Forensics Software

Dwetzel94
New Contributor

We are currently using an existing forensics software on our Windows machines and would like to find another solution for the Macs because our current software does not work with FileVault. Does anyone use forensics software on their Macs along with Filevault?


donmontalvo
Esteemed Contributor III

If "does not work with FileVault" means the tool can't work if the Mac is at the FileVault login window, I doubt any tool will work.

--
https://donmontalvo.com

mm2270
Legendary Contributor III

Yeah, any tool, forensics or not, is going to be stopped by an FDE-encrypted Mac; otherwise it would be a pretty big hole in the security model.
Our corporate investigation team also needs to get past FV2 when they get a Mac in for forensics. They are one of the very few groups we give the Institutional recovery key to, so they can unlock any Casper-encrypted Mac after booting to an alternate volume without needing to pull the individual key.

Once the drive is unlocked, any Mac application made for forensics should be able to scan and read the drive though.

Dwetzel94
New Contributor

By "does not work with FileVault" I mean that our forensics team would like to get into the encrypted machine without having to decrypt it (changing the bit count and thus disqualifying it from litigation). Allowing the forensics team to have the institutional recovery key has been considered but they also want the option to remotely access the drive. @mm2270 What software does your corporate investigation team use for forensics?

mm2270
Legendary Contributor III

I don't actually know, so I would need to ask them. Since something like that could be considered sensitive information I'll post back with my email address, or maybe you can post yours and when I find out I can send you the information. I just don't want anyone here getting upset that I'm publicly announcing the software that our CIS folks use.

Can you explain what you mean when you say they'd like to be able to remotely access the drive? How exactly do they envision doing this? Once it's encrypted with FileVault, the drive must be unlocked and mounted in the file system before they can access it in any way.

As for the encrypted drive, you only need to unlock it, not decrypt it. They are two different things. As far as I know, our CIS guys are OK with unlocking/mounting but not decrypting the drive. They would prefer not to need to mount any volumes at all to scan it, but that's not really a possibility.
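The unlock-but-don't-decrypt step described above, as an added example that is not part of the thread or any poster's tooling: it unlocks a FileVault 2 CoreStorage volume with the institutional recovery keychain, mounts it read-only so the examiner's scan never writes to the evidence volume, and verifies the mount flags. The LV UUID, the keychain path and the device node are assumed inputs taken from `diskutil cs list`.

```sh
#!/bin/sh
# Added example (not from the thread): unlock, never decrypt, an FV2 CoreStorage volume
# using the institutional recovery keychain, then mount it read-only for examination.
# Assumed inputs: LV UUID and device node (both from `diskutil cs list`) and the path
# to the FileVaultMaster.keychain holding the institutional recovery key.
set -eu

# Returns 0 when the device is listed in `mount` output with the read-only flag.
# $1 = text of `mount` output, $2 = device node (e.g. /dev/disk3)
mount_is_readonly() {
    printf '%s\n' "$1" | grep -E "^$2 on .*\(.*read-only.*\)" >/dev/null
}

# Unlock with the institutional recovery keychain, then mount read-only.
# $1 = logical volume UUID, $2 = keychain path, $3 = device node of the unlocked LV
unlock_and_mount_ro() {
    # -nomount keeps diskutil from auto-mounting the volume read-write after the unlock
    diskutil cs unlockVolume "$1" -recoveryKeychain "$2" -nomount
    diskutil mount readOnly "$3"
    # Refuse to hand the volume over if it somehow came up writable
    if ! mount_is_readonly "$(mount)" "$3"; then
        echo "ERROR: $3 is mounted but not read-only; unmount before examining" >&2
        return 1
    fi
    echo "$3 unlocked and mounted read-only"
}

# Example invocation with placeholder values:
# unlock_and_mount_ro 11111111-2222-3333-4444-555555555555 /path/to/FileVaultMaster.keychain /dev/disk3
```

A read-only mount is a software control on the examiner's host, not a substitute for the hardware write blocker or forensic image an investigation normally works from.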

Dwetzel94
New Contributor

Completely understandable. dwetzel94@gmail.com

I am not sure exactly what they mean either. When you email me I will respond with a better explanation of exactly what they are looking to do.

Thanks.