1.Introduction #


RECON Imager was developed by SUMURI to provide the digital forensic practitioner with a bootable imaging utility which supports all modern Macintosh computers with Intel processors.  This is accomplished via three macOS based boot environments which have been modified to ensure that there are no writes to internal or externally attached media.

Additionally, RECON Imager helps the practitioner to easily identify Apple File System (APFS) container disks and volumes, FileVault, Fusion and other Core Storage volumes.  

RECON IMAGER has been designed to get as much data as possible to include the Apple Extended Attributes and Local Time Machine Snapshots (APFS Snapshots).

In addition to creating forensic images of physical disks or volumes, RECON Imager can also image Mac RAM without the need for an administrator password within RECON Imager’s boot environment.

RECON Imager also supports imaging Macs with the new T2 Security Chipset via Target Disk Mode or disabling Secure Boot via the Mac’s Recovery Mode.

2.Version Comparisons #

There are two versions of RECON IMAGER – Standard and PRO.  


RECON IMAGER (standard) is based on macOS.  Since it is based on macOS it natively boots Intel Macs.  It also supports Apple proprietary technology such as Apple File System (APFS) container disks and volumes, FileVault, Fusion and other Core Storage volumes.  RECON IMAGER includes the option to image logically which allows an examiner to import Apple data into forensic tools that do not natively support proprietary Apple file systems. This allows you to use any forensic tool to process the data.


RECON IMAGER PRO is also based on macOS and includes all the features of RECON IMAGER (standard).  Additionally, RECON IMAGER PRO includes a new enhanced Logical Imager.  The enhanced Logical Imager functions allow the user to capture and preserve a variety of Mac artifacts automatically.  The collected artifacts can be processed manually or automatically using RECON LAB.

The enhanced Logical Imager also allows the user to create an image or logical copy of individual files or directories selected by the collection agent.  For example, if you are limited to accessing data from a single user it is possible to only select that user’s directory for imaging.

RECON IMAGER PRO also includes the ability to image across a network via SMB.  This allows collections agents to image directly to an evidence server within a lab or to a NAS out in the field.

3.Supported Hardware #

RECON IMAGER works with Intel based Macs and has three boot options installed to support the the largest numbers of Macs.  For specific models supported please see below.


  • MacBook (Early 2015)
  • MacBook (Late 2008 Aluminum, or Early 2009 or newer)
  • MacBook Pro (Mid/Late 2007 or newer)
  • MacBook Air (Late 2008 or newer)
  • Mac mini (Early 2009 or newer)
  • iMac (Mid 2007 or newer)
  • Mac Pro (Early 2008 or newer)
  • Xserve (Early 2009)


  • MacBook (Late 2009 or newer)
  • MacBook Pro (Mid 2010 or newer)
  • MacBook Air (Late 2010 or newer)
  • Mac mini (Mid 2010 or newer)
  • iMac (Late 2009 or newer)
  • Mac Pro (Mid 2010 or newer)


  • MacBook (Early 2015 or newer)
  • MacBook Air (Mid 2012 or newer)
  • MacBook Pro (Mid 2012 or newer)
  • Mac mini (Late 2012 or newer)
  • iMac (Late 2012 or newer)
  • iMac Pro (2017)
  • Mac Pro (Late 2013; Mid 2010 and Mid 2012 models with recommended Metal-capable graphics cards)

4.Before You Start #

Imaging a disk or volume is not as straightforward as imaging other file systems.  We highly recommend that you read the following sections before you begin as it will save you creating an unusable image.

4.1.How Will You Process The Image? #

Before you begin you need to ask yourself in what tool will you use to process the image that is created with RECON IMAGER?

Other than RECON LAB, there are very few forensic tools that support some or all of Apple’s proprietary file systems and/or technologies.  RECON LAB was designed to process a Mac on a Mac so it natively supports Mac images and it’s data.

If you are going to process your image with any other tool other than RECON LAB you will have to be careful in choosing your image format.

4.2.What To Image? #

Once you have decided on the forensic tool that will be used to process the collected data the image format can now be chosen.

RECON IMAGER utilizes macOS so it will automatically detect and present traditional physical disks, logical volumes, Core Storage disks, FileVault volumes, synthesized and virtualized disks and volumes.  Collection agents must be careful to select the correct volume or disk along with the correct image format to get usable forensic image, data or copy.

This manual will include a guide on what to image based on what forensic tool that you choose.  It is recommended that all information in this manual is reviewed.  As always, if unsure, ask before imaging.

4.3.What Image Format Should I Use? #

Selecting the correct image format is crucial to get an image or data that will work with a specific forensic tool.  RECON IMAGER has multiple imaging options to support as many forensic tools as possible.

It is important to understand that not all forensic tools can interpret proprietary Apple file systems and/or volumes.  SUMURI’s RECON LAB is one of the only tools that can mount all Apple file systems and interpret it’s data properly as it is developed on and for macOS.

In order to obtain data that can be used with other tools that do not support proprietary Apple file systems or volumes, one of RECON IMAGER’s logical imaging options must be selected.

