
Digital Forensics—Understanding the Nuances of Acquiring Computer Data
As little as 10 years ago, the overwhelming majority of digital crimes were committed via laptop or desktop computers. Today, it’s a different story. Cell phones and their advanced encryption are becoming the tool of choice for bad actors.
That said, it’s still vital for digital forensic investigators to know how to access data from computers; particularly because much of the data for applications is created on computers. And when investigating certain criminal activities, such as crimes against children, computers are still frequently used by suspects due to their vast storage capacities.
The Journey to Where We Are Today
As 30-year forensic expert and Cellebrite VP of Engineering, Enterprise Solutions Drew Fahey notes, accessing information from computers in the early days of digital forensics was easy. Encryption was not yet widespread and the common practice was to simply pull the plug and conduct “dead box” forensics. You literally pulled the hard drive out, stuck it in a duplicator or imager, and you’d get an exact copy of what was on the drive. From there, it was easy to throw that copy into the software product of your choice for analyzing and you would have your data.
The digital forensic landscape changes quickly, however, and as time went on, computers became much more complicated.
Apple began transitioning to Intel chips in all of its designs, which made it more difficult to acquire a Mac. T2 chips were introduced with encryption so you could image the hard drive, but if you didn’t decrypt it on the fly, you’d be left with an encrypted image that you could try to break with software, but it would be very difficult. So digital investigators needed to refine their skills and devise ways to work around this.
Today, Apple has made accessing data from its computers even more difficult by incorporating T2 technology into the M-series computers. Adding to this is the release of its new APFS file system, which does not allow external boot media. In short, whether it’s a computer or a cell phone, Apple does not want anyone other than the owner accessing data on its devices. So how can investigators get the information they need to solve crimes?
Two Ways to Access Apple Datasets
When collecting data from Apple laptops, investigators have two options: live collection or traditional “dead box” forensics collection where you turn the system off, boot it into a secure environment and collect the data. Here’s how these two options work.
Live collection: If you’re in a live environment, you don’t need the admin-level password. If the system is up and running, you can collect logically whatever you need, in terms of specific files and folders.
Dead box: If the system is live but you’re not logged into a user’s profile or an admin profile, there’s not much you can collect. In this instance, you could turn the system off and reboot it, hoping the computer will be in a state that allows booting from external devices.
If it has FileVault enabled, however, you will need to decrypt it then and there on that system because the cryptography is built into the T2 or M-series chip. To gain access, you will need to have either the admin-level credentials or the file credentials for the user.
There is one other option if none of the above solutions work. In the past, you could put an Intel system into “target disk mode.” That system would then act as an external drive and you could access the files.
M-series computers don’t really have a target disk mode. You can still do it, but you have to go through the recovery boot process and basically put the computer into “share mode.”
So you’re going through all this recovery, putting the computer into a share mode and you can access it. In essence, it’s like an SMB share over the network and you can grab files that way as well. If this fails, then you need to think more creatively.
Getting a subpoena to access Apple data is difficult, so if you can’t get the data off the computer, can you get it from the owner’s iPhone or their cloud account? The data’s there, you just need to find a way to access it.
Solving the Data Recovery Challenge on the Windows Side
The good news for investigators working on Windows-driven computers is that NTFS hasn’t changed much over the years – plus, most of the world’s market still runs on Windows. What’s important to understand is that there’s a symbiotic relationship between the operating system, the hardware and the file system. When you’re dealing with computers, there are a lot of file systems you have to understand, and each one has its own nuances.
For instance, TPM (trusted platform module) actually came out in 2003. The TPM chip works much like the Mac approach, with BitLocker relying on it to hold the security keys that decrypt any of the data that’s encrypted. If you can gain access to the system, you can decrypt it. If the data is not protected or encrypted, then you can do your standard collection through Windows.
In the past, hard drives could be physically removed for data collection. But today, laptops dominate and their flash-based drives are soldered onto the motherboard, making them nearly impossible to remove. To gather forensic evidence, you need to boot that system into a forensically-sound environment to collect the data. And it’s far easier to do this on Windows than Mac. Either way, you’re going to have to have some sort of credentialing, whether that’s the user’s credentials, admin-level credentials or some other sort of key.
When out in the field, many investigators wonder whether it’s even worth grabbing old computers. The answer is: Grab them! Why? Because it is far easier to gather data from older devices that have fewer security blockers. Passwords you discover on these old devices may also allow you to access newer devices, since people tend to reuse the same passwords across multiple devices over the years.
The Superior Tool for Acquiring Computer Data
Every investigator’s toolbox should include Cellebrite Digital Collector since it supports the widest range of Apple and Windows computers and laptops. Formerly called BlackBag MacQuisition, it was rebranded to reflect its powerful ability to support Windows 10 and Windows 11 systems. The latest Apple Silicon M-series chips are supported, along with T2 and nearly all historic Macs dating back to around 2011.
The Challenges of Data
Data analysis also comes with its challenges.
Macs have undergone tremendous changes over the years with many of the innovations aimed at protecting user data. The big question for those investigating Macs is when does your software do the analysis?
Many software systems claim they can analyze Mac data, but it’s important to know whether those systems account for file system case sensitivity, which can impede their ability to interpret data fully and properly.
The most important thing in dealing with Macs is understanding the file systems. APFS, while relatively new, has been around for several years and more people are beginning to understand it.
The big problem depends on what you’re trying to go after. For example, in the eDiscovery realm, there is a great need to understand the native Mac applications. A bigger issue is with things like unified logs.
The way Apple developed unified logs makes it very difficult to extrapolate information because they contain so much data. And if the application doesn’t properly support unified logs, you’re never going to get the full picture from it. This is where a solution like Cellebrite Inspector, formerly BlackBag BlackLight, can help.
Cellebrite Inspector typically runs better on a Mac than it does on Windows, but it is uniquely cross-platform, the only solution like this in the industry. There are some programmatic differences, but technically there is no reason why you can’t analyze a Mac on Windows.
Anything that tells you the truth about the system, essentially journaling what is happening on it while activity occurs, is enormously important in forensics. This is why it’s critical to go back and double check your work and your tool. That way, if you’re called to testify in a case, you can’t be accused of doing only part of your due diligence, which can lead to problems making the case stick.
What makes analysis particularly difficult is that, depending on the file system or operating system you’re dealing with, there’s a different epoch, or start time, for that system. For some unknown reason, Apple engineers like to record multiple epochs in the same database and even the same table.
So, when you’re extracting data and examining it, you may find yourself asking: Wait a minute, this timestamp doesn’t make any sense. This is when you need to go back and double check your work, because a lot of software will make assumptions about the epoch, and those assumptions could be wrong.
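The following Python is an added example, not code from the article or from Cellebrite’s tools, illustrating the epoch problem described above. It assumes a table whose columns mix Unix-epoch (1970) and Cocoa/Mac-absolute-time (2001) values, and uses a plausible date window to flag which encoding each value fits rather than assuming one epoch for the whole table; the sample rows are constructed.

```python
from datetime import datetime, timezone

# Seconds from the Unix epoch (1970-01-01) to the Cocoa / Mac absolute time epoch (2001-01-01), UTC.
COCOA_EPOCH_OFFSET = 978_307_200

def _utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

# Candidate encodings an examiner commonly meets in Apple and cross-platform databases.
CANDIDATES = {
    "unix_seconds":      lambda v: _utc(v),
    "unix_milliseconds": lambda v: _utc(v / 1e3),
    "cocoa_seconds":     lambda v: _utc(v + COCOA_EPOCH_OFFSET),
    "cocoa_nanoseconds": lambda v: _utc(v / 1e9 + COCOA_EPOCH_OFFSET),
}

def interpret_timestamp(raw, earliest, latest):
    """Return every candidate epoch under which `raw` falls inside [earliest, latest].
    Exactly one hit is a strong hint; zero or several hits mean the value needs manual review."""
    hits = {}
    for name, convert in CANDIDATES.items():
        try:
            dt = convert(raw)
        except (OverflowError, OSError, ValueError):
            continue  # value too large or too small for this encoding
        if earliest <= dt <= latest:
            hits[name] = dt
    return hits

def audit_rows(rows, columns, earliest, latest):
    """For each row, report the inferred epoch per timestamp column (None when ambiguous or implausible)."""
    report = []
    for row in rows:
        inferred = {}
        for col in columns:
            hits = interpret_timestamp(row[col], earliest, latest)
            inferred[col] = next(iter(hits)) if len(hits) == 1 else None
        report.append(inferred)
    return report

# Constructed sample rows (not real evidence): row 1 records the same event twice, once as Unix
# seconds and once as Cocoa seconds; row 2 has a "modified" value that no encoding makes plausible.
SAMPLE_ROWS = [
    {"id": 1, "created": 1682942400, "modified": 704635200},  # both 2023-05-01T12:00:00Z
    {"id": 2, "created": 1682942400, "modified": 5},
]
WINDOW = (datetime(2010, 1, 1, tzinfo=timezone.utc), datetime(2030, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for entry in audit_rows(SAMPLE_ROWS, ["created", "modified"], *WINDOW):
        print(entry)
```

Treating the `modified` column as Unix seconds would date row 1 to 1992, which is the kind of “this timestamp doesn’t make any sense” result that should send you back to check the tool’s assumptions.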
Filtering Your Data
Unified logs contain vast amounts of information, which is why solutions with strong filtering capabilities, like Cellebrite Inspector, are invaluable. If you’re looking for a particular activity that happened on a specific date, it can help you isolate the incident by the date. This will allow you to disregard nearly all of the data you don’t care about. Then you can start building your own filters.
What makes Cellebrite Inspector unique is its key filtering for typical metadata-type information. It expands upon those capabilities so you can filter by critical keywords, names, applications and fingerprinting.
Criminals are getting smarter and cleaning up their electronic devices or not even using their computers around the time of the crime, which will drive you crazy because you may feel like you’re missing something. This is why it’s so important to bring all your data in first and when you start building your picture and notice you’re missing something, ask: Why is it missing? There’s always a reason; the challenge is simply figuring that out.
One of the things that crossed over when Apple was expanding its iOS, iPad and macOS platforms was the Biome data, which can hold some great artifacts. The challenge is that it’s encoded and encrypted differently, so you simply must account for that.
Analyzing Windows Data
While Windows has fundamentally remained the same, encryption is more ubiquitous in the operating system. This becomes an issue if you don’t have the key or the wherewithal to actually access the computer when you’re doing the analysis.
Mobile apps, and their crossover onto desktop devices, are also complicating things as apps on your phone can be synched to the same apps on your computer. This is why having a deep understanding of mobile devices is important and why savvy investigators are getting mobile training. Looking ahead, the path is clear: if you know mobile, you’ll survive. If you don’t know mobile, it’s imperative to learn it.
The Big Data Challenge
Whether it’s a murder, a homicide or a child abuse case that involves multiple victims, when law enforcement goes in, there is simply so much data that must be collected and analyzed. This is one of the big reasons investigators have never been able to fully solve their backlog issues and why so many burn out over time.
With so much data to go through, investigators must ask themselves what the real ROI (return on investment) is for their time and resources: whether the case really requires that every bit of information be analyzed, or whether there is a way to streamline the process and get “just enough” data to solve the case while avoiding burnout.