Overview of Mac system security and its impact
on digital forensics process
D. Sladović¹, D. Topolčić¹ and D. Delija²
¹ INsig2 d.o.o., Zagreb, Croatia
² Zagreb University of Applied Sciences, Zagreb, Croatia
[email protected], [email protected], [email protected]
Abstract - Nowadays there are three main operating systems in use, and Mac OS is one of them. Apple has published many iterations of its operating system and with them introduced many new features related to system security. Even though security-related changes usually go unnoticed by users, in the world of digital forensics they present a challenge. Today encryption can be implemented at both the hardware and the software level, which can make imaging a Mac OS machine difficult. Besides, security that is meant to protect user data is also used by criminals to restrict access to their computers. This paper focuses on the differences and problems that occur while creating a forensic image and extracting data from Mac OS. On top of that, it depicts the impact that devices equipped with the “T1” or “T2” security chip have on the digital forensic process, and the remediation methods.
Keywords - Mac OS forensics; forensic image; data extraction; T1; T2; encryption
I. INTRODUCTION
Through this paper, the reader will be introduced to the field of Mac OS forensics and the problems that a forensic investigator can encounter. Another focal point will be the comparison of Apple’s “T1” and “T2” security chips, their features and benefits for users, but also the impediments an investigator can encounter while analyzing devices that have these chips. The next part shows what the investigator must do when encountering an unlocked Apple device in order to preserve as much digital evidence as possible. A few software solutions will be tested to see what their limitations are regarding the bypassing of Apple’s security features, and what an investigator can do to recover or image a disk if an Apple device (i.e. a Macintosh notebook) is protected or locked in different ways. Finally, the paper is summed up with a conclusion based on the research and the testing of the available tools.
II. MAC OS FORENSICS
Digital forensics investigators traditionally deal with Windows machines, but since the increase of Apple’s popularity their devices can be seen everywhere, from regular users and enthusiasts to corporate use for music production, photography, video editing, web development and more. These are the reasons why every investigator today must have the core skills to analyze Apple devices, or at least be knowledgeable about how to do the triage. A forensic investigator has to follow a protocol during the examination and acquisition process because every operating system is different: artifacts are located in different locations on the hard drive, and all these various artifacts can be useful during an investigation [1]. Important groups of forensic artifacts found on Mac OS are:
• System artifacts – consist of records related to the system configuration, OS version, Time zone, Language, MAC address, Start-Up folders, etc.
• User Profile – records related to user settings, Keychain, Recent folders, DOCK (persistent apps), Safari browsing history, Apple Mail, USB devices
• Logs – System logs, Network logs, User logs, etc.
Some important steps before seizing or acquiring data from Mac OS devices are:
• get the administrator/user or firmware password, FileVault password, recovery key, iCloud credentials, Apple ID and password (if possible) in case the device is locked; in some cases that will be the only possible way to create a disk image;
• know how to analyze and acquire data from the Hierarchical File System (HFS+) and the Apple File System (APFS);
• find out what the allocation block size is, because if the block sizes of source and destination are not identical the data will not be copied properly, which is the main reason for errors appearing during the acquisition (destination drives for the acquisition must be block-size aware);
• if FileVault is enabled, create a logical image of the disk while the machine is unlocked and powered on;
• know how to recognize a Fusion Drive, because if both disks are not retrieved and imaged the data cannot be recovered;
• know how to recognize the use of RAID, because if not all disks from the RAID are found the data cannot be recovered;
• recover the original charger of the device;
• if the device is unlocked or turned on, remember to turn off “Secure Boot” and enable booting from external devices on machines that have the T2 chip [1, 2, 3].
III. MAC OS SECURITY
From a forensic standpoint, Apple has built its reputation around its encryption standard, which can obstruct a forensic investigation. Apple devices are very powerful when it comes to destroying data or making it unrecoverable, because on the newer machines the encryption is turned on from the start thanks to the T2 chip. Another point regarding Mac OS encryption (FileVault) is that in case of remote
MIPRO 2020/ISS 1493
wiping only the decryption keys are deleted which leaves
all the data scrambled and unrecoverable.
A. T1 security chip
The Apple T1 chip, model number “APL1023”, is an ARMv7 System on a Chip (SoC) that was introduced in 2016. Its main purpose was to handle the processing for the “Touch ID” sensor in the first MacBook Pro equipped with the Touch Bar. As previously mentioned, the T1 chip is based on a 32-bit ARMv7 SoC from Apple and runs “bridgeOS”, a variant of “watchOS”. The T1 chip is also used to lock sensitive components like the built-in microphones and cameras, and it hosts the “System Management Controller” (SMC), which is responsible for heat and power management, battery charging and the sleep and wake-up functionality of the Mac. T1 is also used to check whether Mac OS is running on genuine Apple hardware.
T1 has a built-in “Secure Enclave” that stores the user’s fingerprint for “Touch ID”. It also protects security keys against malware attacks, because it is designed to prevent brute force attacks on the chip and its Secure Enclave [4].
B. T2 security chip
The Apple T2 chip, model number “APL1027”, was introduced in October 2018. The T2 chip is made to act as a co-processor; it is based on the Apple A10 processor, a 64-bit ARMv8 processor that can be found in the iPhone 7 and 7 Plus. The difference between the A10 and T2 processors is that the T2 has only one T801x core. Like the T1, this processor has a separate Secure Enclave Processor (SEP). The T2 processor is used to implement the “Secure Boot” feature. Since the T2 chip has better performance than the T1 chip, it also handles more tasks, such as early boot tasks. It secures data storage at rest: it encrypts data on the SSD using dedicated AES hardware with a 256-bit key tied to a unique identifier in the chip itself, which does not affect the SSD’s performance. To make the data on the Mac more secure in cases where an attacker has physical access to the machine, Apple placed the T2 security chip between the CPU and the storage; the CPU no longer has direct access to the data through the PCIe/NVMe path, which ultimately makes imaging the disks harder for forensic investigators. Flash storage is placed on an isolated bus, and the user data can only be accessed by the “Direct Memory Access” (DMA) crypto engine [4]. Because of the T2 chip encryption and its physical placement, when “FileVault” is enabled the encryption is done quickly and by the T2 chip, enabling the user to use Mac OS normally during the encryption process. The decryption key is a combination of the Macintosh’s unique hardware ID and a user-provided passphrase, which adds another layer of encryption on top of the regular T2 chip encryption.
Additional features of the T2 chip are:
• encryption is on by default;
• it prevents booting from an external device unless the security options are changed (changing the security options requires the administrator password);
• the live-boot drive cannot be imaged;
• a Macintosh with the T2 chip can be booted into “Target Disk Mode” and connected to another Macintosh computer that is booted into acquisition software (MacQuisition, Recon Imager);
• a Macintosh with the T2 chip can be imaged by selecting the physical drive or the APFS container;
• if FileVault is off, the logical data of a T2 Macintosh can be browsed.
In case of repairs, the Mac goes through a hardware check to ensure genuine parts have been used for the replacement [5].
C. Firmware password
The firmware password is a type of hardware-level security that prevents people from resetting the user’s password or reinstalling OS X without authenticating themselves first. Ultimately this means that digital forensic investigators will not be able to access any features that will allow them to boot from external bootable media and create a disk image of the Mac OS.
Features that are protected by the firmware password:
• blocked start-up from an optical disk (“C” key);
• blocked start-up from the diagnostic volume of the install DVD (“D” key);
• blocked start-up from a NetBoot server (“N” key);
• blocked start-up in Target Disk Mode (only for machines that offer this feature), the so-called “T” key;
• blocked start-up in Verbose mode (activated by pressing “Command+V” during startup);
• blocked start-up in single-user mode (“Command+S”);
• blocked reset of the Parameter RAM (PRAM), which is accessed using the “Command+Option+P+R” key combination;
• a password is required to execute commands in Open Firmware mode (entered with the “Command+Option+O+F” key combination);
• Safe Boot mode is blocked by prompting for a password (the mode is accessed by pressing the “Option” key during startup) [6].
The firmware password makes the process of disk imaging even harder for the examiner. In case when the firmware password cannot be obtained from the suspect, it can be impossible for even the most skilled forensic investigator to image the suspect's Macintosh computer. This is because Mac OS will not allow any boot from any other device, except the one containing the OS, even with “Secure boot” and “External boot” protection turned off.
The BIOS chip that contains the firmware password can in some cases be replaced with another chip that is specifically programmed to work on the machine. It is also possible to remove the password using a method called “SPEG programming”, which allows the programmer to remove the password from the BIOS chip without desoldering it. But these two methods are not forensically sound because, in both cases, the Mac is reset to its factory settings and all data is lost [8].
Another method of possibly removing or bypassing the firmware password is by using the “Matt Card” to bypass the built-in EFI ROM permanently. The “Matt Card” is an alternative to removing and exchanging the EFI ROM chip with a preprogrammed one. This “card” can be plugged into a connector on the motherboard and, as long as it is connected, the firmware password will not be needed. To use the “Matt Card” the investigator must turn off the Macintosh computer, plug in the correct “Matt Card” for the motherboard in the locked Macintosh computer and power on the computer. This hardware is used by Macintosh repair businesses to gain access to Macintosh devices but can be in some cases useful while imaging the devices [16].
D. Secure Enclave
As mentioned earlier, the Secure Enclave is a hardware-based key manager that is isolated from the main CPU, which creates an additional security layer. The “Secure Enclave” contains the keychain decryption key and can be accessed only by authorized applications. The benefit of using the “Secure Enclave” is that, after the user stores a private key in it, the handling of the key is done only by the “Secure Enclave”, which ultimately makes it hard for the key to become compromised. When operations are handled by the “Secure Enclave”, the user receives only the operation outputs, such as the outcome of a cryptographic signature verification or encrypted data. The only downside of this whole process is that, when the “Secure Enclave” is used to handle these operations, the stored passwords have to be decrypted and saved in plain text in system memory.
The benefits of the “Secure Enclave” are balanced by a few restrictions. The “Secure Enclave”:
• is a hardware feature of the A7 series processor. It is only supported by iOS devices that have an A-series processor and by Macintosh computers equipped with the Touch Bar required for the Touch ID feature;
• stores only 256-bit elliptic curve private keys, which can be used to create and verify cryptographic signatures or for elliptic curve Diffie-Hellman key exchange;
• cannot import pre-existing keys. The keys used by the “Secure Enclave” must be created inside it. This is the fundamental principle that makes the “Secure Enclave” secure from attacks.
This is another example of how the Apple security features make a locked Macintosh computer hard to investigate or to retrieve evidence from, especially when the subject of the investigation requires authentication or decryption keys [7].
E. FileVault
FileVault is a disk encryption program available for Mac OS X 10.3 and later. It performs on-the-fly encryption on volumes of a Macintosh computer. When FileVault was first introduced it only encrypted the user's “Home” directory, and it had a lot of implementation problems and bugs. It was fully redesigned and published in 2011 with Mac OS X 10.7 (“Lion”). FileVault 2 was introduced with full-disk encryption (FDE) functionality: when it is enabled, the entire contents of a drive become encrypted. After a shutdown, all data remains unrecoverable until the password is entered again. FileVault 2 made it possible to remotely wipe the disk in case of laptop loss. That is possible because FileVault 2 relies on the encryption key and, when a user wipes a drive secured with FileVault 2, the key is erased, which makes all the data unobtainable for anyone. Another interesting fact about FileVault 2 is that even if the Macintosh machine is running in “Guest mode” it can be remotely wiped in case of theft or loss [14].
Apple Macintosh devices equipped with the T2 chip have an additional security feature inherited from iOS devices: a delay after a specific number of incorrectly entered passwords. Similar to iOS, where the device gets disabled after 9 password attempts, the Macintosh machines allow a maximum of 30 attempts at entering the user password, with the delays specified in Figure 1. If a user or investigator uses up the 30 attempts to log in without success, then rebooting the Macintosh computer into Mac OS Recovery grants 10 more attempts to log in. If that is not sufficient, then the user or investigator has 30 attempts for each additional method of decryption: iCloud recovery, FileVault recovery key and institutional key. When all the attempts are exhausted, the “Secure Enclave” will no longer process any decryption attempts for the volume, and the volume remains useless and unrecoverable; it can only be erased to allow a clean system to be installed on it. Using this method Apple renders brute force attacks useless [15].
IV. IMAGING MAC COMPUTERS
Imaging a Macintosh computer is, as in all branches of digital forensics, a very important step. Unlike the Windows machines that everybody is used to imaging, Mac OS can present a greater challenge to the forensic investigator. That is because of all the security features these machines are equipped with, such as Secure Boot, External Boot, and user and firmware passwords. Because of all these security measures, the best-case scenario for a forensic investigator is to find a powered-on and unlocked Macintosh computer. The investigator will then have access to all, or most, of the data on the machine. For example, the newest Macintosh computers give the investigator a chance to image the hard drives, but without the user’s password the “Physical memory” or RAM cannot be imaged even with specialized tools such as “MacQuisition”. Today all Mac OS users are required by the OS to secure their computers with a password. On top of that, systems newer than Mac OS version 10.7 do not allow automatic login by default, which makes it harder to acquire a forensic image of a machine. Since the release of macOS 10.14 Mojave, Apple has implemented Fusion Drives for the APFS file system. This functionality can combine two different drives, such as an SSD and an HDD of different capacities (SSD 128GB, 1,2,3 GB HDD), combining their capacity. The important fact about the “Fusion Drive” is that it creates a separate virtual disk, the so-called “APFS Container” (shown in Figure 2), with the combined capacity of both disks. The important thing to remember when imaging these drives is that the forensic investigator must choose the container as the source disk and the AFF4 image format [10].
Figure 1. Macintosh delays between password attempts [15]
A. MacQuisition disk imaging
MacQuisition [10] is a forensic acquisition and imaging software that supports many Mac OS versions and also has the functionality to image “Physical memory” or RAM from a live machine. It is capable of running within the OS X boot environment. MacQuisition is also the first forensic tool capable of creating a physical image of a Macintosh equipped with the Apple T2 chip. MacQuisition supports booting into a forensically safe environment, can acquire data from over 185 different Macintosh computer models in the native environment and can even image “Fusion Drives” [11].
During testing, MacQuisition proved to be an excellent tool to image a powered-off or live Mac machine. During a live acquisition (when Mac OS is unlocked) MacQuisition first prompts for the user password. After the password is entered, MacQuisition instantly detects that full disk encryption is enabled and lists the encrypted drives (as in Figure 3), which is a good reminder for the investigator to create a logical image of the drives while they are unlocked. A RAM dump can also be created, but only if the investigator knows the user password. In the live scenario MacQuisition can only create a logical image of the machine; even though BlackBag states that it can create a physical image of a T2-equipped Macintosh, that is only possible while the machine is shut down, because the T2 chip is used by the operating system for real-time decryption.
If performing a post-mortem acquisition, the investigator must know at least the user password to be able to image the drives. The drives on T2-equipped Macintosh computers are encrypted by default. If FileVault 2 is enabled the disk can still be imaged, but the investigator has to provide the FileVault password, the recovery key or the keychain file of the Mac OS to decrypt and image it. Using MacQuisition the investigator can make a logical or physical copy of the suspect's disk. In another scenario, in which the Macintosh has “Secure Boot” enabled, the investigator will not be able to boot any forensic software and will be prompted to restart into macOS or to access recovery mode using the key combination “Command+R” to disable the “Secure Boot” and “External Boot” options. To successfully boot the machine with forensic software, the investigator has to know the user password that protects the “Startup Security Utility” and disable all the security features in it.
B. Recon Imager data acquisition
Recon Imager [19] is another commercial forensic tool made to image Mac OS. It is a bootable imaging utility that supports all modern Intel-based Apple computers, including the newest Macintosh computers. Recon Imager is based on a Mac OS environment modified to be forensically sound, and it ensures write protection for internal and external media. Like MacQuisition, Recon Imager also has the functionality to identify Apple File System (APFS) containers and disk volumes, FileVault, Fusion Drives and Core Storage volumes. Recon Imager has three different versions or modes that provide support for Macintosh computers with different hardware. Another functionality of Recon Imager is the possibility of imaging RAM without the need to type in the user or administrator password. The image of RAM will only contain residual data from previous sessions, because the RAM imaging functionality is accessed from the boot environment, and the amount of data left in the RAM can differ depending on the size of available memory and the software that was run on the machine [12, 13].
V. RECOVERING DATA FROM FILEVAULT
As mentioned earlier, to recover a user’s data from an encrypted FileVault disk the best-case scenario is to have the user’s password. The password can be recovered during the interview with the user or suspect, or by finding it written down somewhere; the investigator then has everything needed to gain access to the user’s data. If the password cannot be acquired, the next step is to search for the recovery key, which enables the investigator to decrypt the disk using recovery mode, accessed by pressing and holding the “Command+R” keys. Another option is to recover the key from the iCloud backup and decrypt the drive. The next scenario would be to use the keychain from the suspect’s Mac OS and decrypt the drive with it. If the locked Macintosh is part of a company network that has a group policy set to enable FileVault by default, it is very likely that the system administrator has set the policy to store all the passwords centrally. This means that the administrator can potentially provide the password to unlock the Mac, under the assumption that he is not involved in the crime. The last solution would be to look for another user with an “Administrator” account whose password is known or, an easier way, to guess the password using the user's hint. All the passwords can be changed from the “Users & Groups” settings, and using this method the suspect's account can be unlocked. This method is applicable in cases that take place in a company, and is less likely to apply in cases where private people are involved. If the investigator cannot use any of the previously mentioned methods, he will be forced to recover the password using different recovery methods: brute force attack, dictionary attack, etc. The biggest problem with recovering the key in all brute force attacks is that it takes too long, even with a high-end computer.
Figure 2. Recognizing and imaging a “Fusion Disk” [9]
Figure 3. MacQuisition Full Disk Encryption detection
A. FileVault Cracker
The first tool to try for recovering the FileVault password would be “FileVault Cracker”, an open-source tool made to recover the encrypted drive password using a dictionary attack. This tool was developed as a private project and is not finished, which means that some bugs or errors can occur during use. It can be used to recover passwords from “CoreStorage” drives using the HFS+ file system. The software is available on GitHub [17], written by the user “macmade”. It is an Xcode project that must be compiled to work. The software has a simple and intuitive user interface (Figure 4), and the only thing required from the user is to enter the encrypted drive's UUID. FileVault Cracker already contains a dictionary file, which the user can change easily using the user interface. Additional settings are to generate case variants for words up to 20 characters, to generate common derivations for words up to 20 characters, and to choose the number of threads the software will use while recovering the password.
B. John the Ripper and Hashcat
The tools John the Ripper and Hashcat can also be used to recover FileVault 2 passwords. This chapter explains in short how to recover a FileVault 2 password on the “HFS+” and “APFS” file systems.
To start the recovery of a FileVault 2 password on the “HFS+” file system, some requirements have to be fulfilled:
• this will work for target systems on a MacBook Air running macOS v10.12.6;
• the attacker machine has to be an iMac running Mac OS 10.14.2;
• the investigator must download and compile “fvde2john” and “Hashcat” on the iMac.
The next step in this process is to run the MacBook Air in “Target Disk Mode” (meaning that the Macintosh device works as an external drive); the target device must be connected to the iMac via Thunderbolt, FireWire or USB. When the two machines are connected, the investigator can run the command “diskutil list” on the iMac to see all available disks. After the investigator has found the target disk (which is marked as external), the next step is to identify the “Apple_Boot Recovery HD” partition. Then the “Recovery HD” partition must be mounted using “diskutil mount /dev/disk_s_”, where the name of the disk can be found in the “IDENTIFIER” column. The next command to run is “find /Volumes/Recovery\ HD -name Encry*”, which finds the file whose name contains the string “Encry”. To obtain the hash of the encrypted volume, the next command must be executed: “sudo ./fvdetools/fvdeinfo -e /Volumes/Recovery\ HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p don't-know /dev/disk2s2”. The MacBook can then be unmounted and “hashcat” run using the command “./hashcat/hashcat -a 0 -m 16700 -o found.txt hash.txt wordlist.txt”, which will recover the decryption password. The duration of the recovery process can vary depending on the simplicity and length of the password and on the encryption algorithm [18].
In the next few lines, recovering the FileVault 2 password from an APFS file system will be explained. This process can be used on a MacBook Pro running macOS v10.14.2, which will also be the target machine. For this method of password recovery the attacking machine is running Ubuntu 19.04. For this process to be successful, “apfs-fuse” must be installed, which is a read-only driver for interpreting data from and recognizing disks that use the APFS file system. After the “apfs-fuse” driver is successfully installed, which is indicated by the message “[100%] Built target apfs-fuse” in the Ubuntu “terminal”, the next step is to put the source or suspect's machine into “Target Disk Mode” and connect it to the Ubuntu machine. Using the Ubuntu “terminal”, the investigator must determine which disk name belongs to the encrypted drive. The correct drive is determined using the command “cat /proc/partitions” in the “terminal” window; the output will look like Figure 5. When the name of the encrypted drive is determined, the investigator is ready to acquire the encrypted disk’s hash value. The hash value is generated using the command “sudo ./apfs-dump-quick /dev/sdb log.txt”, in which “sdb” represents the name of the encrypted disk. The values used to create the hash can be found next to the identifiers “Salt”, “Iterat’s” and “KEK Wrpd”; these values will look similar to Figure 6. To arrange the hash so that it is recognized by “hashcat”, the values next to the identifiers are combined, in that order, after the prefix “$fvde$2$16$”, with a “$” sign between each value (Salt, Iterat’s, KEK Wrpd), joining them into a single hash value. When the hash has been created, the recovery of the password using “hashcat” can be started. If “hashcat” is not installed on the Ubuntu machine, the first step is to install it. The command “hashcat -a 0 -m 18300 -o found.txt hash.txt wordlist.txt” can be used to start the password recovery. This particular command uses hashcat’s dictionary attack to recover the FileVault 2 password from an APFS drive [18].
Figure 4. FileVault Cracker
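Both procedures above hinge on reading the right values out of tool output: the HFS+ path needs the identifiers of the “Apple_Boot Recovery HD” and CoreStorage partitions from “diskutil list”, and the APFS path needs the Salt, Iterat’s and KEK Wrpd values assembled behind the “$fvde$2$16$” prefix for hashcat mode 18300. The Python helpers below are added here as an example and are not code from the paper, fvde2john, apfs-fuse or hashcat; the sample outputs are constructed and only approximate the real tool output, so the parsers key on the labels the paper names rather than on column positions, and the hash builder rejects malformed values instead of writing a line hashcat would silently reject.

```python
import re

# Constructed sample of "diskutil list" output: an internal APFS disk and the
# suspect MacBook attached in Target Disk Mode (the "external" disk).
SAMPLE_DISKUTIL = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         499.9 GB   disk0s2

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Macintosh HD            120.5 GB   disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3
"""

# Constructed excerpt of the apfs-dump-quick log; the labels are the ones the
# paper names, the hex values are made up and carry no real key material.
SAMPLE_APFS_LOG = """\
Password hint : the usual one
Salt          : fedcba9876543210fedcba9876543210
Iterat's      : 187429
KEK Wrpd      : 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


def find_target_partitions(diskutil_output):
    """Return (recovery_hd_id, corestorage_id) for the first external disk,
    i.e. the suspect Mac in Target Disk Mode.  The IDENTIFIER column is the
    last token of each partition row, which is what "diskutil mount" and
    fvdeinfo need as /dev/<identifier>.  Raises ValueError if either is absent."""
    recovery = corestorage = None
    in_external = False
    for line in diskutil_output.splitlines():
        if line.startswith("/dev/disk"):          # disk header, e.g. "/dev/disk2 (external, physical):"
            in_external = "external" in line
            continue
        cols = line.split()
        if not in_external or len(cols) < 4:      # skip internal disks and blank/header rows
            continue
        if "Apple_Boot" in cols and "Recovery" in cols and "HD" in cols:
            recovery = recovery or cols[-1]
        elif "Apple_CoreStorage" in cols:
            corestorage = corestorage or cols[-1]
    if recovery is None or corestorage is None:
        raise ValueError("external disk has no Recovery HD / CoreStorage partition")
    return recovery, corestorage


# Label patterns as the paper names them; "KEK Wrpd" may be padded with spaces.
_LABELS = {"salt": r"Salt", "iterations": r"Iterat's", "kek": r"KEK\s+Wrpd"}


def extract_apfs_values(log_text):
    """Pull the three values the paper names out of the apfs-dump-quick log."""
    found = {}
    for key, label in _LABELS.items():
        m = re.search(r"^\s*" + label + r"\s*:\s*(\S+)\s*$", log_text, re.M)
        if m is None:
            raise ValueError("label for %r not found in log" % key)
        found[key] = m.group(1)
    return found


def build_hashcat_18300(salt_hex, iterations, kek_hex):
    """Assemble "$fvde$2$16$<salt>$<iterations>$<wrapped KEK>" for hashcat
    mode 18300 (APFS).  The fixed "16" in the prefix is the salt length in
    bytes, so a salt that is not 32 hex digits is rejected up front."""
    for name, value in (("salt", salt_hex), ("kek", kek_hex)):
        if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) % 2:
            raise ValueError("%s is not an even-length hex string" % name)
    if len(salt_hex) != 32:
        raise ValueError("salt must be 16 bytes (32 hex digits) for the $fvde$2$16$ prefix")
    count = int(iterations)
    if count <= 0:
        raise ValueError("iteration count must be positive")
    return "$fvde$2$16$%s$%d$%s" % (salt_hex.lower(), count, kek_hex.lower())


def hashcat_line_from_log(log_text):
    """One shot: apfs-dump-quick log text -> the line written to hash.txt."""
    v = extract_apfs_values(log_text)
    return build_hashcat_18300(v["salt"], v["iterations"], v["kek"])


if __name__ == "__main__":
    print(find_target_partitions(SAMPLE_DISKUTIL))
    print(hashcat_line_from_log(SAMPLE_APFS_LOG))
```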
VI. CONCLUSION
Through this paper, most of the issues and impediments that the investigator has to overcome have been covered. The whole process of bypassing the security system will only allow the investigator to acquire or image a drive of a Mac OS machine. The T1 and T2 security chips and their functionality have been covered. Because of these security upgrades, which made it harder for investigators to deal with Apple, or specifically Macintosh, devices, all this information leads to the conclusion that the best and easiest way of acquiring data is when the Apple device is found turned on and unlocked. As shown in one of the examples, even when Mac OS is unlocked the physical memory cannot be imaged without entering the user’s password, which in the world of Windows forensics is an almost trivial task. The recovery of FileVault 2 passwords is a difficult task by itself, even on the older Macintosh machines that do not have the T2 security chip. It is well known in the forensic community that a password longer than 10 characters is impossible to recover using brute force attacks, and the use of uppercase and lowercase letters and special characters in passwords makes the recovery exponentially more difficult. The T2 security chip plays a big role in the security of Apple devices and in digital forensics, mostly because of the security features that prevent the acquisition of disks on Apple machines. The biggest problem for forensic investigators is the placement of the T2 chip: it sits between the CPU and the disk on a secure bus, which makes it impossible to acquire and decrypt data without using the T2 chip for decryption. All in all, Apple's security and encryption are getting stronger with every new iteration. Even now there are only a few solutions that can recover data from encrypted Apple devices, which makes the forensic investigation of such devices impossible for an investigator who does not know how to use these solutions.
VII. REFERENCES
[1] Niranjan Reddy, Mac OS Forensics, Practical Cyber Forensics, Apress, Berkeley, CA, pp. 101-132, July 16, 2019.
[2] Sarah Edwards, SANS: Mac and iOS Forensic Analysis and Incident Response (2020). Retrieved from: https://www.sans.org/course/mac-and-ios-forensic-analysis-and-incident-response
[3] Kevin J. Ripa, Computer Evidence Recovery, Forensic Acquisition of Mac Computers (Mar 8, 2016). Retrieved from: http://www.computerpi.com/forensic-acquisition-of-mac-computers/
[4] Pepijn Bruienne, Duo Security, Apple iMac Pro and Secure Storage (May 2, 2018). Retrieved from: https://duo.com/blog/apple-imac-pro-and-secure-storage
[5] John Martellaro, The Mac Observer, How Apple’s T2 Security Chip Affects Your Disk Storage (Jan 10, 2019). Retrieved from: https://www.macobserver.com/tips/deep-dive/apple-t2-security-chip-disk-storage/
[6] Forensic Focus, MacBook Air firmware password (Jun 23, 2014). Retrieved from: https://www.forensicfocus.com/Forums/viewtopic/t=11911/
[7] Apple Developer, Storing Keys in the Secure Enclave (2020). Retrieved from: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
[8] ALLservice, Service Forum, Unlocking firmware, PIN & iCloud. Apple iMac, MacBook (Apr 9, 2013). Retrieved from: https://www.allservice.ro/forum/viewtopic.php?t=2724&sid=36bd813863cfa6bad9c56a69e4df4ea7
[9] Ashley Hernandez, BlackBag, Insights Blog, Apple T2 Chip Systems: Create Decrypted Physical Images With MacQuisition (May 8, 2019). Retrieved from: https://www.blackbagtech.com/blog/apple-t2-chip-decrypted-image/
[10] BlackBag Technologies, MacQuisition 2019 R1.2 (May 30, 2019). Retrieved from: https://www.blackbagtech.com/software-downloads/releaseNotes/mq2019r1_2.pdf
[11] BlackBag Technologies, MacQuisition Quick Start Guide (2020). Retrieved from: https://www.blackbagtech.com/macquisition-quick-start-guide/
[12] Sumuri, Recon Imager (2020). Retrieved from: https://sumuri.com/recon-imager-manual/
[13] Sumuri, YouTube, Recon Imager – Booting up and Interface Overview (Apr 21, 2017). Retrieved from: https://www.youtube.com/watch?v=9H-V4226Gb0
[14] Glenn Fleishman, Macworld, How to encrypt your Mac with FileVault 2, and why you absolutely should (Feb 5, 2015). Retrieved from: https://www.macworld.com/article/2880039/how-to-encrypt-your-mac-with-filevault-2-and-why-you-absolutely-should.html
[15] Der Flounder, T2, FileVault and brute force attack protection (Nov 1, 2018). Retrieved from: https://derflounder.wordpress.com/2018/11/01/t2-filevault-and-brute-force-attack-protection/
[16] CMIzapper, Technology for your Mac repair business, Matt Cards (2020). Retrieved from: http://www.cmizapper.com/products/mattcard.html
[17] GitHub, FileVaultCracker (Oct 17, 2018). Retrieved from: https://github.com/macmade/FileVaultCracker
[18] tinyapps.org, Cracking FileVault 2 (HFS+ or APFS) (May 27, 2019). Retrieved from: https://tinyapps.org/docs/cracking-filevault.html
[19] Sumuri, Recon Imager (2020). Retrieved from: https://sumuri.com/software/recon-imager/
[20] Openwall, John the Ripper password cracker (2020). Retrieved from: https://www.openwall.com/john/
[21] GitHub, hashcat (2020). Retrieved from: https://github.com/hashcat/hashcat
Figure 5. Identifying the target drive name
Figure 6. Salt, Iterat’s and KEK Wrpd values in the apfs-dump-quick output