5.Key Concepts To Understand #

Before using RECON Imager it is important to understand key concepts about imaging Mac computers.

5.1.Apple File System (APFS) #

Apple File System (APFS)

Apple File System (APFS) is a proprietary file system from Apple and utilized for macOS, iOS, watchOS, and tvOS.  APFS is natively and fully supported on macOS High Sierra (10.13) and above. APFS has limited support in macOS Sierra (10.12).  APFS has no or very little support on Windows operating systems or with Windows forensic tools.  Any support for APFS on Windows and/or Windows forensic tools are using reversed engineered non-native technologies.

RECON IMAGER can create forensic images that can be processed and analyzed with RECON LAB natively.

RECON IMAGER can also create “logical” copies of an APFS drive.  RECON IMAGER’s “logical” image can be imported by any forensic tool that supports adding directories or files (including Windows forensic tools).

5.2.Apple Extended Attributes #

Apple Extended Attributes are special metadata generated within macOS and is indexed to allow searches via the macOS search utility, Spotlight.

Apple Extended Attributes contain extremely valuable information for investigations.  This special metadata cannot be seen in Windows and most Windows forensic tools ignore or have a limited ability to display Apple Extended Attributes.

Images and data collected by RECON IMAGER and processed by RECON LAB provide the most extensive views of Apple Extended Metadata.

Understanding Apple Extended Metadata is critical to investigations.

5.3.Fusion Drives #

Some Mac computers utilize Fusion Drives which are a “marriage” of two or more physical disks which are then seen as a single drive.  Originally, the smaller disk was an SSD (for speed) and the larger disk was typically a traditional spinning platter drive (for low-cost long term storage).  Keep in mind that both disks in a Fusion Drive can be SSDs.

Forensic examiners are traditionally taught to image the physical disks.  This would be true if using most other imaging utilities (such as PALADIN).  In order to properly see the directory structure of a Fusion “disk” when utilizing other imaging solutions to process in traditional forensic tools, you would have to manually mount both images on a Mac and then re-image.  However, this is not necessary when using RECON IMAGER.

In RECON IMAGER a process known as Core Storage “marries” the two disks of the Fusion drive into a “single” disk.  Imaging the “single” disk created by Core Storage will allow you to obtain a forensic image where the files and its directories can easily be seen by most forensic tools.

5.4.Core Storage #

Core Storage is the macOS version of Logical Volume Management (LVM).  Core Storage (or LVM) is used by the Mac as a way of allowing one or more physical disks to be seen as a single new disk.  This was first utilized by Apple to support Fusion drives. However, Core Storage is used by the macOS even if there is only a single disk in the system.

RECON IMAGER will allow you to see traditional physical disks and Core Storage “virtualized” disks.  In most situations, the Core Storage “virtualized” disk “derived from” a Core Storage volume or volumes will be imaged.

5.5.FileVault #

FileVault (version 2) is macOS full volume encryption of which there are no backdoors.  FileVault is mounted and decrypted with the user’s login password or Recovery Key which is created when FileVault was originally enabled.  RECON IMAGER can create a decrypted forensic image of a FileVault volume by providing the user’s login password or the Recovery Key. If the password or the Recovery Key is not known the disk or volume can still be imaged in its encrypted state.  The created image can be processed with RECON LAB if the password or Recovery Key is discovered later.

5.6.T2 Security Chipset #

In many newer Macs, Apple has added a T2 Security Chipset.  The T2 Chipset serves several purposes, however, a couple of them add extra steps in order to collect data or an image.

By default, Macs with T2 Security Chipsets have Secure Boot enabled along with a setting to disable booting to external media.  Both of these settings must be turned off to allow the Mac to boot to RECON IMAGER.  To turn off these settings an admin password must be known.

If the admin password is unknown, the Mac with the T2 Security Chipset can be placed in Target Disk Mode and can be connected to another Mac booted with RECON IMAGER to obtain data.

5.7.Local Time Machine Snapshots (APFS) #

Time Machine is a utility in macOS that is used for creating backups.  Time Machine must be activated by the user and requires a local or remote disk to store the backups (Time Machine disk).  When the Time Machine disk is not available the backups are stored locally.  These backups are known as “Local Time Machine Snapshots” in APFS.

RECON IMAGER has the ability to image Local Time Machine Snapshots in Macs with T2 Security Chipsets and without.

5.8.Apple Boot Camp #

Apple Boot Camp is a technology that assists a Mac user with installing a Windows operating system on a Mac.  Forensic images of the Boot Camp volumes can be created with RECON IMAGER.

6.Booting RECON IMAGER #

As with any new forensic tool, please test and validate RECON IMAGER before using on real evidence.

Additionally, please read all instructions and information included in this manual.  If you should have any questions or concerns please contact us.

6.1.Instant On - Portable Macs #

Be aware that newer MacBooks have an “instant on” feature.

Newer MacBooks will automatically boot when the lid is opened. Additionally, if the lid is already opened and power is connected, or the trackpad or keys are touched the MacBook may also start.

