Evimetry for a FileVault'd Mac

35 minutes
Video Transcription
All right. Welcome to handling BitLocker and FileVault encrypted drives with Evimetry and Mount Image Pro. That's gonna be a lot of fun.

All right, so speaking of Macs, let's take a look at actually doing that. So, in the most recent Apple OS X operating systems, they've switched over to, of course, the APFS file system, to get this whole virtualized file system, things like that. And encryption is definitely turned on by default, which means typically it's a little bit harder to image, and things like this.

You can use a variety of tools for this. We are going to use Evimetry and just collect the whole thing without doing anything fancy up front. But you can use something like MacQuisition, which is from BlackBag Technologies. We'll be looking at that in future courses. Also, there's another product out there whose name is escaping me at the moment. Similar, but it mounts on the Mac and allows you to provide a password as you go ahead and do the collection. Strangely enough, neither one of them actually produces an unencrypted image for it. It's kind of obnoxious the way it's handled nowadays. But, you know, there's ways to do that sort of thing. But all of these newer Mac operating systems are going to use the APFS file system.
So actually collecting a forensic image of a FileVault-encrypted APFS disk in Evimetry is absolutely no different than doing your standard, everyday Evimetry Dead Boot acquisition. It's just the same old, same old. In the end, that applies to your BitLocker'd volumes too. You just go ahead and acquire the whole disk in a full linear acquisition, and you deal with the encryption after the fact. Again, like I said, it's super important to make sure that you've got either the BitLocker recovery key or the admin password for the Mac ahead of time, because, of course, you don't want to get back to your forensics lab, or wherever you're working on this, and find out then that you don't have that data. There might only be one opportunity for that.
So, since we're talking about acquiring a Mac, let's just go over here and do this.

So I have the Evimetry controller set up here on my Windows system. I have it connected to a device out there, which is actually a nice little MacBook Air. I have a 128 gig drive in that, which of course is showing as 113, as you can see down here. Typical Apple SSD in there, gonna be quite quick, things like that. And that whole system is FileVault encrypted. There's not much to that. And then, of course, I have my blessed target disk attached to that machine there. So, in standard fashion, I'm gonna go ahead and acquire that.
Don't forget to hook up a repository first. There you go. I've got to make sure I actually give it a place to write to. Boom. All right, so now we've got a repository. Good. Now we go ahead and acquire our disk. We're gonna acquire a disk. All right?
A001, tag 1, standard stuff. Got my name in there, and we're going to say MacBook Air, that's the Apple SSD.
All right. Like I said, never, never, never, never rely on these fields as your evidence collection; always do your evidence collection separately. So we're gonna go ahead and collect all that. We're gonna add that to our local repository. You know, your friend Brian likes to keep his image names simple and clear, so I'm just gonna change my image name to case number A001, item number tag1, dot aff4. Keep it simple. We're gonna, of course, verify the image. We're going to do a full linear. We're gonna let it do Snappy compression, because that's one of the advantages here. We'll do the SHA-1 for all of that, and everything should be good.
We hit the OK button, and off it goes, like the typical Dead Boot acquisition that we're doing across the network. Doesn't take a lot of work.
So we're actually going from an SSD to an SSD, so this is gonna happen pretty darn fast. You see over here in the corner where it's saying about three, four minutes there to acquire that disk, so we're gonna get pretty good speed on doing that, and we'll just let that go ahead and finish itself out. But you're not gonna expect anything different here than you would expect with any other Dead Boot acquisition, even though the target disk on that Apple MacBook Air is, as I said, fully FileVault encrypted. So we'll let that finish out here.
Feel free to drink coffee at this point. And coming in on the last few seconds there. Super fun, isn't it? And then it should kick over into verifying, exactly as expected. And verification, of course, runs really fast.
I just noticed the way I hooked up the Dead Booting: I hooked up the storage hard drive over a USB hub. Never an optimal solution there. Should have hooked it up direct to the computer; it's safe to say that probably took a full minute or something off the acquisition. All in all, it's still, you know, averaging 250-some meg per second. A good, solid acquisition time, but we'd probably double that by hooking it up directly. So it's always good to know your hardware and, you know, test out these different scenarios to try and make sure you're getting the optimal throughput on this stuff. Definitely a USB hub in there is gonna slow it down.
Right. Coming quickly on our verification here. Done and verified, bang, and we get the pop-up, and everything was good. So, a good acquisition: 113 gig took three minutes 51 seconds, actually, an average rate of 499. So, huh, it didn't slow us down as much as I really thought it had there. Then, of course, it went ahead and verified the disk, and that was all good. Notice it's a much smaller image: 30 gig out of 113 gig. You're seeing a lot of that empty-space compression going on there. That really pays off. And everything checked out fine. You go ahead and copy out this block map hash here for your records, but we're gonna move on.
So that's all it takes to go ahead and grab a fully FileVault-encrypted Mac hard drive image. Just really not a difficult thing to do there.
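The transcript above ends with two bookkeeping steps a practitioner repeats on every image: re-verify the whole-image hash, and keep the block map hash for the record. The script below is an added illustration of those two steps, not Evimetry's code and not its AFF4 block-map format: it hashes a raw image in fixed-size blocks, records a per-block hash map and one hash over that map, flags the all-zero blocks that the speaker's "empty space compression" squeezes out, and on re-verification reports which block changed rather than a bare mismatch. The 1 MiB block size, the sample image name and the constructed image contents are assumptions for the example.

```python
"""Post-acquisition integrity check for a raw disk image.

Added illustration, not Evimetry's code or its AFF4 block-map format:
hash the image in fixed-size blocks, keep a per-block hash map plus one
hash over that map, and compare the whole-image SHA-1 against the value
recorded at acquisition. If a later re-verification fails, the block map
tells you which block changed instead of just "hash mismatch".
"""
import hashlib
import os
import random
import tempfile
import time
from dataclasses import dataclass, field

BLOCK_SIZE = 1024 * 1024  # assumed 1 MiB block size for the map


@dataclass
class ImageRecord:
    size: int
    sha1: str                      # whole-image SHA-1, the value you record
    block_hashes: list = field(default_factory=list)  # SHA-256 per block
    block_map_hash: str = ""       # SHA-256 over the concatenated block hashes
    zero_blocks: int = 0           # all-zero blocks: "empty space" that compresses well
    seconds: float = 0.0

    def mb_per_sec(self):
        return self.size / 1e6 / self.seconds if self.seconds > 0 else 0.0


def hash_image(path, block_size=BLOCK_SIZE):
    """Read the image once, hashing the whole image and each block."""
    whole = hashlib.sha1()
    block_map = hashlib.sha256()
    rec = ImageRecord(size=0, sha1="")
    start = time.perf_counter()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                break
            rec.size += len(block)
            whole.update(block)
            digest = hashlib.sha256(block).hexdigest()
            rec.block_hashes.append(digest)
            block_map.update(digest.encode())
            if block.count(0) == len(block):
                rec.zero_blocks += 1
    rec.seconds = time.perf_counter() - start
    rec.sha1 = whole.hexdigest()
    rec.block_map_hash = block_map.hexdigest()
    return rec


def verify_image(path, expected_sha1, baseline=None, block_size=BLOCK_SIZE):
    """Re-hash and compare. Returns (ok, record, changed_block_indexes)."""
    rec = hash_image(path, block_size)
    ok = rec.sha1 == expected_sha1.lower()
    changed = []
    if baseline is not None:
        n = max(len(baseline.block_hashes), len(rec.block_hashes))
        for i in range(n):
            old = baseline.block_hashes[i] if i < len(baseline.block_hashes) else None
            new = rec.block_hashes[i] if i < len(rec.block_hashes) else None
            if old != new:
                changed.append(i)
    return ok, rec, changed


def make_sample_image(path, zero_blocks=3, data_blocks=1, block_size=BLOCK_SIZE):
    """Constructed stand-in for a disk image: mostly zeros plus some 'user data'."""
    rng = random.Random(20240101)  # deterministic, so the sample is reproducible
    with open(path, "wb") as fh:
        fh.write(b"\x00" * (zero_blocks * block_size))
        for _ in range(data_blocks):
            fh.write(rng.randbytes(block_size))
    return path


def flip_byte(path, offset):
    """Simulate post-acquisition corruption of one byte at `offset`."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        b = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([b[0] ^ 0xFF]))


def demo():
    """Acquire-time record, clean re-verify, then re-verify after one flipped byte."""
    workdir = tempfile.mkdtemp()
    img = make_sample_image(os.path.join(workdir, "A001-tag1.raw"))  # assumed name
    baseline = hash_image(img)           # what you record at acquisition time
    ok, _, changed = verify_image(img, baseline.sha1, baseline)
    assert ok and not changed
    flip_byte(img, 3 * BLOCK_SIZE + 17)  # corrupt one byte in the fourth block
    ok, again, changed = verify_image(img, baseline.sha1, baseline)
    return baseline, again, ok, changed


if __name__ == "__main__":
    base, again, ok, changed = demo()
    print(f"size={base.size} sha1={base.sha1} zero_blocks={base.zero_blocks} "
          f"rate={base.mb_per_sec():.0f} MB/s")
    print(f"re-verify ok={ok} changed_blocks={changed}")
```

Run it against a real image by calling `hash_image("/path/to/image.raw")` once at acquisition, storing the returned `sha1` and `block_map_hash` with your evidence notes, and calling `verify_image` with that baseline whenever the image is touched again; the per-block map is what turns "the hash no longer matches" into "block 3 changed", which is the same reason the tool's own block map hash is worth copying into your records.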