As if APFS wasn’t adding enough complexity for forensic examiners, more and more Macs are now including T2 Security Chipsets. The T2 Security Chipset was borrowed from iOS devices. It serves many functions, however, the one that troubles forensic examiners is that it encrypts data at rest. This means that the files and folders contained within the internal drive of a Mac are always encrypted. For example, if it were possible to remove the internal Solid State Disk (SSD) of a Mac with a T2 Chipset in an attempt to create a forensic image or copy of files you would not get any usable data.
To get usable data from an SSD on a Mac with a T2 Chipset you will need to go through the chipset itself.
Additionally, Macs with T2 Chipsets include two new features to protect data on its internal drive. These features are “Secure Boot” and “Prevent Booting from External Media.”
Secure Boot only allows the Mac to boot to a Mac operating system which is “trusted”. The only Mac operating system that the Mac will trust is the one that comes preinstalled with the Mac itself.
“Prevent Booting from External Media” is exactly as described. The Mac will not boot from any external media… period.
To turn off any of these features requires booting the Mac into Recovery Mode which is done by holding down the <Command> + “R” keys upon boot. Once in Recovery Mode, a user will be able to select the Startup Security Utility from the “Utilities” menu. In order to make any changes, an Admin password must be known and entered at this time. If you do not have an Admin password you will not be able to disable the features to allow booting from external media.
This means that an examiner will not be able to use a bootable imaging utility without knowing and entering the Admin password and disabling the startup security features.
A workaround to image a T2 Chipset Mac is to place the Mac with the T2 Chipset into Target Disk Mode (TDM) by holding down its “T” key upon startup. TDM essentially turns the Mac into an external hard drive. The Mac in TDM can now be connected to another Mac running a bootable imaging utility such as RECON IMAGER. This technique allows the data to be captured logically.
In digital forensics, it has always been recommended to image the physical disk if possible. This dates back to the days of older file systems and spinning platter disks. With traditional file systems and storage media, it is possible to recover deleted data from free space, unallocated space, and file slack. Times have changed and SSDs are used more commonly. They also work differently.
Since Mac OS X Lion (10.7), all Apple-installed SSDs have TRIM enabled. “Trimming” involves wiping the flash memory cells occupied by a file on an SSD once it has been deleted.
In simple words, when a file is deleted from an Apple installed SSD in Mac OS X 10.7 and higher there is no chance of data recovery when trimming has taken place.
Apple APFS documentation states, “TRIM operations are issued asynchronously from when files are deleted or free space is reclaimed.”
Accessing files previously deleted by the user is only possible by locating Time Machine Backups. Time Machine is the macOS’s native backup utility. Creating backups using Time Machine has to be started by the user. Once enabled, Time Machine will make backups of files that are modified. By examining older Time Machine backups it is possible to find files that were previously deleted by having been backed up. Deleted files that were backed up by Time Machine are not “really” deleted files as they are accessible just like any other file. Find the Time Machine backups and you can find files “previously” deleted by the user but still “active.”
When the disk used for Time Machine is not available the macOS will create Mobile Backups within macOS Extended volumes and Local Snapshots in APFS volumes. APFS Local Time Machine Snapshots are not accessed the same as they were in macOS Extended volumes. Local Time Machine Snapshots (sometimes referred to as APFS Snapshots) have to be accessed using macOS itself.
Previously, when imaging a T2 Chipset via TDM, the information required to mount the local Time Machine snapshots afterward was not captured. The previous version of imaging made it impossible to recover local Time Machine snapshot data and the files previously deleted by the user.
SUMURI, with Version 4 of RECON IMAGER, has developed a solution to image local Time Machine snapshots of Macs with T2 Chipsets using native Mac technologies. Additionally, RECON IMAGER (V4) can be used to capture local Time Machine snapshots when the password is known and Secure Boot can be turned off and also when the password is not known and the Mac with the T2 Chipset is imaged via Target Disk Mode.
SUMURI’s RECON IMAGER (V4) is able to acquire all of the data to include all the files, the Apple Extended Metadata, and local Time Machine Snapshots. RECON IMAGER (V4) does not need to use hacks or reversed engineered solutions and can still acquire all the data in a logical way. Acquiring the data logically while getting all the data saves space on an examiner’s collection drives.
Additionally, RECON IMAGER (V4) is able to locate and present the snapshots to the examiner in seconds. The examiner then has the ability to choose individual snapshots (specific to a date and time) or all of the snapshots to image.
RECON IMAGER (V4) additionally follows traditionally accepted forensic protocols as it is able to hash the source and the output.