Make sure that you are prepared to interrupt the boot process by holding down the ALT/OPTION key in any of these situations.

6.2.Firmware Password #

Mac has the ability to set a boot level password to prevent booting to any source other than the installed macOS.  This is known as a Firmware Password which can be enabled or disabled by the user in the Mac’s Recovery Mode.

Before booting a Mac please familiarize yourself with the macOS Firmware Password option.

If a user has set the Firmware Password no startup commands other than the ALT/OPTION key will work.  If you encounter anything that looks like a “lock” when starting with the ALT/OPTION key then the Firmware Password is set.  

You must enter the Firmware Password PIN  or passcode in order to see the boot options (this includes RECON IMAGER if it is attached).

Apple Certified Technicians have the ability to disable a Firmware Password.

6.3.Connecting RECON IMAGER #

  • Make sure that you start with the Mac powered off.  
  • Identify how many ports and what type of ports which are available on the Mac before you start.  
  • If there is only one port make sure you use a high quality hub to add additional ports.  Keep in mind that it is known that using low quality or non-Apple certified adapters can damage the Mac.
  • If using traditional spinning platters make sure that the hub used has power connected or that your drive has its own power supply.  
  • RECON IMAGER can be inserted into any open port on the Mac itself or via a hub.

6.4.Connecting Your Destination Drive #

See the notes listing in “Connecting RECON IMAGER” regarding adapters, hubs, and power.

It is recommended that the formatting or initialization of the destination drive be done using RECON IMAGER if possible.

Once the destination drive is prepared using RECON IMAGER it should be removed test that it mounts on the examination system.  This step is recommended as formatting with one tool or environment may be different from another.  Some operating systems may not recognize or work well with the partitioning scheme created with a different operating system.

After verifying that the destination drive can be seen by the examination system reconnect it to the system to be imaged.

6.5.Starting RECON IMAGER #

With the Mac off, connect RECON IMAGER to an open port, press the power key and then immediately hold down the OPTION/ALT key.  

All boot options, including three from RECON IMAGER, should be displayed.  Please review the supported hardware documented in this manual for assisting in choosing the correct version of RECON IMAGER.

Select the boot option that supports the Mac that is being booted:



The Mac will start to boot after the selection.  Be patient as this may take a couple of minutes to boot.  You will see the Apple Boot Logo during the boot to RECON IMAGER.

After RECON IMAGER has completed booting you will see the window below.  Select the RECON IMAGER application and click the “Continue” button.

7.Using RECON Imager #

When RECON IMAGER loads there will be five options presented for the standard version and seven for RECON IMAGER PRO. 

  • Disk Manager  – Displays traditional, virtual and synthesized disks and volumes.
  • Disk Imager  – The disk imaging interface.
  • RAM Imager  – The RAM imaging interface.
  • Network Share (PRO) – The interface for configuring SMB network connections to send forensic images to a destination over the network.
  • Logical Imager (PRO) – The interface for automated imaging of macOS artifacts or selective imaging of files and folders.
  • Shut Down  – Safely powers down the Mac.
  • License Agreement  – Displays SUMURI’s License Agreement and Change Logs.

7.1.Disk Manager #


The Disk Manager allows you to see all connected devices to the Mac in a software write-blocked environment.   Each system can vary, however, the Disk Manager will all traditional, virtual or synthesized physical disks or logical volumes.

Below are descriptions of the column names used in the Disk Manager:

  • Device – the disk and partition (slice) identifier
  • Model – hardware model
  • Size – size of the disk/partition
  • Type – disk or volume type
  • Name – volume name
  • File System – the file system of the partition
  • Derived From – list of the parent volumes for virtualized or synthesized disks
  • Encrypted – YES, if FileVault is on – NO, if FileVault is off
  • Mode – displays the read-write status

The RECON IMAGER Disk Manager uses the following color scheme for quick identification:

  • Parent disk (i.e. “disk0”)  – grey
  • Mounted and Read-Only (i.e. “disk0s3”) – green
  • Mounted and Read-Write – red
  • Apple Core Storage Logical Volume Family (i.e. “disk2s2” and “disk3s2”)  – orange
  • Mounted Fusion Disk (i.e. “disk4”)- yellow
  • APFS Volume Unlocked – (i.e. “disk1s1”) – olive green
  • APFS Non-Encrypted Volume – (i.e. “disk1s2”) – brown

7.1.1.Refresh To Detect Changes #

If a drive is attached or disconnected anytime after RECON IMAGER has been started the “Refresh” button must be clicked to search for new drives or remove drives that were previously detected.

7.1.2.Formatting a Collection Drive #

RECON IMAGER can format a collection drive within Disk Manager.  BE CAREFUL to select the correct drive to format.  

From the Disk Manager tab select the drive to format and choose “Format”.


The collection drive can be formatted with an APFS, macOS Extended (HFS+) or exFAT file system.



