Cellebrite Digital Collector Will Decrypt Physical Images From Macs With T2 Chip
We’re extremely proud to announce that our Mac forensic tool, Cellebrite Digital Collector, will be the first and only solution to produce a decrypted physical image of Apple’s latest Mac systems utilizing the T2 chip.
This essential imaging functionality will be available in the upcoming Digital Collector 2019 R1 release and the output will be seamlessly ingested for analysis by Cellebrite Inspector 2019 R1.
The logical imaging solutions currently on the market, including functionality offered in the previous version of Cellebrite Digital Collector, and competing solutions like Sumuri’s Recon and OpenText’s EnCase, miss critical file system information that only this new level of physical access will be able to deliver.
Every Mac computer, starting in late 2017, relies on Apple’s T2 security chip to offer hardware-assisted encryption for data stored on the system. Apple’s T2 encryption methodology is unique to each Mac, and critical data can only be decrypted using the keys stored in that system’s T2 chip.
Although it is infeasible to extract the encryption keys from the T2 chip at the moment, Cellebrite has built the only solution that works with the chip to decrypt the filesystem at collection time, empowering examiners to capture the entire physical blocks that hold vital information and not just logical files.
In addition, unlike other products that need admin credentials just to obtain logical data, Cellebrite BlackBag can do this without the user’s credentials or a recovery key (credentials are only required if the additional security of FileVault protection is also enabled on the system).
Derrick Donnelly, Chief Scientist at BlackBag (A Cellebrite company), and co-founder explains, “Last year we were the first to provide a complete solution for Apple’s APFS, and now we are first again at updating our tools to fully support the latest hardware from Apple. I am so proud and excited that our customers can rely on BlackBag to provide leading solutions to handle the ever-changing complexities introduced by encryption, especially for Mac. ”
As we prepare to release Cellebrite Digital Collector 2019 R1 and Cellebrite Inspector 2019 R1, investigators will be able to gather all the data exactly as it is stored on the file system, not just what is gathered by completing a logical acquisition through other tools.
Director of Research, Dr. Joe Sylve, BlackBag (A Cellebrite company) at further explains, “These physical images will include file system level artifacts, like APFS Snapshots and extended attributes, that can show details unavailable to investigators since this new hardware has been introduced.”
As Microsoft and Apple both continue to update their systems, Cellebrite will continue to deliver investigators the vital tools they need to reveal the truth in both Windows and Mac OS.