
Overview of Mac system security and its impact on digital forensics process

D. Sladović 1, D. Topolčić 1 and D. Delija 2
1 INsig2 d.o.o., Zagreb, Croatia
2 Zagreb university of applied science, Zagreb, Croatia
[email protected], [email protected], [email protected]

Abstract - Nowadays there are 3 main operating systems in use, and Mac OS is one of them. Apple has so far published many iterations of its operating system and with them introduced many new features related to system security. Even though security-related changes often go unnoticed, in the world of digital forensics they present a challenge. Today encryption can be implemented on both the hardware and the software level, which can make imaging Mac OS difficult. Besides, security that is meant to protect user data is also used by criminals to restrict access to their computers. This paper will focus on the differences and problems that occur while creating a forensic image and extracting data from Mac OS. On top of that, this paper will depict the impact that devices equipped with the “T1” or “T2” security chip have on the digital forensic process, and remediation methods.

Keywords - Mac OS forensics; forensic image; data extraction; T1; T2; encryption

I. INTRODUCTION

Through this paper, the reader will be introduced to the field of Mac OS forensics and the problems that a forensic investigator can encounter. Another focal point will be the comparison of Apple’s “T1” and “T2” security chips, their features and benefits for the users, but also what impediments an investigator can encounter while analyzing devices having these chips. The next part will show what the investigator must do if he encounters an unlocked “Apple” device to preserve as much digital evidence as possible. A few software solutions will be tested to see what their limitations are regarding the bypassing of Apple’s security features and what an investigator can do to recover or image a disk if an Apple device (i.e. a Macintosh notebook) is protected or locked in different ways. Finally, this paper will be summed up with a conclusion according to the research and testing of available tools.

II. MAC OS FORENSICS

Digital forensics investigators traditionally deal with Windows machines, but since the increase of Apple’s popularity their devices can be seen everywhere, from regular users and enthusiasts to corporate use for music production, photography, video editing, web development, and many more. These are the reasons why every investigator today must have the core skills to analyze Apple devices, or at least be knowledgeable on how to do the triage. A forensic investigator will have to follow a protocol during the examination and acquisition process because every operating system is different, artifacts are located in different locations on the hard drive, and all these various artifacts can be useful during an investigation [1]. Important groups of forensic artifacts found on Mac OS are:

• System artifacts – consist of records related to the system configuration, OS version, Time zone, Language, MAC address, Start-Up folders, etc.

• User Profile – records related to user settings, Keychain, Recent folders, DOCK (persistent apps), Safari browsing history, Apple Mail, USB devices

• Logs – System logs, Network logs, User logs, etc.

Some important steps before seizing or acquiring data from Mac OS devices are:

• get the administrator's/user's or firmware password, FileVault password, recovery key, iCloud credentials, Apple ID and password (if possible) in case the device is locked - in some cases that will be the only possible way to create a disk image;

• know how to analyze and acquire data from the Hierarchical File System (HFS+) and the Apple File System (APFS);

• find out what the allocation block size is, because if the block sizes of source and destination are not identical the data won’t be copied properly, which is the main reason for errors appearing during the acquisition (destination drives for the acquisition must be block size aware);

• if FileVault is enabled, create a logical image of the disk while the machine is unlocked and powered on;

• know how to recognize a Fusion Drive, because if both disks are not retrieved and imaged the data will not be recovered;

• know how to recognize the use of RAID, because if not all disks from the RAID are found the data can’t be recovered;

• recover the original charger of the device;

• if the device is unlocked or turned on, remember to turn off “Secure Boot” and enable booting from external devices on devices that have T2 chips [1,2,3].
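The checklist above can be turned into an automated triage step before the first byte is copied. The following Python script is an added example, not code from the paper or from any tool it cites: it parses constructed, diskutil-info-style key/value output for the source device and the destination drive (the field names “Device Block Size”, “Fusion Drive”, “RAID Master” and “FileVault” are assumptions modelled on the layout of `diskutil info`) and flags the conditions the list warns about: mismatched allocation block sizes, a Fusion Drive or RAID member, and a locked or unlocked FileVault volume.

```python
"""Pre-acquisition triage for a Mac disk, following the Section II checklist.

Added example, not from the paper. Field names such as "Device Block Size",
"Fusion Drive", "RAID Master" and "FileVault" are assumptions modelled on the
layout of `diskutil info` output; the sample captures below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: internal store of a T2 MacBook (source device).
SOURCE_INFO = """\
   Device Identifier:         disk1
   Device Node:               /dev/disk1
   Whole:                     Yes
   Device / Media Name:       APPLE SSD AP0512M
   Protocol:                  Apple Fabric
   Device Block Size:         4096 Bytes
   Content (IOContent):       GUID_partition_scheme
   Fusion Drive:              Yes
   FileVault:                 Yes (Locked)
"""

# Constructed sample: external destination drive for the image.
DEST_INFO = """\
   Device Identifier:         disk4
   Device Node:               /dev/disk4
   Whole:                     Yes
   Device / Media Name:       Forensic Target 4TB
   Protocol:                  USB
   Device Block Size:         512 Bytes
   Content (IOContent):       GUID_partition_scheme
   RAID Master:               No
   FileVault:                 No
"""

_KV = re.compile(r"^\s*(?P<key>[^:]+?):\s+(?P<value>.+?)\s*$")


def parse_diskutil_info(text: str) -> Dict[str, str]:
    """Turn 'Key:   Value' lines into a dict, ignoring lines without a colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


def block_size_bytes(info: Dict[str, str]) -> int:
    """Numeric part of e.g. '4096 Bytes'; 0 when the field is missing."""
    m = re.match(r"\s*(\d+)", info.get("Device Block Size", ""))
    return int(m.group(1)) if m else 0


def is_yes(info: Dict[str, str], key: str) -> bool:
    return info.get(key, "No").strip().lower().startswith("yes")


@dataclass
class TriageReport:
    blocked: List[str] = field(default_factory=list)   # imaging will fail or be incomplete
    warnings: List[str] = field(default_factory=list)  # proceed, but act on these first


def triage(source: Dict[str, str], dest: Dict[str, str]) -> TriageReport:
    """Apply the Section II checks to parsed source/destination info."""
    report = TriageReport()
    src_bs, dst_bs = block_size_bytes(source), block_size_bytes(dest)
    # Mismatched allocation block sizes corrupt the copy (Section II).
    if src_bs and dst_bs and src_bs != dst_bs:
        report.blocked.append(
            f"block size mismatch: source {src_bs} B, destination {dst_bs} B; "
            "use a block-size-aware destination")
    # A Fusion Drive spans two physical disks; image the APFS container.
    if is_yes(source, "Fusion Drive"):
        report.warnings.append("Fusion Drive: image the APFS container so both member disks are captured")
    # RAID data is unrecoverable unless every member disk is found.
    if is_yes(source, "RAID Master") or is_yes(source, "RAID Member"):
        report.warnings.append("RAID: locate and image every member disk")
    fv = source.get("FileVault", "No").lower()
    if fv.startswith("yes"):
        if "unlocked" in fv:
            report.warnings.append("FileVault unlocked: take a logical image now, before shutdown")
        else:
            report.blocked.append("FileVault locked: obtain the password or recovery key before imaging")
    return report


def run_sample() -> TriageReport:
    """Run the checks over the constructed source and destination captures."""
    return triage(parse_diskutil_info(SOURCE_INFO), parse_diskutil_info(DEST_INFO))


if __name__ == "__main__":
    r = run_sample()
    for line in r.blocked:
        print("BLOCKED:", line)
    for line in r.warnings:
        print("WARNING:", line)
```

On a live system the two text blocks would be replaced by the output of `diskutil info` for the source and destination identifiers.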

III. MAC OS SECURITY

From a forensic standpoint, Apple has built its reputation around its encryption standard, which can obstruct a forensic investigation. Apple devices are very powerful when it comes to destroying data or making it unrecoverable. This is because on the newer machines encryption is turned on from the start because of the T2 chip. Another point regarding the Mac OS encryption (FileVault) is that in case of remote wiping only the decryption keys are deleted, which leaves all the data scrambled and unrecoverable.

MIPRO 2020/ISS 1493

A. T1 security chip

The Apple T1 chip, model number “APL1023”, is an ARMv7 System on a Chip (SoC) that was introduced in 2016, and its main purpose was to handle the processing for the “Touch ID” sensor in the first MacBook Pro that was equipped with the Touch Bar. As previously mentioned, the T1 chip is based on a 32-bit ARMv7 SoC from Apple which is running the “bridgeOS” variant of “watchOS”. The T1 chip was also used to lock sensitive components like the built-in microphones and cameras. It was also used for the “System Management Controller” (SMC), which is responsible for heat and power management, battery charging and the sleep and wake-up functionality of the Mac OS. T1 is also used to check if MacOS is running on genuine Apple hardware.

T1 has a built-in “Secure Enclave” that stores the user’s fingerprint or “Touch ID”. It also protects security keys against malware attacks because it is designed to prevent brute force attacks on the chip and its secure enclave [4].

B. T2 security chip

The Apple T2 chip, model number “APL1027”, was introduced in October 2018. The T2 chip is made to act as a co-processor; it is based on the Apple A10 processor, a 64-bit ARMv8 processor that can be found in the iPhone 7 and 7 Plus. The difference between the A10 and T2 processors is that the T2 has only one T801x core. This processor, like the T1, has a separate Secure Enclave Processor (SEP). The T2 processor is used to implement the “Secure Boot” feature. Since the T2 chip has better performance than the T1 chip, it also handles more tasks, such as early boot tasks. It secures data storage at rest: it encrypts data on the SSD using dedicated AES hardware with a 256-bit key tied to a unique identifier in the chip itself, which does not affect the SSD’s performance. To make the data on the Mac OS more secure in cases when the attacker has physical access to the machine, Apple placed the T2 security chip between the CPU and the storage; the CPU no longer has direct access to the data through the PCIe/NVMe path, which ultimately makes imaging the disks harder for forensic investigators. Flash storage is placed on an isolated bus, and the user data can only be accessed by the “Direct Memory Access” (DMA) crypto engine [4]. Because of the T2 chip's encryption and physical placement, when “FileVault” is enabled the encryption is done fast and by the T2 chip, enabling the user to use the Mac OS normally during the encryption process. The decryption key is a combination of the Macintosh’s unique hardware ID and the user-provided passphrase, which adds another layer of encryption on top of the regular T2 chip encryption.

Additional features of the T2 chip are:

• encryption is on by default;

• it prevents booting from an external device unless the security options are changed (changing security options requires the administrator password);

• the live-boot drive cannot be imaged;

• a Macintosh with a T2 chip can be booted into “Target disk mode” and connected to another Macintosh computer that is booted to acquisition software (MacQuisition, Recon Imager);

• a Macintosh with a T2 chip can be imaged by selecting the physical drive or the APFS container;

• if FileVault is off, the T2 Macintosh logical data can be browsed through.

In case of repairs, the Mac OS goes through a hardware check to ensure genuine parts have been used for replacement [5].

C. Firmware password

The firmware password is a type of hardware-level security that prevents people from resetting the user’s password or reinstalling OS X without authenticating themselves first. Ultimately this means that digital forensic investigators will not be able to access any features that will allow them to boot from external bootable media and create a disk image of the Mac OS.

Features that are protected by the firmware password:

• blocks the function to start up from an optical disk (the “C” key);

• blocks the function to start up from the diagnostic volume of the install DVD (the “D” key);

• blocks the function to start up from a NetBoot server (the “N” key);

• blocks the function to start up in Target Disk Mode (only for machines that offer this feature), the so-called “T” key;

• blocks the function to start in Verbose mode (activated by pressing the “Command+V” keys during startup);

• blocks the function to start in single-user mode (Command+S);

• blocks the reset of Parameter RAM (PRAM), which is accessed using the Command+Option+P+R key combination;

• a password is required to execute commands in Open Firmware mode (this mode is entered with the Command+Option+O+F key combination);

• blocks the Safe Boot mode function by prompting for a password (the mode is accessed by pressing the “Option” key during startup) [6].

The firmware password makes the process of disk imaging even harder for the examiner. In cases where the firmware password cannot be obtained from the suspect, it can be impossible for even the most skilled forensic investigator to image the suspect's Macintosh computer. This is because Mac OS will not allow a boot from any device other than the one containing the OS, even with “Secure boot” and “External boot” protection turned off.

The BIOS chip that contains the firmware password can in some cases be replaced with another chip that is specifically programmed to work on the machine. It is also possible to remove the password using a method called “SPEG programming”, which allows the programmer to remove the password from the BIOS chip without desoldering it. But these two methods are not forensically sound because, in both cases, the Mac OS is reset to its factory settings and all data is lost [8].

Another method of possibly removing or bypassing the firmware password is by using the “Matt Card” to bypass the built-in EFI ROM permanently. The “Matt Card” is an alternative to removing and exchanging the EFI ROM chip with a preprogrammed one. This “card” can be plugged into a connector on the motherboard and, as long as it is connected, the firmware password will not be needed. To use the “Matt Card” the investigator must turn off the Macintosh computer, plug in the correct “Matt Card” for the motherboard in the locked Macintosh computer and power on the computer. This hardware is used by Macintosh repair businesses to gain access to Macintosh devices but can be in some cases useful while imaging the devices [16].

D. Secure Enclave

As mentioned earlier, the Secure Enclave is a hardware-based key manager that is isolated from the main CPU, which creates an additional security layer. The “Secure Enclave” contains the keychain decryption key and can be accessed only by authorized applications. The benefit of using the “Secure Enclave” is that, after the user stores a private key in the “Secure Enclave”, the handling of the key is done only by the “Secure Enclave”, which ultimately makes it hard for a key to become compromised. When application operations are handled by the “Secure Enclave”, the user receives only the operation outputs, such as the cryptographic signature verification outcome or encrypted data. The only downside of this whole process is that, to use the “Secure Enclave” to handle these operations, the stored passwords have to be decrypted and saved in plain text to the system memory.

The benefits of the “Secure Enclave” are balanced by a few restrictions. The “Secure Enclave”:

• is a hardware feature of the A7 series processor. It is only supported by iOS devices that have the A-series processor and Macintosh computers equipped with the Touch Bar required for the Touch ID feature;

• stores only 256-bit elliptic curve private keys, which can be used to create and verify cryptographic signatures or for elliptic curve Diffie-Hellman key exchange;

• cannot import preexisting keys. The keys used by the “Secure Enclave” must be created inside it. This is the fundamental principle that makes the “Secure Enclave” secure from attacks.

This is another example of how the Apple security features make a locked Macintosh computer hard to investigate or to retrieve evidence from, especially when the subject of the investigation requires authentication or decryption keys [7].

E. FileVault

FileVault is a disk encryption program available for Mac OS X 10.3 and later. It performs on-the-fly encryption on volumes of a Macintosh computer. When FileVault was first introduced, it only encrypted the user's “Home” directory, but it had a lot of implementation problems and also a lot of bugs. It was fully redesigned and published in 2011 with macOS X 10.7 (“Lion”). FileVault 2 was introduced with full-disk encryption (FDE) functionality, and when it is enabled the entire contents of a drive become encrypted. In case of shutdown, all data becomes unrecoverable until the password is entered again. FileVault 2 made it possible to remotely wipe the disk in case of laptop loss. That is possible because FileVault 2 relies on the encryption key and, when a user wipes the drive secured with FileVault 2, it erases the key and makes all the data unobtainable for anyone. Another interesting fact about FileVault 2 is that even if the Macintosh machine is run in “Guest mode” it can remotely wipe the machine in case of theft or loss [14].

Apple Macintosh devices equipped with T2 chips have an additional security feature inherited from iOS devices - the delay after a specific number of incorrectly entered passwords. Similar to iOS, in which the device gets disabled after 9 attempts at entering the password, the Macintosh machines have a maximum of 30 attempts at entering the user password, with the delays specified in Figure 1. If a user or investigator uses up 30 attempts to log in without success, then rebooting the Macintosh computer into Mac OS Recovery grants 10 more attempts to log in. If that is not sufficient, then the user or investigator has 30 attempts per each additional method of decryption, which are: iCloud recovery, FileVault recovery key, institutional key. When all the attempts are exhausted, the “Secure Enclave” will no longer process any decryption attempts for the volume, and the volume remains useless or unrecoverable and can only be erased to allow a clean system to be installed on it. Using this method Apple is making brute force attacks useless [15].

IV. IMAGING MAC COMPUTERS

Imaging a Macintosh computer is, as in all branches of digital forensics, a very important step. Unlike the Windows machines that everybody is used to imaging, Mac OS can present a greater challenge to the forensic investigator. That is because of all the security features that these machines are equipped with, such as secure boot, external boot, user and firmware password. Because of all these security measures, the best-case scenario for a forensic investigator is to find a powered-on and unlocked Macintosh computer. The investigator will then have access to all, or most of, the data on the machine. For example, the newest Macintosh computers give the investigator a chance to image the hard drives, but without the user’s password the “Physical memory” or RAM can’t be imaged even using specialized tools such as “MacQuisition”. Today all Mac OS users are required by the OS to secure their computers with a password. On top of that, systems newer than Mac OS version 10.7 do not allow automatic login by default, which makes it harder to acquire a forensic image of a machine. Since the release of macOS 10.14 Mojave, Apple has implemented Fusion Drives for the APFS file system. This functionality can combine two different drives, such as SSDs and HDDs that have a different capacity (SSD 128GB, 1,2,3 GB HDD), combining their capacity. The important fact about the “Fusion Drive” is that it creates a separate virtual disk, a so-called “APFS Container” (shown in Figure 2), with the combined capacity of both the married disks. The important fact to remember regarding the imaging of these drives is that the forensic investigator must choose to image the container as the source disk and use the AFF4 image format [10].

Figure 1. Macintosh delays between password attempts [15]

A. MacQuisition disk imaging

MacQuisition [10] is a forensic acquisition and imaging software that supports many Mac OS versions; it also has the functionality to image “Physical memory” or RAM from a live machine. It is capable of running within the OS X boot environment. MacQuisition is also the first forensic tool capable of creating a physical image of a Macintosh equipped with the Apple T2 chip. MacQuisition supports booting in a forensically safe environment, can acquire data from over 185 different Macintosh computer models in the native environment, and can even image “Fusion Drives” [11].

During testing, MacQuisition proved to be an excellent tool to image a powered-off or live Mac machine. During a live acquisition (when the Mac OS is unlocked) MacQuisition first prompts for the user password. After entering the password MacQuisition instantly detects that full disk encryption is enabled and lists the encrypted drives (as in Figure 3), which is a good reminder for the investigator to create a logical image of the drives while they are unlocked. A RAM dump can also be created, but only in case the investigator knows the user password, and MacQuisition can only do a logical image of the live machine; even though BlackBag states that they can create a physical image of a T2-equipped Macintosh, it is only possible to do so while the machine is shut down. That is because the T2 chip is used for real-time decryption by the operating system.

If performing a postmortem acquisition, the investigator must know at least the user password to be able to image the drives. The drives on T2-equipped Macintosh computers are encrypted by default. Also, if FileVault 2 is enabled the disk can be imaged, but the investigator has to provide the FileVault password, recovery key, or the keychain file of the Mac OS to decrypt and image the disk. The encrypted disk can then be imaged. Using MacQuisition the investigator can make a logical or physical copy of the suspect's disk. In another scenario, in which the Macintosh has “Secure Boot” enabled, the investigator will not be able to boot any forensic software due to “Secure Boot” and will be prompted to restart into macOS X or to access the recovery mode using the key combination “Command+R” to disable the “Secure Boot” and “External Boot” options. To successfully boot the machine using forensic software, the investigator will have to know the user password that protects the “Startup Security Utility” and disable all the security features in it.

B. Recon Imager data acquisition

Recon Imager [19] is another commercial forensic tool made to image Mac OS. It is a bootable imaging utility that supports all modern Intel-based Apple computers, including the newest Macintosh computers. Recon Imager is based on a Mac OS environment modified to be forensically sound, and it ensures write protection for internal and external media. Like MacQuisition, Recon Imager also has the functionality to identify Apple File System (APFS) containers and disk volumes, FileVault, Fusion Drives and Core Storage volumes. Recon Imager has 3 different versions or modes that provide support for Macintosh computers with different hardware. Another functionality of Recon Imager is the possibility of imaging RAM without the need to type in the user or administrator password. The image of RAM will only contain residual data from previous sessions because the RAM imaging functionality is accessed from the boot environment, and the amount of data left in the RAM can differ depending on the size of available memory and the software that was run on the machine [12, 13].

V. RECOVERING DATA FROM FILEVAULT

As mentioned earlier, to recover a user’s data from an encrypted FileVault disk the best-case scenario is to have the user’s password. The password can be recovered during the interview with the user or suspect, or by finding it written down somewhere. The investigator then has everything needed to gain access to the user’s data. If the password could not be acquired, the next step is to search for the recovery key, which enables the investigator to decrypt the disk using recovery mode, accessed by pressing and holding the “Command+R” keys. Another option is to recover the key from the iCloud backup and decrypt the drive. The next scenario would be to use the keychain from the suspect’s Mac OS and decrypt the drive with it. If the locked Macintosh is part of a company network which has a group policy set to enable FileVault by default, it is very likely that the system administrator has set the policy to save all the passwords centrally. This means that the administrator can potentially provide the password to unlock the Mac, with the assumption that he is not involved in the crime. The last solution would be to look for another user with an “Administrator” account that has a known password, or an easier way would be to guess the password using the user's hint. All the passwords can be changed from the “Users & Groups” settings, and using this method the suspect's account can be unlocked. This method can be used for cases that take place in a company; a less likely scenario would include cases where private people are involved. If the investigator cannot use any of the previously mentioned methods, he will be forced to recover the password using different recovery methods - brute force attack, dictionary attack, etc. The biggest problem with recovering the key in all brute force attacks is that it takes too long, even with a high-end computer.

Figure 2. Recognizing and imaging a “Fusion Disk” [9]

Figure 3. MacQuisition Full Disk Encryption detection

A. FileVault Cracker

The first tool to try recovering the FileVault password with would be “FileVault Cracker”, which is an open-source tool made to recover the encrypted drive password using a dictionary attack. This tool was developed as a private project and it is not finished, which means that some bugs or errors can occur during use. It can be used to recover passwords from “CoreStorage” drives using the HFS+ file system. The software is available on GitHub [17], written by the user “mac made”. It is an XCode project that must be compiled or published to work. The software has a simple and intuitive user interface (Figure 4), and the only thing that is required from the user is to enter the encrypted drive's UUID. FileVault Cracker already has a dictionary file in it, which the user can change easily using the user interface. Additional settings are to generate case variants for words up to 20 characters, to generate common derivations for words up to 20 characters, and to choose the number of threads the software will use while recovering the password.

B. John the Ripper and Hashcat

The tools John the Ripper and Hashcat can also be used to recover FileVault 2 passwords. This chapter will briefly explain how to recover a FileVault 2 password on “HFS+” and “APFS” file systems.

To start the recovery of a FileVault 2 password on the “HFS+” file system some requirements have to be fulfilled:

• this will work for target systems on a MacBook Air running macOS v10.12.6;

• the attacker machine has to be an iMac running Mac OS 10.14.2;

• the investigator must download and compile “fvde2john” and “Hashcat” on the iMac.

The next step in this process is to run the MacBook Air in “Target Disk Mode” (this means that the Macintosh device is working as an external drive); the target device must be connected to the iMac machine via Thunderbolt, FireWire, or USB. When the two machines are connected, the investigator can run the command “diskutil list” on the iMac to see all available disks. After the investigator has found the target disk (which is marked as external), the next step is to identify the “Apple_Boot Recovery HD” drive. Then the “Recovery HD” drive must be mounted using “diskutil mount /dev/disk_s_”. The name of the disk can be found in the “IDENTIFIER” column. The next command to run is “find /Volumes/Recovery\ HD -name Encry*” to find the file containing the string “Encry” in its name. To obtain the hash of the encrypted volume the next command must be executed: “sudo ./fvdetools/fvdeinfo -e /Volumes/Recovery\ HD/com.apple.boot.S/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -p don't-know /dev/disk2s2”. The MacBook can then be unmounted and “hashcat” run using the next command, “./hashcat/hashcat -a 0 -m 16700 -o found.txt hash.txt wordlist.txt”, which will recover the decryption password. The recovery process duration can vary depending on the simplicity and length of the password and the encryption algorithm [18].

The following lines explain how a FileVault 2 password is recovered from an APFS file system. This process can be used on a MacBook Pro running macOS v10.14.2, which will also be the target machine. For this method of password recovery, the attacking machine is running Ubuntu 19.04. For the process to succeed, “apfs-fuse” must be installed; it is a read-only driver for interpreting data on, and recognizing, disks that use the APFS file system. After the “apfs-fuse” driver has been installed successfully, which is indicated by the message “[100%] Built target apfs-fuse” in the Ubuntu “terminal”, the next step is to put the source (the suspect’s machine) into “Target Disk Mode” and connect it to the Ubuntu machine. Using the Ubuntu “terminal”, the investigator must determine which disk name belongs to the encrypted drive; the correct drive is identified with the command “cat /proc/partitions”. The output of the terminal will look like Figure 5. When the name of the encrypted drive has been determined, the investigator is ready to acquire the encrypted disk’s hash value. The hash value is generated with the command “sudo ./apfs-dump-quick /dev/sdb log.txt”, in which “sdb” represents the name of the encrypted disk. The values used to create the hash can be found next to the identifiers “Salt”, “Iterat’s” and “KEK Wrpd”; they will look similar to Figure 6. To arrange the hash so that “hashcat” recognizes it, the values next to these identifiers are appended, in that order, to the prefix “$fvde$2$16$”, with a “$” sign between each value (Salt, Iterat’s, KEK Wrpd) connecting them into a hash value. When the hash has been created, recovery of the password using “hashcat” can be started. If “hashcat” is not installed on the Ubuntu machine, the first step is to install it. The command “hashcat -a 0 -m 18300 -o found.txt hash.txt wordlist.txt” starts the password recovery. This particular command uses hashcat’s dictionary attack to recover the FileVault 2 password from an APFS drive [18].

Figure 4. FileVault Cracker
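The hash-assembly step just described, as an added example that is not part of the paper, apfs-fuse or hashcat: it parses the “Salt”, “Iterat’s” and “KEK Wrpd” lines from a constructed apfs-dump-quick-style dump into the “$fvde$2$16$…” line that hashcat mode 18300 expects, and adds a work-factor estimate behind the conclusion’s remark that long passwords cannot be brute-forced. The column layout of the dump, the 40-byte wrapped-KEK length check and the HMAC rate are assumptions.

```python
"""Assemble a hashcat-format FileVault 2 (APFS) hash line and estimate brute-force cost."""
import re

# Constructed sample of an apfs-dump-quick key bag dump; not from a real volume. The field
# labels "Iterat's", "Salt" and "KEK Wrpd" follow the paper; the column layout is assumed.
SAMPLE_DUMP = """\
Keybag entry (password-protected KEK)
UUID     : 5d2e0b9f-f0b4-4a9f-9d14-a7fd5a0456f6
Iterat's : 100000
Salt     : 58778104701476eaaa1a7a1b8d1f5a02
KEK Wrpd : 39602e86b7cea4a42f4a32e7b9d87d0a3c6f0e5d2b1a6c9f0b9a8e7d6c5b4a3f2e1d0c9b8a7f6e5d
"""

FIELD_RE = re.compile(r"^\s*(Salt|Iterat's|KEK Wrpd)\s*:\s*(\S[^\n]*?)\s*$", re.MULTILINE)
SALT_BYTES = 16          # FileVault 2 PBKDF2 salt
WRAPPED_KEK_BYTES = 40   # assumed: 32-byte APFS KEK plus the 8-byte AES key-wrap block


def build_fvde2_hash(dump: str) -> str:
    """Return "$fvde$2$16$<salt>$<iterations>$<wrapped KEK>" (hashcat mode 18300)."""
    fields = {m.group(1): m.group(2).replace(" ", "").lower() for m in FIELD_RE.finditer(dump)}
    missing = {"Salt", "Iterat's", "KEK Wrpd"} - fields.keys()
    if missing:
        raise ValueError(f"dump lacks fields: {sorted(missing)}")
    salt, kek = fields["Salt"], fields["KEK Wrpd"]
    iterations = int(fields["Iterat's"])
    # bytes.fromhex rejects non-hex input; the length checks catch truncated copy-paste.
    if len(bytes.fromhex(salt)) != SALT_BYTES:
        raise ValueError("salt must be 16 bytes")
    if len(bytes.fromhex(kek)) != WRAPPED_KEK_BYTES:
        raise ValueError("wrapped KEK must be 40 bytes")
    if iterations <= 0:
        raise ValueError("iteration count must be positive")
    # The paper's layout: the three values after "$fvde$2$16$", joined with "$".
    return f"$fvde$2$16${salt}${iterations}${kek}"


def brute_force_years(iterations: int, alphabet: int, length: int,
                      hmac_per_second: float = 1e10) -> float:
    """Worst-case years to try every password of `length` symbols over an alphabet of
    `alphabet` symbols. Each guess costs `iterations` HMAC-SHA256 rounds (PBKDF2); the
    1e10 HMAC/s default is an assumed order of magnitude for a GPU rig, not a benchmark."""
    guesses = alphabet ** length
    return guesses * iterations / hmac_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    line = build_fvde2_hash(SAMPLE_DUMP)
    print(line)
    iters = int(line.split("$")[5])
    for n in (8, 10, 12):
        print(f"{n} printable-ASCII chars: {brute_force_years(iters, 95, n):.3g} years")
```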

VI. CONCLUSION

Through this paper, most of the issues and impediments that the investigator has to overcome have been covered. The whole process of bypassing the security system only allows the investigator to acquire or image a Mac OS drive. The T1 and T2 security chips and their functionality have been covered. Because these security upgrades have made it harder for investigators to deal with Apple, and specifically Macintosh, devices, all of this information leads to the conclusion that the best and easiest way of acquiring data is when the Apple device is found turned on and unlocked. As shown in one of the examples, even when the Mac OS is unlocked, the physical memory cannot be imaged without entering the user’s password, which in the world of Windows forensics is an almost trivial task. Recovering FileVault 2 passwords is a difficult task in itself, even on older Macintosh machines that do not have the T2 security chip. It is well known in the forensic community that a password longer than 10 characters is impossible to recover using brute-force attacks, and the use of uppercase, lowercase and special characters in passwords makes recovery exponentially more difficult. The T2 security chip plays a big role in the security of Apple devices and in digital forensics, mostly because of the security features that prevent the acquisition of disks on Apple machines. The biggest problem for forensic investigators is the placement of the T2 chip: it sits between the CPU and the disk on a secure bus, which makes it impossible to acquire and decrypt data without using the T2 chip for decryption. All in all, Apple’s security and encryption is getting stronger with every new iteration, and even now there are only a few solutions that can recover data from encrypted Apple devices, which makes the forensic investigation of such devices impossible for an investigator who does not know how to use these solutions.

VII. REFERENCES

[1] Niranjan Reddy, Mac OS Forensics, Practical Cyber Forensics, Apress, Berkeley, CA, pp. 101-132, July 16, 2019.
[2] Sarah Edwards, SANS: Mac and iOS Forensic Analysis and Incident Response (2020). Retrieved from: https://www.sans.org/course/mac-and-ios-forensic-analysis-and-incident-response
[3] Kevin J. Ripa, Computer Evidence Recovery, Forensic Acquisition of Mac Computers (Mar 8, 2016). Retrieved from: http://www.computerpi.com/forensic-acquisition-of-mac-computers/
[4] Pepijn Bruienne, Duo Security, Apple iMac Pro and Secure Storage (May 2, 2018). Retrieved from: https://duo.com/blog/apple-imac-pro-and-secure-storage
[5] John Martellaro, The Mac Observer, How Apple’s T2 Security Chip Affects Your Disk Storage (Jan 10, 2019). Retrieved from: https://www.macobserver.com/tips/deep-dive/apple-t2-security-chip-disk-storage/
[6] Forensic Focus, MacBook Air firmware password (Jun 23, 2014). Retrieved from: https://www.forensicfocus.com/Forums/viewtopic/t=11911/
[7] Apple Developer, Storing Keys in the Secure Enclave (2020). Retrieved from: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
[8] ALLservice, Service Forum, Unlocking firmware, PIN & iCloud. Apple iMac, MacBook (Apr 09, 2013). Retrieved from: https://www.allservice.ro/forum/viewtopic.php?t=2724&sid=36bd813863cfa6bad9c56a69e4df4ea7
[9] Ashley Hernandez, BlackBag, Insights Blog, Apple T2 Chip Systems: Create Decrypted Physical Images With MacQuisition (May 08, 2019). Retrieved from: https://www.blackbagtech.com/blog/apple-t2-chip-decrypted-image/
[10] BlackBag Technologies, MacQuisition 2019 R1.2 (May 30, 2019). Retrieved from: https://www.blackbagtech.com/software-downloads/releaseNotes/mq2019r1_2.pdf
[11] BlackBag Technologies, MacQuisition Quick Start Guide (2020). Retrieved from: https://www.blackbagtech.com/macquisition-quick-start-guide/
[12] Sumuri, Recon Imager (2020). Retrieved from: https://sumuri.com/recon-imager-manual/
[13] Sumuri, YouTube, Recon Imager – Booting up and Interface Overview (Apr 21, 2017). Retrieved from: https://www.youtube.com/watch?v=9H-V4226Gb0
[14] Glenn Fleishman, Macworld, How to encrypt your Mac with FileVault 2, and why you absolutely should (Feb 5, 2015). Retrieved from: https://www.macworld.com/article/2880039/how-to-encrypt-your-mac-with-filevault-2-and-why-you-absolutely-should.html
[15] Der Flounder, T2, FileVault and brute force attack protection (Nov 01, 2018). Retrieved from: https://derflounder.wordpress.com/2018/11/01/t2-filevault-and-brute-force-attack-protection/
[16] CMIzapper, Technology for your Mac repair business, Matt Cards (2020). Retrieved from: http://www.cmizapper.com/products/mattcard.html
[17] GitHub, FileVaultCracker (Oct 17, 2018). Retrieved from: https://github.com/macmade/FileVaultCracker
[18] tinyapps.org, Cracking FileVault 2 (HFS+ or APFS) (May 27, 2019). Retrieved from: https://tinyapps.org/docs/cracking-filevault.html
[19] Sumuri, Recon Imager (2020). Retrieved from: https://sumuri.com/software/recon-imager/
[20] Openwall, John the Ripper password cracker (2020). Retrieved from: https://www.openwall.com/john/
[21] GitHub, hashcat (2020). Retrieved from: https://github.com/hashcat/hashcat

Figure 5. Identifying the target drive name

Figure 6. Identifying the target drive name


1498 MIPRO 2020/ISS