Once the collection drive has been formatted it is always good practice to attach the destination drive to the examination system to see if it will be detected properly.  Although, the file system is correct the examination system may not recognize the partition scheme used in formatting.  This is especially true of older operating systems.

It is recommended to use HFS+ (macOS Extended Journaled) or APFS as the format for the collection drive as these file systems can preserve Apple Extended Metadata.

To mount Apple native file systems within Windows consider using applications such as HFS+ for Windows by Paragon.

7.1.3.Decrypting A FileVault Volume #

RECON IMAGER can decrypt a FileVault 2 encrypted volume if the passcode or the Recovery Key is known.  To decrypt, highlight the FileVault volume within Disk Manager and select “Decrypt”.

A window will appear allowing the entry of the user’s password or the Recovery Key.  Once the password or key is entered select “Decrypt.”  After a few moments, the decrypted FileVault volume will display within the Disk Manager window.

If the FileVault volume was on a macOS Extended file system (HFS+) a new decrypted volume will mount with a new disk number.

If the FileVault volume was on an APFS file system no new volumes will mount.

7.1.4.System Date and Time #

For convenience, the system’s detected date and time will appear in the bottom of the RECON IMAGER window.  This can be used to check to see if the reported system clock is accurate.


7.2.Disk Imager #


The RECON IMAGER Disk Imager allows the imaging of any internal disk(s) or volumes of any attached storage media including Macs in Target Disk Mode.  The options presented in the Disk Imager will change depending on what Image Type (output format) is selected.

7.2.1.Source #

The Source field allows you to select the source device (i.e. the suspect’s hard drive) to be imaged. 

If the drive was recently attached, select Refresh to identify any newly connected disks.

WARNING – Please be familiar with imaging Apple file systems.  There are many factors which will affect your selection in the source and the choice of an output format.  An incorrect choice will lead to an unusable image.  Please follow the best practices suggested in this manual for different imaging scenarios.

7.2.2.Image Type #

RECON IMAGER supports a variety of image output formats in order to allow the data to be imported into any modern forensic tool.  Before selecting the Image Type be sure to check that forensic tool to be used for processing can support the output that you are generating.  Many forensic tools do not natively support Apple’s proprietary file systems.  SUMURI’s RECON LAB can process all Apple file systems without conversion and without losing important artifacts such as Apple Extended Metadata.

RECON IMAGER can produce output in the following formats:

  • DMG (dmg): The native disk image format for macOS and what is highly recommend for image output.  This image output is also a raw image that can be imported into any modern forensic tool.
  • DD (RAW):  Bit-for-bit forensic copy of the source medium which is also a raw image.
  • EWF (E01): Expert Witness Format – Version 1.
  • EWF2 (Ex01): Expert Witness Format Version 2.
  • SMART (S01): ASR Data’s version of EWF bitstream image.
  • Logical (Sparseimage):  A native macOS image format that is dynamic and can only be used within the Mac environment.
  • Logical (Folder):  A logical data extraction of the file system which is able to be used in both Mac and Windows forensic tools.
  • Logical (Tar):  A logical archive of the file system that can be used in most forensic tools.
  • Logical (DMG-RW): A native macOS image format that is static and can only be used within the Mac environment.

7.2.3.Compression Options #

Compression options are available for the Expert Witness formats (.E01, .Ex01) and ASR Data’s SMART image format (.S01).

  • none: No compression (fastest)
  • fast: Compression is minimal while imaging speed is maximized (fast).
  • best: Compression is the most efficient, however, the imaging process will be prolonged (slowest).

7.2.4.Processing Local Time Machine Snapshots (APFS) #

RECON IMAGER has the ability to identify Local Time Machine Snapshots (APFS Snapshots) in advance of imaging.  If Local Time Machine Snapshots exist a window will appear allowing the user to select all or individual snapshots for imaging.

Once selected RECON IMAGER will process the Local Time Machine Snapshots at the time of imaging to dramatically reduce the size of the collection as compared to physical imaging.

RECON IMAGER’s Advance Snapshot Processing finds all files previously deleted by the user and modified files within the snapshots selected.  Additionally, as with previous versions of RECON IMAGER, Apple Extended Attributes are still captured.

7.2.5.Destination #

RECON IMAGER has the ability to image to two destinations at the same time.  If a second destination is required just select the checkbox to activate the dropdown.

RECON IMAGER also allows you to choose and/or create directories to send the images to by clicking “Select Directory.”

7.2.6.Image Name #

Use the “Image Name” field to provide a unique name for your image output.  The label provided will be the name for the parent folder containing the image output and any logs.

Other than the Logical Image (Folder) option the name provided in the “Image Name” field will also be used for the image output files.

7.2.7.Segment Size #

RECON IMAGER allows for certain image outputs to be segmented if required.  If the image output selected supports segmenting within RECON IMAGER the “Segment Size” checkbox will be active. 

To set the segment size check the box next to “Segment Size” and enter the size in MBs.

Segmenting is not available for the .dmg image output or any of the logical imaging formats.

7.2.8.Evidence Descriptor Fields #

Before imaging, optional identifying information about your source may be entered.

