How Apple’s Big Sur Impacts Your Analysis

Version 11.2  |  Digital Collector, Cellebrite Inspector  |  March 11, 2021

This news fell straight from the Apple® tree. macOS Big Sur 11.2 is the latest and greatest version of Apple’s macOS operating system which features a refreshed design, a new Control Center, a revamped Messages app, a Maps overhaul, a fix for MacBook Pro charging issues, a built-in translator for Safari, improved Bluetooth connectivity, and security updates too!  

Security Updates: Under Lock & Key

Not long ago, when Apple released macOS 10.15, we were introduced to the concept of a system volume that is read-only and hidden from the user; this time around, that concept has been expanded to further enhance the security of the system volume.

Known as the Sealed System Volume (SSV), each file on the volume is hashed and the hashes are kept in a tree of hashes (a Merkle tree). If the SSV's seal does not match the hash saved in the volume metadata during boot, the computer will not boot. Likewise, if a file is accessed and the file's hash doesn't match what's expected, it won't launch.
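To make the sealing mechanism described above concrete, here is an added, simplified model (not code from the original post, and not Apple's actual APFS implementation): per-file hashes are combined into a Merkle tree, the root is stored as the seal at sealing time, and both the boot-time seal comparison and the per-file access check are reproduced over a constructed sample volume. The file paths and contents are invented for the example.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(path: str, content: bytes) -> bytes:
    # Bind the path to the content so swapping two intact files is also detected.
    return sha256(b"leaf:" + path.encode() + b"\0" + content)

def merkle_root(leaves: List[bytes]) -> bytes:
    # Pairwise-hash each level until one node remains; an odd last node is carried up.
    if not leaves:
        return sha256(b"empty")
    level = leaves
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(sha256(b"node:" + level[i] + level[i + 1]))
            else:
                nxt.append(level[i])
        level = nxt
    return level[0]

def seal_volume(files: Dict[str, bytes]) -> Tuple[bytes, Dict[str, bytes]]:
    """Return (seal, per-file hashes); paths are sorted so the seal is deterministic."""
    per_file = {p: leaf_hash(p, files[p]) for p in sorted(files)}
    return merkle_root(list(per_file.values())), per_file

def boot_check(files: Dict[str, bytes], stored_seal: bytes) -> bool:
    # Boot-time check: recompute the root over the whole volume and compare to the seal.
    return seal_volume(files)[0] == stored_seal

def access_check(path: str, content: bytes, stored_hashes: Dict[str, bytes]) -> bool:
    # Access-time check: a single file's hash must match what was recorded at sealing.
    return stored_hashes.get(path) == leaf_hash(path, content)

# Constructed sample volume (paths and contents are illustrative only).
VOLUME = {
    "/System/Library/CoreServices/SystemVersion.plist": b"ProductVersion 11.2",
    "/usr/bin/ls": b"mach-o bytes (constructed)",
    "/usr/lib/libSystem.B.dylib": b"dylib bytes (constructed)",
}
SEAL, HASHES = seal_volume(VOLUME)

def demo() -> Tuple[bool, bool, bool]:
    # Intact volume boots; a modified binary fails the seal and fails its own access check.
    tampered = dict(VOLUME)
    tampered["/usr/bin/ls"] = b"modified"
    return (boot_check(VOLUME, SEAL), boot_check(tampered, SEAL),
            access_check("/usr/bin/ls", tampered["/usr/bin/ls"], HASHES))
```

Running `demo()` returns `(True, False, False)`: the untouched volume passes, while a single changed file breaks the seal and is refused at access time.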

How Does This Impact Your Analysis?

The SSV is secured and cannot be viewed either by Digital Collector or when analyzing your case in Inspector. During analysis, SystemVersion.plist describes the current version of the operating system; this plist is found in the system volume and the artifact is duplicated in other areas of the disk, including the Preboot volume. 

As the Mac operating system progresses, changes will be made to various files throughout the system which can affect your analysis.

Big Sur and Cellebrite Digital Collector

Digital Collector, formerly known as MacQuisition, still enables you to use all the same features on Windows computers, which include:

  • Triage Data – Digital Collector can be used live on macOS Big Sur computers to triage data. Volumes can be browsed and files or folders can be selected and copied to an .L01, sparseimage, or to a folder structure.
  • Imaging – Imaging Mac computers is unchanged with Digital Collector. This is the only solution to fully decrypt data from T2 chip Mac computers, but live imaging of macOS Big Sur physical disks is not possible because third-party kernel extensions are blocked.
  • Volume Structure – An examiner can image the physical device or the APFS container. It is worth noting that the SSV appears without a volume name and is shown as 0 bytes.

For additional information on this macOS release, including user manuals and datasheets, please log in to your MyCellebrite account.