Examining Mac Data from Hardware With the Apple T2 Chip
Apple grabbed the attention of forensic examiners everywhere when they released hardware with new T2 chip technology in December 2017. Many examiners are asking “How does the T2 chip impact examining data from this new hardware?”
At the time of this article, the T2 chip is included in the iMac Pro and most 2018 MacBook Pro models. This Apple Support page provides the list of Macs with the Apple T2 chip.
After conducting tests with the new hardware, we discovered two primary issues that can impact a forensic examination: the Secure Boot feature and built-in SSD encryption.
Issue 1: Secure Boot
With the introduction of the T2 chip, Apple added the Secure Boot feature, ensuring only a legitimate and trusted operating system can load at startup. By default, Mac hardware with the T2 chip ships from Apple with the “Full Security” Secure Boot setting, which disallows booting from external media.
This means in order to boot an external device such as Digital Collector or another imaging tool, the Secure Boot setting must be switched to “Allow booting from external media” and “No Security”. Switching these settings requires using the Startup Security Utility and entering an admin account password. Instructions can be found on Apple’s site here and here.
If the admin password is unknown, the examiner is limited to:
- Conduct a logical Data Collection while the source Mac is running live and logged into a user account.
- Place the source Mac into Target Disk Mode and attach it to another Mac (host), then conduct a logical Data Collection.
Note: as Target Disk Mode is not write-protected, we recommend booting the host Mac to Cellebrite Digital Collector or using SoftBlock (write-blocking software) so that the source Mac is attached as read-only.
Issue 2: Built-in SSD Encryption
Mac hardware that has the Apple T2 chip integrates security into both software and hardware to provide encrypted-storage capabilities. Apple explains more here.
For forensic examiners, this means the T2 chip from the original hardware is needed to decrypt the data, which impacts examining a physical image. A physical image of the SSD from a Mac with a T2 chip carries encryption that is different from FileVault 2 encryption.
Since a physical image is examined apart from its original hardware, data protected by the T2 chip's built-in encryption cannot be decrypted. At this time, this forces examiners to conduct logical acquisitions of Macs with the Apple T2 chip while the data is in a decrypted state.
In addition to the physical disk being encrypted by default, a user can opt to add another level of protection by turning on FileVault 2 encryption. This requires the examiner to unlock FileVault 2 first, using original hardware, in order for its T2 chip to decrypt the data.
Don’t worry, we’ve got you covered! Cellebrite Digital Collector 2018 R1 and newer supports logical Data Collections of Mac computers with the Apple T2 chip. A Digital Collector user can conduct a Data Collection in the following states:
- While the Mac is running live, the data is in a decrypted state and can be collected to a folder on the destination drive, sparse image, or DMG. We recommend formatting the drive/image as APFS or HFS+ to preserve the most metadata.
- If the Secure Boot setting allows booting to external media, then boot to Digital Collector and logically collect the decrypted data. Note: if FileVault 2 is enabled, the password or recovery key will need to be entered to decrypt the additional encryption before collecting the data.
- If the Secure Boot setting does not allow booting to external media or you are acquiring the latest MacBook Pro, then place the Mac in Target Disk Mode. Attach the source Mac while in Target Disk Mode to a host Mac that can be booted to Digital Collector and perform the Data Collection using the host Mac.
Note: the host Mac will need to have either a USB 3.0 port, USB-C port, Thunderbolt 2 port, or Thunderbolt 3 port to be compatible with Target Disk Mode for the newer Macs. Be prepared to unlock FileVault 2 for the source Mac if it is enabled.
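Before starting a Target Disk Mode collection from the host Mac, it is worth confirming the two conditions described above: the source volume is actually attached read-only, and FileVault 2 has been unlocked. The script below is an added example (not Cellebrite's or Apple's code) that checks both from the output of `mount` and `diskutil apfs list`; the `FileVault: Yes (Locked)` line format and the sample output are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example for the Target Disk Mode workflow (not Cellebrite's or Apple's code).
# Run on the HOST Mac after attaching the source Mac. Each function takes command
# output as an argument so the parsing can be exercised on constructed sample text;
# on a live host: precheck "$(mount)" "$(diskutil apfs list)" /Volumes/Evidence

# Print every volume under /Volumes/ that is mounted writable, except the destination
# mount point given as $2. Target Disk Mode does not write-protect the source, so any
# line printed here must be fixed (SoftBlock / remount read-only) before collecting.
writable_volumes() {
    dest=${2:-__no_destination__}
    printf '%s\n' "$1" | grep ' on /Volumes/' | grep -v 'read-only' \
        | grep -vF -- " on $dest " || true
}

# Print "<device> <state>" for each APFS volume in `diskutil apfs list` output, where
# state is locked, unlocked or none. Assumes the "FileVault: Yes (Locked)" line format.
# A locked volume needs the FileVault 2 password or recovery key before collection.
filevault_states() {
    printf '%s\n' "$1" | awk '
        /APFS Volume Disk \(Role\):/ { sub(/.*APFS Volume Disk \(Role\): */, ""); vol = $1 }
        /FileVault:/ {
            state = "none"
            if ($0 ~ /Yes \(Locked\)/)   state = "locked"
            if ($0 ~ /Yes \(Unlocked\)/) state = "unlocked"
            print vol, state
        }'
}

# Go/no-go: returns 0 when nothing but the destination is writable and no volume is
# still locked; otherwise prints the blocking findings and returns 1.
precheck() {
    rc=0
    w=$(writable_volumes "$1" "$3")
    [ -z "$w" ] || { printf 'WRITABLE, not write-blocked:\n%s\n' "$w"; rc=1; }
    l=$(filevault_states "$2" | grep ' locked$' || true)
    [ -z "$l" ] || { printf 'LOCKED FileVault 2 volumes, unlock first:\n%s\n' "$l"; rc=1; }
    return $rc
}

# Constructed sample output (not captured from a real system): the source volume is
# still writable and FileVault 2 is locked; the destination volume is writable by design.
SAMPLE_MOUNT='/dev/disk1s1 on / (apfs, local, journaled)
/dev/disk4s1 on /Volumes/Macintosh HD (apfs, local, journaled)
/dev/disk5s1 on /Volumes/Evidence (apfs, local, journaled)'
SAMPLE_APFS='|   +-> Volume disk4s1 00000000-0000-0000-0000-000000000001
|   |   APFS Volume Disk (Role):   disk4s1 (No specific role)
|   |   FileVault:                 Yes (Locked)
|   +-> Volume disk5s1 00000000-0000-0000-0000-000000000002
|   |   APFS Volume Disk (Role):   disk5s1 (No specific role)
|   |   FileVault:                 No'

precheck "$SAMPLE_MOUNT" "$SAMPLE_APFS" /Volumes/Evidence || echo "NOT READY to collect"
```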
Digital Collector version 2018 R1 and newer supports booting to the iMac Pro models when the Secure Boot setting is switched to allow booting from external media. The upcoming version 2018 R2 will support booting to the new 2018 MacBook Pro models if the Secure Boot setting has also been switched.
Learn more about Cellebrite Digital Collector.