What is Missing from Logical Acquisitions?

Over the past couple of weeks, I have attended several international events and customer meetings where I’ve heard the same thing over and over – people still believe that the ‘logical imaging’ of T2 chip Macs “is as good as it needs to be!”

This is simply not true, and all of us who value acquiring the most forensically sound data should always seek a physical decrypted image from Apple’s T2-equipped Macs released from 2017 onward.

If you do not use the latest version of Cellebrite Digital Collector, you will miss a great deal of potential evidence. The Mac file system is built to protect data; it will neither hand over nor, in many cases, even expose everything that resides on the disk. Because a logical image is created by walking the file system, any data the file system does not reference is missed.

This data may include the following:

  • Data from the APFS “Free Queue”: These are allocated blocks on the drive that are not referenced in the file system. As a result, a logical acquisition does not collect them. Hundreds of files can be recovered from the Free Queue.

  • “Dataless Snapshots”: APFS has a backup-like feature, similar to Volume Shadow Copies in Windows, known as “APFS Snapshots.” What is not so well known is that some of these are unmountable “Dataless Snapshots” that APFS does not expose during a logical acquisition. Testing at Cellebrite has proven that thousands of unique files can be recovered from the erroneously named “Dataless Snapshots,” including entire iPhone backups.

  • Data stored in unallocated space: If a user has decided that T2 chip encryption is sufficient and has turned off FileVault 2, data in the unallocated space, known as “Shared Pooled Space” within the APFS container, may be recoverable even on SSD drives with TRIM enabled. This data is not acquired by any logical imaging process.

  • Data in File Slack: File slack can still contain data relevant to an investigation. There are tools available that enable users to hide data between the end of a file and the end of the file’s allocated blocks. Once again, if you have only managed to create a logical acquisition of data from a T2 chip Mac, you will not get this data.
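To make the gap between the two acquisition types concrete, here is an added example (not code from the original post or from Cellebrite) that models a tiny block-level image and walks it the way a file system would. It covers all four categories above: file slack past a file’s logical size, allocated blocks no longer referenced by any file (the Free Queue and dataless-snapshot cases), and unallocated blocks. The container layout, block size, file names and contents are constructed for illustration and do not follow the real APFS on-disk format; the point is to count how many bytes a file-system walk returns versus how many the raw image holds.

```python
"""Toy model of a logical (file-system walk) versus a physical (block-level)
acquisition. Constructed example: it does not parse real APFS structures,
it only models the data categories the post lists."""
from dataclasses import dataclass

BLOCK_SIZE = 16  # constructed toy block size (APFS uses 4096-byte blocks)


@dataclass
class FileRecord:
    name: str
    extents: list          # list of (start_block, block_count) this file occupies
    logical_size: int      # size the file system reports to a reader
    referenced: bool = True  # False: blocks still allocated but no longer reachable


@dataclass
class Container:
    image: bytes           # the raw block-level image
    allocated: set         # block numbers the allocator considers in use
    files: list            # FileRecord entries


def read_blocks(c: Container, extents) -> bytes:
    """Read whole blocks for a list of extents, straight from the image."""
    out = bytearray()
    for start, count in extents:
        out += c.image[start * BLOCK_SIZE:(start + count) * BLOCK_SIZE]
    return bytes(out)


def logical_acquisition(c: Container) -> dict:
    """What a file-system walk hands over: referenced files, cut at logical size."""
    return {f.name: read_blocks(c, f.extents)[:f.logical_size]
            for f in c.files if f.referenced}


def file_slack(c: Container) -> dict:
    """Bytes between each referenced file's logical end and its allocated end."""
    return {f.name: read_blocks(c, f.extents)[f.logical_size:]
            for f in c.files if f.referenced}


def referenced_blocks(c: Container) -> set:
    blocks = set()
    for f in c.files:
        if f.referenced:
            for start, count in f.extents:
                blocks.update(range(start, start + count))
    return blocks


def allocated_unreferenced_blocks(c: Container) -> list:
    """Allocated but not reachable through any file: the Free Queue / snapshot case."""
    return sorted(c.allocated - referenced_blocks(c))


def unallocated_blocks(c: Container) -> list:
    """Blocks the allocator considers free; their old contents may survive."""
    total = len(c.image) // BLOCK_SIZE
    return sorted(set(range(total)) - c.allocated)


def coverage_report(c: Container) -> dict:
    """Byte counts per category; physical_only_bytes is what a logical image misses."""
    logical_bytes = sum(len(v) for v in logical_acquisition(c).values())
    return {
        "image_bytes": len(c.image),
        "logical_bytes": logical_bytes,
        "slack_bytes": sum(len(v) for v in file_slack(c).values()),
        "allocated_unreferenced_bytes": len(allocated_unreferenced_blocks(c)) * BLOCK_SIZE,
        "unallocated_bytes": len(unallocated_blocks(c)) * BLOCK_SIZE,
        "physical_only_bytes": len(c.image) - logical_bytes,
    }


def _block(text: str) -> bytes:
    data = text.encode()
    assert len(data) <= BLOCK_SIZE
    return data.ljust(BLOCK_SIZE, b"\x00")


def build_sample_container() -> Container:
    """Constructed 8-block image: two live files, one orphaned file, one
    snapshot-only block, and two unallocated blocks with remnant data."""
    image = b"".join([
        _block("NOTES-BLOCK-0000"),  # block 0: notes.txt, fully used
        _block("tailHIDDEN-SLACK"),  # block 1: 4 bytes of notes.txt, 12 bytes of slack
        _block("OLD-DB-UNREF"),      # block 2: allocated, file no longer referenced
        _block("SNAPSHOT-ONLY"),     # block 3: allocated, held only by a snapshot
        _block("DELETED-REMNANT"),   # block 4: unallocated, old data still present
        _block(""),                  # block 5: unallocated, zeroed
        _block("PHOTO-BLOCK-0006"),  # block 6: photo.jpg
        _block("PHOTO-BLOCK-0007"),  # block 7: photo.jpg
    ])
    files = [
        FileRecord("notes.txt", [(0, 2)], logical_size=20),
        FileRecord("old.db", [(2, 1)], logical_size=12, referenced=False),
        FileRecord("photo.jpg", [(6, 2)], logical_size=32),
    ]
    return Container(image=image, allocated={0, 1, 2, 3, 6, 7}, files=files)


SAMPLE = build_sample_container()

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE).items():
        print(f"{key:30} {value}")
    print("slack in notes.txt:", file_slack(SAMPLE)["notes.txt"])
```

In this toy image the file-system walk returns 52 of 128 bytes; the remaining 76 bytes (slack, orphaned and snapshot-held blocks, and unallocated space) only exist in the block-level copy, which is exactly the shortfall the bullets above describe.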

Cellebrite Digital Collector allows you to obtain a physical decrypted image, the most comprehensive acquisition available for T2 Mac computers. Prior to the release of Cellebrite Digital Collector 2019 R1, logical acquisitions were the only option. The data listed above potentially contains relevant information that could not be acquired any other way; a physical decrypted image acquired using Cellebrite Digital Collector collects it.

Learn more about Cellebrite Digital Collector.