Imaging APFS Snapshots within T2 Chipset Macs

Adding to the complexity for forensic examiners, APFS isn’t the only challenge. An increasing number of Macs now feature T2 Security Chipsets, borrowed from iOS devices. The T2 Security Chipset serves numerous functions, but it’s the encryption of data at rest that troubles forensic examiners the most. This means that files and folders within a Mac’s internal drive are always encrypted. For instance, attempting to create a forensic image or copy of files by removing the internal Solid State Disk (SSD) of a Mac with a T2 Chipset would yield no usable data. To extract usable data from an SSD on a Mac with a T2 Chipset, one must go through the chipset itself.

Furthermore, Macs with T2 Chipsets introduce two additional features to safeguard data on their internal drives: “Secure Boot” and “Prevent Booting from External Media.” Secure Boot permits booting only to a Mac operating system deemed “trusted.” The Mac trusts solely the operating system preinstalled with it. As for “Prevent Booting from External Media,” it functions precisely as its name suggests: the Mac refuses to boot from any external media whatsoever.

To turn off any of these features requires booting the Mac into Recovery Mode which is done by holding down the <Command> + “R” keys upon boot. Once in Recovery Mode, a user will be able to select the Startup Security Utility from the “Utilities” menu. In order to make any changes, an Admin password must be known and entered at this time. If you do not have an Admin password you will not be able to disable the features to allow booting from external media. This means that an examiner will not be able to use a bootable imaging utility without knowing and entering the Admin password and disabling the startup security features. A workaround to image a T2 Chipset Mac is to place the Mac with the T2 Chipset into Target Disk Mode (TDM) by holding down its “T” key upon startup. TDM essentially turns the Mac into an external hard drive. The Mac in TDM can now be connected to another Mac running a bootable imaging utility such as RECON IMAGER. This technique allows the data to be captured logically.

In digital forensics, experts have always recommended imaging the physical disk whenever possible. This recommendation traces its origins back to the days of older file systems and spinning platter disks. With traditional file systems and storage media, deleted data can be recovered from free space, unallocated space, and file slack. However, times have changed, and SSDs are now more commonly used. They also operate differently. Since Mac OS X Lion (10.7), all Apple-installed SSDs have had TRIM enabled. “Trimming” involves wiping the flash memory cells occupied by a file on an SSD once it has been deleted. In simple words, when a file is deleted from an Apple-installed SSD in Mac OS X 10.7 and higher there is no chance of data recovery.

Accessing files previously deleted by the user is only feasible through locating Time Machine Backups, which is macOS’s native backup utility. The user must initiate the process of creating backups using Time Machine. Once activated, Time Machine backs up modified files. By examining older Time Machine backups, it becomes possible to recover files that were previously deleted and subsequently backed up. These deleted files, backed up by Time Machine, remain accessible, unlike truly deleted files. By locating Time Machine backups, one can retrieve files previously deleted by the user but still active.

When the disk used for Time Machine is not available the macOS will create Mobile Backups within macOS Extended volumes and Local Snapshots in APFS volumes. APFS Local Time Machine Snapshots are not accessed the same as they were in macOS Extended volumes. Local Time Machine Snapshots (sometimes referred to as APFS Snapshots) have to be accessed using macOS itself. Previously, when imaging a T2 Chipset via TDM, the information required to mount the local Time Machine snapshots afterward was not captured. The previous version of imaging made it impossible to recover local Time Machine snapshot data and the files previously deleted by the user.

SUMURI, with Version 4 of RECON IMAGER, has developed a solution to image local Time Machine snapshots of Macs with T2 Chipsets using native Mac technologies. Additionally, RECON IMAGER (V4) can be used to capture local Time Machine snapshots when the password is known and Secure Boot can be turned off and also when the password is not known and the Mac with the T2 Chipset is imaged via Target Disk Mode. SUMURI’s RECON IMAGER (V4) is able to acquire all of the data including all the files, the Apple Extended Metadata, and local Time Machine Snapshots. RECON IMAGER (V4) does not need to use hacks or reversed engineered solutions and can still acquire all the data in a logical way. Acquiring the data logically while getting all the data saves space on an examiner’s collection drives.

Additionally, RECON IMAGER (V4) is able to locate and present the snapshots to the examiner in seconds. The examiner then has the ability to choose individual snapshots (specific to a date and time) or all of the snapshots to image. RECON IMAGER (V4) additionally follows traditionally accepted forensic protocols as it is able to hash the source and the output.