  • Case Number – Relevant case number.
  • Evidence Number – Unique evidence/log number.
  • Examiner – Individual creating the image.
  • Custodian Name – Custodian of the evidence.
  • Machine Serial – Serial Number of the booted device.
  • Description – Description of the media being imaged.
  • Notes – Any additional information relevant to the investigation.

7.2.9.Hashing and Verification #

Traditional Image Types

An MD5 and SHA-1 hash of the SOURCE will be calculated for the following image types:

  • dd (RAW)
  • EWF (E01)
  • EWF2 (Ex01)
  • SMART (S01)
  • DMG (dmg)

For the traditional image types listed above, there is an option of selecting “Verify after creation” within Disk Imager.

If “Verify after creation” is selected an MD5 and SHA-1 will be calculated for the OUTPUT.

A summary of the hashing will be displayed in a pop-up window at the completion of the imaging and can also be found in the logs within the image output folder.

Logical Image (Folder)

For the Logical Image – Folder option a hash can be calculated for both the “Source” files and of the files copied to the “Destination”.

Logical Image (Tar)

For the Logical Image – Tar option a hash can be calculated for both the “Source” files and of the .tar image created on the “Destination”.

Logical Image (Sparseimage and DMG-RW)

For the Logical Image – Sparseimage and DMG-RW option a hash can be calculated for both the “Source” files and of the files copied to the “Destination”.

Be advised that the hashing of every individual file during a “Logical” image WILL TAKE TIME.

8.APFS Imaging #

Many forensic tools do not natively support APFS. By creating a “traditional” image your forensic tool may not see the data.

Traditional forensic tools that can mount APFS volumes may still have limitations such as:

  • no access to Apple Extended Metadata
  • limited access to Apple Extended Metadata
  • limited parsing of Apple Extended Metadata
  • inability to utilize proper timestamps

RECON LAB from SUMURI is the first and only tool that can identify and properly parse Apple Extended Metadata and its timestamps.

Apple Extended Metadata is extremely important in macOS investigations.  Ignoring Apple Extended Metadata is equivalent to a doctor performing surgery after only seeing a small portion of an entire battery of test results and scans.

There are two ways to image APFS.  The first is to process with RECON LAB in order to see all the Apple Extended Attributes and timestamps.  The second is for importing into traditional forensic tools.

8.1.APFS Imaging to Process with RECON LAB #


Source – Select the physical disk containing the APFS Container and volumes.  On a single internal drive, this is usually “disk0”.  Be careful not to select the APFS synthesized container disk.

Image Type – DMG

Another benefit of processing with RECON LAB is that you do not have to decrypt before imaging.

8.2.APFS Imaging to Process in Other Tools #


Source – Select the volume containing the user data within the APFS synthesized container disk.

Typically, there are four volumes (the User volume, Preboot, Recovery, VM).  Select the User volume and be aware the name can vary.  The default volume name is usually “Macintosh HD”.

Image Type – You have two options.

Option-1: Logical Image (Folder) – this is a logical copy of the files from the source to the destination.  Be aware that the “Date Added” timestamp will change as you are adding data to a new volume.

Option-2: Logical Image (Tar) – this is a logical copy of the files from the source placed into a .tar archive to preserve timestamps.  This option will take longer then Option-1.  Make sure your forensic tool supports adding a .tar archive file.


Use the Disk Manager to select the APFS container volume with the user data as described above and select the “Decrypt” button.  Use the password or Recovery Key option to decrypt the FileVault volume.

Once decrypted follow the steps listed above for imaging.

9.Core Storage Imaging - Single Disk #


Source – Select the physical disk which is usually “disk0”.  This can be identified in the Disk Manager.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).


Use the Disk Manager to select the physical disk as described above and select the “Decrypt” button.  Use the password or Recovery Key option to decrypt the FileVault volume.

Once decrypted a new disk will mount.  In Disk Imager select the newly mounted decrypted disk to image.

Source – Select the newly decrypted mounted disk.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).

10.Fusion Drive Imaging #


Mode – Refer to Section 3 to determine whether to use Mode A, B, or C.  Most Sierra and higher typically will use Mode-C.

Source – Select the virtualized physical disk which is usually derived from disk0s2 and disk1s2.  This can be identified in the Disk Manager.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).


Use the Disk Manager to select the virtualized physical disk with the user data as described above and select the “Decrypt” button.  Use the password or Recovery Key option to decrypt the FileVault volume.

Once decrypted a new disk will mount.  In Disk Imager select the newly mounted decrypted disk to image.

Mode – Refer to Section 3 to determine whether to use Mode A, B, or C.  Most Sierra and higher typically will use Mode-C.

Source – Select the newly decrypted mounted disk.

Image Type – DMG (remember, this is also a raw image and can be imported into other tools).


Use the Disk Manager to identify the logical volume of the APFS Fusion drive.  The logical volume will be displayed underneath the APFS Synthesized Volume (disk2 in the image below).  The examiner will have to decrypt the volume (disk2s1in the image below) if the Mac has FileVault enabled.  A physical image of macOS Mojave Fusion drives at this time are not mountable, only logical images are mountable.

