RECON ITR v26.0
macOS Imaging & Triage — Re-engineered
The most trusted name in macOS forensics, now rebuilt from the ground up for the modern Apple ecosystem.
Native Power. Modern Architecture.
Apple Native Integration: Built using native macOS libraries to ensure the highest level of stability and accuracy on both Intel T2 and Apple Silicon (M1 and beyond).
Optimized Resource Management: Improved memory handling and processing efficiency, specifically designed to manage data sources found in modern investigations.
Forensically Sound by Design: Retains the core forensic principles you trust, now with a more responsive, intuitive UI that streamlines your field-to-lab workflow.
Broad System Support: Seamlessly handle Apple Silicon and Intel T2 Security Chips, APFS File Systems, and Local Time Machine Snapshots.
Intelligent Write-Blocking & Disk Management
RECON ITR provides investigators with robust, built-in software write-blocking capabilities, eliminating the need for additional hardware in many forensic scenarios.
- Bootable Mode Security: By default, RECON ITR’s bootable environment for Intel devices is configured to prevent the auto-mounting of internal and external drives, ensuring volumes remain in a forensically sound state upon connection.
- Live Mode Control: In Live Mode, the investigator can disable native disk arbitration. This allows you to manually select and mount connected disks or partitions as Read-Only, preventing background processes from writing to connected drives during triage.
- Operational Transparency: Please note that during Live-Mode acquisitions, the host’s primary Data volume remains mounted by the active operating system. RECON ITR does not alter the native mount state of the running system disk or prevent background OS processes from writing to it.
Bootable Mode Security
Live Mode Control
Operational Transparency
Targeted Live Volatile Data Collection
- Running Processes & Opened Files
- Active Network & IP Addresses
- Clipboard Content
- Logged Users & Uptime
- System Profile & Mounted Volumes
See RECON ITR in Action
Forensics Simplified. Power Included.
Every new purchase of RECON ITR v26.0 now includes a full license of PALADIN PRO, providing investigators with a comprehensive imaging and triage solution that extends far beyond the Mac. By combining the specialized macOS power of RECON ITR with the cross-platform versatility of PALADIN, you gain the ability to handle Windows and Linux systems within a single, cost-effective workflow. Trusted by Law Enforcement, Military, and Corporate examiners worldwide, this bundle ensures you are equipped for any device you encounter in the field from day one.
Platform Compatibility & Coverage
| Platform | Imaging | Triage |
|---|---|---|
| macOS (Intel) | ✔ | ✔ |
| macOS (Apple Silicon) | ✔ | ✔ |
| iOS Backups | — | ✔ |
| Windows (via PALADIN) | ✔ | ✔ |
| Linux (via PALADIN) | ✔ | ✔ |
Why RECON ITR Swift?
- Active sessions
- Running processes
- Network connections
- System state
- Malware activity
The RECON Ecosystem
RECON ITR v26.0 is engineered to serve as the critical first step in a comprehensive forensic workflow. All forensic images and logical collections generated by the tool are produced in standardized, industry-recognized formats that are ready for import into RECON LAB. This compatibility ensures that the transition from field acquisition to deep-dive laboratory analysis is direct and efficient. Investigators can move their captured data into RECON LAB to leverage advanced analytical tools and automated reporting across data from macOS, iOS, Windows, and Linux.
DEMO REQUEST
Frequently Asked Questions (FAQ)
RECON ITR is the industry-leading macOS imaging, traige, and reporting solution developed by SUMURI. Version 26.0 represents a ground-up re-engineering of the application, transitioning to a native Swift-based architecture for enhanced stability and performance on modern Apple hardware. It remains an all-in-one solution for live triage, bootable imaging, logical imaging, and volatile data collection.
RECON ITR provides native support for the entire modern macOS ecosystem, including:
- Apple Silicon Macs (M1, M2, M3, and M4)
- Intel-based Macs (with the T2 Security Chip)
- APFS File Systems and APFS Snapshots
- FileVault
- Local Time Machine Snapshots
Note: Support for Windows and Linux environments is provided via the included PALADIN PRO.
- Native Architecture: Rebuilt from the ground up to leverage native macOS libraries and data models for maximum accuracy.
- Dual-Mode Imaging: Offers both bootable and live imaging modes to adapt to the specific constraints of your investigation.
- Built-in Write-Blocking: Features integrated software write-blocking and disk arbitration management for forensically sound acquisitions.
- Integrated Triage: Automatically parses thousands of artifacts using hundreds of specialized plugins to provide answers in seconds.
- Preservation: Maintains original metadata and timestamps during logical imaging and targeted collections.
Yes. RECON ITR produces forensic images in industry-standard formats. These images are compatible with RECON LAB for deep-dive analysis and can also be processed by most major third-party forensic suites.
- The RECON ITR tool (with both Live and Bootable modes) installed on a single SSD
- A free copy of PALADIN PRO on a separate USB drive to extend your capabilities to Windows, Linux, and older macOS systems.
Recon ITR Swift is designed for:
- Digital forensic examiners
- Incident response teams
- Law enforcement
- Corporate investigators
- Military & federal agencies
It is built for both novice investigators who need quick answers and advanced examiners who require locked images for deeper artifact analysis later.