This essential imaging functionality will be available in the upcoming MacQuisition 2019 R1 release and the output will be seamlessly ingested for analysis by BlackLight 2019 R1.
The logical imaging solutions currently on the market, including functionality offered in the previous version of MacQuisition, and competing solutions like Sumuri’s Recon and OpenText’s EnCase, miss critical file system information that only this new level of physical access will be able to deliver.
Every Mac computer, starting in late 2017, rely on Apple’s T2 security chip to offer hardware-assisted encryption for data stored on the system. Apple’s T2 encryption methodology is unique to each Mac, and critical data can only be decrypted using the keys stored in that systems T2 chip. Although it is infeasible to extract the encryption keys from the T2 chip at the moment, BlackBag has built the only solution that works with the chip to decrypt the filesystem at collection time, empowering examiners to capture the entire physical blocks that hold vital information and not just logical files.
In addition, unlike other products that need admin credentials just to obtain logical data, BlackBag can do this without the user’s credentials or a recovery key (credentials are only required if the additional security of FileVault protection is also enabled on the system).
As Microsoft and Apple both continue to update their systems, BlackBag will continue to deliver investigators the vital tools they need to reveal the truth in both Windows and Mac OS.