Apple T2 Chip Systems: Create Decrypted Physical Images With Cellebrite Digital Collector
Cellebrite is proud to announce the release of the first and only solution to produce a decrypted physical image of the latest Mac systems utilizing the Apple T2 chip in Cellebrite Digital Collector 2019 R1.
Prior logical imaging solutions, including functionality available in the earlier versions of Cellebrite Digital Collector and competing solutions like Sumuri Recon and EnCase, miss critical file system information that only this new level of physical access will be able to provide. To enhance our forensic Mac imaging tool further, we’ve included the following new features:
- Ability to create physical images of Macs with the Apple T2 chip
- Support for imaging APFS Fusion drives
- Capture RAM and targeted collections live on Mojave
- Support added to boot newer hardware
Imaging Devices with the Apple T2 Chips
Starting in 2017, Mac computers have Apple’s T2 security chip providing hardware-assisted encryption for data stored on the system. In these systems, the Apple T2 chip is tightly integrated with the disk controller and contains unique encryption keys. By default, all APFS volumes that contain user data on T2 protected systems are encrypted.
The only way to decrypt the data is to use information embedded in the specific T2 chip that protected that disk, no other T2 chip will work. Currently, it is not possible to extract encryption keys from the T2 chip. If the T2 chip is damaged, data can never be recovered from the drive.
The encryption provided by the T2 chip works in conjunction with FileVault 2. When FileVault 2 is enabled, the Recovery Key or password from any of the user accounts on the system is required at acquisition time to decrypt the data.
Cellebrite Digital Collector 2019 R1 is the only solution that interfaces with the T2 chip to decrypt the filesystem at collection time, providing a decrypted physical image. Since the T2 chip is responsible for all encryption all data must be decrypted during acquisition; it is not possible to decrypt the data at analysis time.
While Cellebrite is in the process of developing a methodology to decrypt unallocated space from T2 systems, that functionality is not yet available. To save time, since the unallocated space cannot be decrypted, there is an option to skip imaging unallocated space.
When a T2 system is booted or attached in target disk mode, Cellebrite Digital Collector identifies the disk controlled by the T2 device with the label APFS Container (T2).
Learn more about Cellebrite Digital Collector.