

“I have to be really careful about what I install or click, MacOS is not virus-proof” - no MacOS user ever.

After a short conversation, you suspect that it might be a RAT (remote administration tool). Damn, what if other computers in the company are infected as well? You need answers and you need them fast. The problem is: you have no forensic tools for MacOS, no idea how to take an image or where to collect artifacts (important pieces of information). On top of that, this is actually the first time you’re doing forensics on a Mac device. If you can imagine yourself in such a situation, welcome to this material.

This article is written by someone who is not an expert in forensics, for people who are also not experts in forensics but who would be the first responders to an incident if something were to go wrong. Hopefully, I can save you hours of research when those hours will be critical for you.

Part 1: Introduction.

Before we dig into the forensic analysis process, we first need to understand some key concepts about Mac computers and technologies.

APFS (Apple File System) is a proprietary filesystem developed by Apple and used in many Apple software products, including MacOS. APFS is fully supported in MacOS High Sierra (10.13) and above. It has limited support in MacOS Sierra (10.12).

FileVault is the MacOS full-volume encryption solution. FileVault volumes can be decrypted or unlocked with a local administrator’s password or a recovery key, which is created when FileVault is originally enabled.

In newer Macs, Apple added the T2 security chipset as an additional level of protection for the data contained on a Mac device.

Firmware Password.