Mode – For APFS Fusion drives Mode C is required.

Source – Select the Fusion virtualized logical disk (it will be found along with the Preboot, Recovery, and VM volumes).

Image Type – Any Logical Option.  The sparse image or DMG-RW format is best with Mac-Based Forensic tools such as RECON Lab while TAR format is best for usage in Windows-Based Forensic tools.

11.Imaging A Mac With A T2 Chipset #

Newer Macs have been shipping with proprietary T2 chipsets which add extra layers of security.  One of these new security features prevents booting from external media.  This “secure boot” is enabled by default and can only be turned off in Recovery Mode and with an admin password.  We strongly recommend that you take your own Mac with you to incident response scenes.

In the event that the examiner has attempted to boot a T2 Chipset Mac with RECON Imager without disabling Secure Boot or booting from external media, the following screen might appear:

Two methods are currently recommended for imaging a Mac with a T2 Chipset:

Target Disk Mode (TDM)

  1. Place the Mac with the T2 chipset into Target Disk Mode (TDM) by holding down the “T” key when starting the computer.  You should see symbols for the connection interfaces available displayed on the screen.
  2. Connect the T2 chipset Mac in TDM to a powered-down Mac that is capable of supporting High Sierra or above with a Thunderbolt cable.  This is the Mac that will be used for imaging.
  3. Connect a destination drive for the image output and the RECON IMAGER USB.
  4. Boot your Mac with RECON IMAGER connected by holding down the ALT/OPTION key.
  5. Once RECON IMAGER has booted you should see the disks and volumes of the Mac in TDM within RECON IMAGER’s Disk Manager.
  6. Follow the instructions in this manual to create a logical image of the T2 chipset Mac.

Disable Secure Boot and Booting to External Media

  1. Ensure your RECON Imager USB is updated to latest version.
  2. Boot the suspect’s Mac into macOS Recovery Mode (press & hold Command and R keys after pressing power button).
  3. On the top toolbar, select Utilities. Then click on Startup Security Utility.
  4. You’ll be prompted to enter an administrator password.

Here are the steps necessary to configure the Startup Security Utility:

  1. Change the Secure Boot Option to No Security.
  2. Change the External Boot Option to Allow booting from external media.
  3. Shutdown the Mac under normal means.

Then complete the next steps to boot into Mode-C Recon Imager:

  1. Plug in the RECON Imager USB.  Power up the suspect’s Mac and press down the ALT/Option key.  Boot from the Mode C – Recon Imager Volume.
  2. Once RECON IMAGER has booted you should see the disks and volumes of the Mac within RECON IMAGER’s Disk Manager.
  3. Follow the instructions in this manual to create a logical image of the T2 chipset Mac in question.

12.Imaging Mac RAM #

RECON IMAGER allows you to image Mac RAM can without the need for an admin password.  The RAM Imager only works within the RECON IMAGER boot environment.

To image Mac RAM on a live running system please use RECON TRIAGE which can be found on our website at SUMURI.com.

There are a lot of factors to obtaining a successful image of Mac RAM.  Typically, when the power is turned off RAM will begin to dissipate.  However, in our testing, if you are able to “restart” a running Mac and boot immediately to RECON IMAGER to image the RAM using the RAM Imager you will most likely obtain usable data.

If the Mac has been powered down you may or may not be able to obtain a usable image of Mac RAM from the previous session.  In our testing, we have been able to recover data from desktop Macs that are still plugged in.  For portable Macs, it appears that once it has been powered off, regardless if it is still plugged in, no usable RAM image is obtained.

We will describe the steps for imaging Mac RAM given the best case scenario below.

Mac is on and you have access to the Desktop

  1. Plug in your RECON IMAGER drive and your destination drive.
  2. Use the Apple Menu (upper left) to select “Restart”.
  3. Hold down the Alt/Option key during the restart to display boot options.
  4. Select the RECON IMAGER option which supports the Mac that you are booting.
  5. Use the RAM Imager to immediately image the RAM.

The RAM image that is created can be processed using RECON LAB or another tool of your choice.

Mac is on and you do not have access to the Desktop

Some older Macs can be restarted by force.  This does not work with Macs that have a Touch Bar.

  • Command + Control + Power Button – Forces a restart your Mac.
  • Command Control + Media Eject button – Quits all apps and restarts the Mac.

12.1.RAM Imager Interface #

  1. To image the RAM from within RECON IMAGER select the RECON IMAGER tab.
  2. Click “Refresh” to repoll any attached devices.
  3. Choose your “Destination” drive.
  4. Provide your image with a name in the “Label” field.
  5. Optional – Fill out the case information.
  6. Click “Start”.

Keep in mind that Mac RAM is protected by design which can sometimes lead to unsucessful imaging.


RECON IMAGER PRO is an enhanced version of RECON IMAGER which provides the following extra features:

Selective Logical Imaging – Ability to select an image specific user accounts, folders and/or files.  This is useful if the scope of your data collection has been limited or to save time by grabbing only the data you need.

