The Mac Acquisition kit is intended to capture data from Apple laptops using the SuperImager Plus Forensic Portable or Rugged units through their Thunderbolt 4.0 port or a network port. The TB/Mac Kit includes:
- USB to 2.5 Gigabit/s Ethernet adapter (USB 3.0 or USB-C)
- Mac M1/M2 special remote capture agent (downloadable)
- Ethernet Crossover cable (shared with remote capture KIT)
- 1394 B to B Cable
1) A Mac with a 1394 port is connected to the Thunderbolt 3.0 Expansion Box (with a 1394 controller installed) using the 1394B to B extension cable. The Thunderbolt 3.0 Expansion Box is connected to the SuperImager T4 port. The Mac is set to target mode to capture a raw image.
2) A Mac with an M1/M2 CPU and a Thunderbolt 3.0 port is connected using a USB to 2.5 Gigabit/s Ethernet adapter, a crossover cable plugged into the SuperImager Ethernet port, and the M1/M2 USB agent application. The user can capture files and folders.
The Thunderbolt 3.0 Expansion Box and 1394 controller are optional.
Remote capture of data from MacBook laptops with M1/M2 CPUs (in beta testing).
1. Capturing data from a MacBook with a 1394 port (T1/T2 Security chip) is accomplished via the 1394 interface. The user needs to disable the security feature on the Mac and put the Mac in target mode, then connect the Mac to the TB expansion box via the 1394 interface (with some adapters and cables). The Thunderbolt box needs to have a 1394 controller, and it needs to be connected to the SuperImager Plus unit via the Thunderbolt 4.0 port.
2. Remote Capture for laptops with Intel-based CPUs has existed for many years, using a network crossover between the laptop and the SuperImager Plus unit.
3. Remote Capture for Macs with M1/M2 CPUs. Those laptops cannot be put in target mode, and they act as shared network devices, so capturing data is similar to the Remote Capture in 2.
Some settings need to be changed on the MacBook side, such as disabling security features and enabling “Superuser” to have access to the device (see the instructions below).
After that, the Mac needs to be connected to the SuperImager either 1) via a network crossover cable or 2) by connecting both the Mac and the SuperImager Plus to the same network. (The user will have to establish the network settings and communication.) For a Mac and SuperImager with Thunderbolt 3.0/4.0 ports, the user can use Thunderbolt to 10 Gigabit/s adapters on both sides for a fast connection.
Once communication is established, the user can run all the forensic capture methods, from DD/E01/raw to Triage capture. Be aware that some MacBooks are formatted with 4k, so for a raw image it is advised to use target/destination drives that are physically formatted 4k.
Here is the procedure:
1. Prepare the USB flash drive with the remote agent
a) Insert the USB flash drive into your Mac
b) Open Disk Utility
c) Erase it and format it to MacOS
d) Unzip the supplied agent zip file onto it
2. For the agent to have full access to the file system, disable System Integrity Protection (SIP)
Starting with OS X El Capitan, Apple, Inc. introduced System Integrity Protection (SIP), a security feature that protects the essential parts of OS data on the system disk from unwanted alterations. It increases the level of system security but, at the same time, severely restricts access to files on the disk.
a) Restart your Mac computer
b) Simultaneously press and hold the Command and R keys during startup to boot the computer into the MacOS Recovery mode
c) In the Utilities menu, select Terminal
d) In the Terminal, type in "csrutil disable" and press Enter. There should be a message that System Integrity Protection was successfully disabled
e) Restart your Mac computer
3. Establish a network connection between the Mac and the SuperImager unit, and make sure that both units are located on the same local network.
The Mac can be connected to the network via WiFi, a USB to Ethernet adapter, or a Thunderbolt to Ethernet adapter. The Ethernet connection can either use the local router with DHCP or a cross-over RJ45 cable with manual IP addresses.
4. Start the agent in full access mode
a) Insert and mount the USB flash drive with the agent
b) Open Terminal
c) In the Terminal, type "sudo open"
d) Drag the MC_RemoteCapture agent to the Terminal window, and the path to the application will be displayed
e) Press Enter, and the agent should start and display the local IP address and the internal SSD
5. On the SuperImager unit, follow the instructions for the Selective Capture operation if file-level capture is desired, or Mirror/LinuxDD/Encase Capture if capturing the entire physical image.
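A pre-flight check for the Mac side of this procedure, added here as an example (it is not part of the vendor's kit or agent): it confirms from `csrutil status` that SIP is disabled and reads the source disk's block size from `diskutil info` for the 4k caveat above. The function names, the sample output, the `disk0` identifier and the destination block size passed in by the examiner are assumptions of this example.

```sh
#!/bin/sh
# Added example (not vendor code): checks to run on the Mac before starting the agent.
# The parsers read command output on stdin, so they can be tested offline.

# Reduce `csrutil status` output to: enabled | disabled | unknown
sip_state() {
  awk -F': *' '/^System Integrity Protection status:/ {
      s = tolower($2); sub(/[. ].*$/, "", s)   # drop trailing "." or " (...)"
      print s; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Print the "Device Block Size" value (bytes) from `diskutil info <disk>` output.
device_block_size() {
  awk -F': *' '/Device Block Size:/ { split($2, a, " "); print a[1]; exit }'
}

# Args: SIP state, source block size, destination block size (assumed to be
# supplied by the examiner from the destination drive's specification).
# Returns 0 = ready, 1 = SIP not disabled, 2 = 4k source but non-4k destination.
preflight() {
  sip=$1; src=$2; dst=$3
  if [ "$sip" != "disabled" ]; then
    echo "STOP: SIP is '$sip'; the agent will not get full file system access"
    return 1
  fi
  if [ "$src" = "4096" ] && [ "$dst" != "4096" ]; then
    echo "WARN: source uses 4k blocks; raw image destination reports $dst bytes"
    return 2
  fi
  echo "OK: SIP disabled, source $src bytes, destination $dst bytes"
}

# Constructed sample output, not captured from a real machine.
SAMPLE_CSRUTIL='System Integrity Protection status: disabled.'
SAMPLE_DISKUTIL='   Device Identifier:         disk0
   Device Block Size:         4096 Bytes
   Disk Size:                 500.3 GB'

# On the Mac: preflight "$(csrutil status | sip_state)" \
#                       "$(diskutil info disk0 | device_block_size)" 4096
preflight "$(printf '%s\n' "$SAMPLE_CSRUTIL" | sip_state)" \
          "$(printf '%s\n' "$SAMPLE_DISKUTIL" | device_block_size)" 4096
```

Recording the printed result in the case notes documents the state of the Mac at the time the agent was started.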