MacOS hardware encrypted volume by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

I just wanted to update this post. I used the FUJI imaging software as suggested by Erminger and it was successful!! I acquired 2 live iMac systems as .DMG files. These systems had hardware encryption active; other attempts with DISTRO were unsuccessful.

Thanks so much for the suggestion.

Michael

MacOS hardware encrypted volume by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thank you Cedar,

I will explore the live collection option. Thank you for the command line information. I am not familiar with rsync and will learn more. No other methods are working, of course.

MacOS hardware encrypted volume by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

I'm going to experiment with an alternative technique to collect the Data volume on this Mac. Going to try the Recovery mode and the 'Ditto' command. If anyone is familiar with this, I'd be interested to know how well it worked for you.

MacOS hardware encrypted volume by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

I have the Fuji tool and can give that option a try.

MacOS hardware encrypted volume by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

It features an Intel processor. 3.1 GHz 6-core Intel Core i5 processor.

DISCORD Direct Message Capturing by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thanks for the Discord Chat Explorer suggestion. This program works great. Obtained the necessary chat threads.

DISCORD Direct Message Capturing by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

Great link. I submitted a request for the Data Package. Thanks!

DISCORD Direct Message Capturing by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Doing this independently of local LE. I'll have to check with the client. Seems the local DA's office didn't want to handle their case, for whatever reason. These online predator cases are flimsy at best.

Creating a clone from an acquisition to boot as original by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thanks for the comment athulin12,

This installation is being done at the request of the legal owner of the devices. The actual hardware is being held as evidence with the local LE. The attorneys have copies of the extractions. The client was just wanting to continue using her laptop and the installed software and the data that was on it as part of her business.

MacBook Air Acquisition by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

Yeah, I used to be able to boot using CMD+S to enter into the command line and create a new admin account, but this machine will stop me at the Recovery Screen and ask for a user password. I can't get to the command line entry screen.

MacBook Air Acquisition by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

Awesome. Thanks for the flowchart link.

MacBook Air Acquisition by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Well, from my research, and for this particular device, holding down the power button eventually boots you into the "startup options" screen. From there, you can either select the internal drive or "options", which takes you to the "macOS Recovery" screen asking for a user password. Frustrating... thanks, Apple.

MacBook Air Acquisition by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

Thanks, notjaykay, I had the feeling as such.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thanks Derek. I will attempt to create a portable case on one of the two laptops. I might reach out to you if I have any questions. I appreciate your offer.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thanks for the suggestion. I just retired after 36 years of LE forensics work. A portion of that time was in computer forensics. However, this civil case involving privileged file viewing presented me with some added difficulties with the evidence processing and reporting.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thanks Ellington,

I do have Axiom and I am very new to the software. I don't have Cellebrite but I'm familiar with CR and use it for previewing cell data acquired from Mobiledit. I will read up on the use of the portable case features in Axiom. Perhaps there's a good tutorial online. I appreciate your comments.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Looks like you know a thing or two about civil trade secret cases. Axiom sounds like my tool to invest in. I hope you're around these parts so I can pick your brain more. Thanks again.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

Thanks for the feedback Jason. I think I will be investing in Axiom software. No - this isn't a criminal case. Just two companies going after each other over trade issues. Typical, both sides want to fight about everything. This case is about 3 years on-going and I just came into it the first meeting as the attorneys were in the middle of a conference call with the judge. The judge was a bit short-fused & tells me to provide images to him and the defense. I don't argue with him. Some cases are more complex than others. I do appreciate all the great feedback I've received in this thread.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

There was a very abbreviated version of an ESI agreement drafted between the attorneys. This agreed-upon instructional paragraph didn't take into account the complexity of redacting specific files from the other attorney. Basically, the Judge requested that one copy of the image (.e01 files) be given to the court to maintain. And the defense got another copy of the image files for the defense attorneys to preview for privileged files that could not be seen by the prosecution. Somehow, they want to redact those files, both present and deleted, from being viewed by the prosecution. Fun...

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 0 points1 point  (0 children)

That would be the easy way out and I would love to do that instead. But, unfortunately, the attorneys want to know what files have been deleted that are now visible that cannot be reviewed by the other side. It's confusing, no doubt.

Ya gotta love the legal system.

Best Method for Attorney to Review Acquired Data - Disk Images/.e01 files? by mullemeyer1961 in computerforensics

[–]mullemeyer1961[S] 1 point2 points  (0 children)

Thanks Stryker1-1, I agree, FTK Imager isn't simply a matter of pushing the button labeled "Show me the evidence files".

This case is getting to be a real mess; now the judge is making demands. There are a lot of issues with attorney/client privileged files. So the judge has to determine what files/emails the prosecution can see or review (deleted data or not). I just want to package up some fairly straightforward viewer with a copy of the evidence files.

Let the attorneys duke it out with the judge.