Automatic Artifact Extraction – RECON IMAGER PRO will automatically recover files and data related to a variety of macOS artifacts.

For example, if you want to extract Safari artifacts there is no need to manually locate the data.  RECON IMAGER PRO will automatically find files containing Safari artifacts and place them into the image to be processed later.

Network Imaging – RECON IMAGER has the ability to image to a destination on a network configured via SMB.

13.1.RECON IMAGER PRO Interface #

To use Logical Imager select the volume where the files of interest are stored in the “Source” dropdown.  Fill in any of the optional case information and click “Select” to open the full Logical Imager interface.


  • Artifact Selection – Selecting any or all of these artifacts will automatically recover the files containing information related to the selected artifact during the logical imaging.  Once created the resulting image can be added to RECON LAB for automated processing or you can process manually.
  • User List – Allows for the selection of individual users or all users on the volume selected.  Selected artifacts will be captured for the users selected.
  • File System Tree – Use this interface to select any files and/or directories to be included in the logical image.  Once a file or directory is selected click “Add” to include it in the logical image. Use “Remove” to remove a file or directory from the list.
  • Destination – Use this dropdown box to select your destination drive.  If you are using the “Logical” image type you should use a destination drive formatted as macOS Extended or APFS to preserve the Apple Extended Metadata which is important for your investigation.
  • Logical Image Type – This is the format you would like to use to create your logical image.  
    • Sparse Image will put your selected files into a .sparseimage file.  This file can be natively mounted on a Mac and can be processed by RECON LAB depending on what was selected for imaging. 
    • DMG-RW will put your selected files into a .dmg file.  This file can be natively mounted on a Mac and can be processed by RECON LAB depending on what was selected for imaging. 
    • Folder copies selected plugins artifacts, directories, and files to the destination logically.  If you want to preserve Apple Extended Attributes make sure the destination drive is formatted APFS or macOS Extended.  Choosing the “Logical (Folder)” image type will allow you to import the data collected into most forensic tools.
    • TAR is a compressed logical data image that maintains native timestamps; able to be used in Mac or Windows forensic tools.
  • Image Name – Name for your forensic image.
  • Source Hash – This option will conduct a “pre-hash” of the files selected before the imaging.
  • Destination Hash – This option will hash the image output.
  • Mount – used for mounting a destination volume to select or create a directory
  • Start – begins the imaging process.

Keep in mind hashing may extend the imaging time.

14.Shutdown #


To shutdown RECON IMAGER just select the “Shutdown” button in the menu. You will be presented with a confirmation before the shutdown begins.

15.Updating RECON IMAGER #

RECON IMAGER comes with one full year of updates. After your license has expired you will be required to purchase an additional year in order to continue to receive updates. RECON IMAGER will not “lock” if your license expires.

You can find your expiration date by clicking on the “License Agreement” button.

RECON IMAGER updates and this documentation can be found here:


Please ensure that you verify the downloaded files by a hash value (i.e. MD5 and/or SHA1 Hash Values).  This can be done from the terminal running the md5 or shasum command:

Please follow the instructions below EXACTLY in order to properly update RECON IMAGER.

  1. You must have a Mac running macOS 10.13 or higher in order to perform the update.
  2. You also must be an Admin user and know your login password to perform the update. If you are a single user on a Mac you are an Admin. When RECON IMAGER prompts you for the password please enter your Mac login password to give the updater permission to run.
  3. To update RECON Imager download the latest dmg file from the above link.
  4. Double-click on the dmg file to mount the volume.  A window will open up that contains the RECON_Imager_Updater.app file. Drag the RECON_Imager_Updater.app to your desktop.
  5. Connect the RECON Imager USB to be updated to your Mac.
  6. Double-click on the RECON_Imager_Updater.app and follow the instructions provided by the application.

In the event that a license is renewed, a SUMURI representative will email the updated license file to the examiner.  The examiner simply has to delete the old license file(s) from the RECON Imager partitions (Mode A, B, C or RECON Imager Newer Macs & RECON Imager Default); the license file(s) are located at the root of the partitions.  The new license file(s) will then be added to the root of the RECON Imager partitions.

16.Support - Getting Help #

For support and troubleshooting please fill out a support ticket at SUMURI’s Help Desk:


SUMURI is located in Delaware, USA and our offices are open 0900 – 1700 EST (9AM – 5 PM).  SUMURI offices are closed during US Federal Holidays.

Help Tickets are typically handled during regularly scheduled business hours as soon as possible.

For comments or feature requests please email us at:


17.Terms and Conditions #


Copyright 2019 – SUMURI LLC



This RECON IMAGER is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This RECON IMAGER  is licensed, not sold.

