical protections may have been created by the product owner as a potential obstacle to securing an Apple device.
  • Encryption: An open and exposed device could lock without warning—or a potential power loss or sleep mode—meaning the opportunity to acquire evidence may disappear unless the investigating team can obtain the Some physical devices can be inserted into a Mac to block encryption. It’s also possible that the system is configured to recognize one of these tools and lock itself automatically.
  • Remote locking and wiping: Anytime a device is connected to the internet, there exists the potential that it could be remotely locked or wiped. Anyone with the password and capability to remotely log into the device can lock or wipe Investigators must consider whether to remove network connections. There are pros and cons to each; if a download is in progress, for example, investigators will want to consider what’s happening—and whether to stop it or let it finish.

Devices may be syncing with other applications or cloud storage spaces, like iCloud, Dropbox, which may affect an investigation.

GET THE PASSWORDS

As we covered in the solution for Challenge #3, the password is of paramount importance—and it might be the only chance investigators have of acquiring critical evidence. There are situations in which FileVault2 has not been activated, but those are rare events. If a device is

encrypted and a FileVault2 or other encryption password is unknown, live data acquisition is the only option.

Keep in mind that the Administrator password will allow the user to run the system at an elevated privilege level. As an Administrator, investigators can access certain areas of storage that would generally be prohibited. Accessing the live system under restricted modes will only allow access to those specific user account files.

PERFORM A PHYSICAL ACQUISITION IF

POSSIBLE, AND TRACK FORENSIC CHANGES

As mentioned in Challenge #2, physical acquisition yields the best results from a data depth perspective. But after you’ve acquired the Mac, actions you take—investigating a live Mac—will be changes to that are logged in the system. Making changes to evidence is not a good practice, but in exceptional circumstances may be unavoidable. Ensuring that a documented process for tracking changes is in place can ensure that when investigators are questioned in court, they can explain what they did and why—with documented validation to back it up.

CONCLUSION

When it comes to digital forensic investigations, utilizing verifiable and reproducible results by using the Exterro FTK suite of solutions is an ideal solution. Exterro FTK Enterprise allows remote and covert collections from Mac operating systems. It is the only tool on the market to deploy a remote Mac agent without manual intervention by the endpoint user. Our partnership with Jamf® deployment provides greater visibility into activity on all: endpoints, network shares, including those running on macOS® Catalina, or Mojave. Exterro FTK Enterprise is one single solution that offers in-network collection, Mac collection, off-network collection, and cloud data source collection—all in one product.

If you’d like to see Enterprise in action, contact us to set up a demo!

Source: www.cyberdefensemagazine.com