End User License Agreement

This End User License Agreement (‘EULA‘) is a legal agreement between you (either an individual or a single entity) and SUMURI LLC with regard to the copyrighted software (herein referred to as RECON IMAGER  or ‘software’) provided with this EULA.   The RECON IMAGER  includes computer software, the associated media, any printed materials, and any ‘online’ or electronic documentation. Use of any software and related documentation (‘software’) provided to you by RECON IMAGER  in whatever form or media, will constitute your acceptance of these terms, unless separate terms are provided by the software supplier, in which case certain additional or different terms may apply. If you do not agree with the terms of this EULA, do not download, install, copy or use the software. By installing, copying or otherwise using the RECON IMAGER, you agree to be bound by the terms of this EULA.  If you do not agree to the terms of this EULA, SUMURI LLC is unwilling to license the RECON IMAGER  to you. 

Eligible License – This software is available for license solely to software owners, with no right of duplication or further distribution, licensing, or sub-licensing.

License Grant – SUMURI LLC grants to you a personal, non-transferable and non-exclusive right to use the copy of the software provided with this EULA. You agree you will not copy or duplicate the software. You agree that you may not copy the written materials accompanying the software. Modifying, translating, renting, copying, transferring or assigning all or part of the software, or any rights granted hereunder, to any other persons and removing any proprietary notices, labels or marks from the software is strictly prohibited.  Furthermore, you hereby agree not to create derivative works based on the software.  You may not transfer this software.

Copyright –  The software is licensed, not sold.  You acknowledge that no title to the intellectual property in the software is transferred to you. You further acknowledge that title and full ownership rights to the software will remain the exclusive property of SUMURI LLC and/or its suppliers, and you will not acquire any rights to the software, except as expressly set forth above. All copies of the software will contain the same proprietary notices as contained in or on the software. All title and copyrights in and to the RECON IMAGER  (including but not limited to any images, photographs, animations, video, audio, music, text and ”applets,” incorporated into the RECON IMAGER), the accompanying printed materials, and any copies of the RECON IMAGER, are owned by SUMURI LLC.  The RECON IMAGER is protected by copyright laws and international treaty provisions.  You may not copy the printed materials accompanying the RECON IMAGER.

Reverse Engineering – You agree that you will not attempt, and if you are a corporation, you will use your best efforts to prevent your employees and contractors from attempting to reverse compile, modify, translate or disassemble the software in whole or in part. Any failure to comply with the above or any other terms and conditions contained herein will result in the automatic termination of this license and the reversion of the rights granted hereunder to SUMURI LLC.

Disclaimer of Warranty – The software is provided ‘AS IS‘ without warranty of any kind. SUMURI LLC and its suppliers disclaim and make no express or implied warranties and specifically disclaim the warranties of merchantability, fitness for a particular purpose and non-infringement of third-party rights. The entire risk as to the quality and performance of the software is with you. Neither SUMURI LLC nor its suppliers warrant that the functions contained in the software will meet your requirements or that the operation of the software will be uninterrupted or error-free. SUMURI LLC is not obligated to provide any updates to the software for any user who does not have a software maintenance subscription.

Limitation of Liability – SUMURI LLC’s entire liability and your exclusive remedy under this EULA shall not exceed the price paid for the software, if any.  In no event shall SUMURI LLC or its suppliers be liable to you for any consequential, special, incidental or indirect damages of any kind arising out of the use or inability to use the software, even if SUMURI LLC or its supplier has been advised of the possibility of such damages, or any claim by a third party.

Rental – You may not loan, rent, or lease the software.

Transfer – You may not transfer the software to a third party, without written consent from SUMURI LLC and written acceptance of the terms of this Agreement by the transferee. Your license is automatically terminated if you transfer the software without the written consent of SUMURI LLC. You are to ensure that the software is not made available in any form to anyone not subject to this Agreement. A transfer fee of $150 USD will be charged to transfer the software (not applicable to transfers associated with orders from distributors, or resellers or intra-company transfers).

Upgrades – If the software is an upgrade from an earlier release or previously released version, you now may use that upgraded product only in accordance with this EULA.  If the RECON IMAGER is an upgrade of a software program which you licensed as a single product, the RECON IMAGER may be used only as part of that single product package and may not be separated for use on more than one computer.

OEM Product Support – Product support for the RECON IMAGER is provided by SUMURI LLC.  For product support, please call SUMURI LLC.  Should you have any questions concerning this, please refer to the address provided in the documentation.

No Liability for Consequential Damages – In no event shall SUMURI LLC or its suppliers be liable for any damages whatsoever (including, without limitation, incidental, direct, indirect special and consequential damages, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use or inability to use this ‘SUMURI LLC‘ product, even if SUMURI LLC has been advised of the possibility of such damages.  Because some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

Indemnification By You – If you distribute the software in violation of this Agreement, you agree to indemnify, hold harmless and defend SUMURI LLC and its suppliers from and against any claims or lawsuits, including attorney’s fees that arise or result from the use or distribution of the software in violation of this Agreement.

Jurisdiction – The parties consent to the exclusive jurisdiction and venue of the federal and state courts located in the State of Delaware, USA, in any action arising out of or relating to this Agreement. The parties waive any other venue to which either party might be entitled by domicile or otherwise.

Suggest Edit