T2 and encryption

Valued Contributor II

One of the things that worried me is data recovery from the Macs with the T2. I saw an article that Apple removed the port on the motherboard that allowed them to hook up and recover data in the stores, which only made it seem more unrealistic to be able to recover data.

I finally got some in the lab here and ran one through DEP, created a folder on the desktop, and then finally put a junk text file into the folder to see if I could read it when I target booted the machine off a non-T2 machine (in this case a 2016 MBP).

To my amazement the device showed up and I was able to access it w/o issue.

Since both machines were signed in with my AD login, I took it to a coworker's 2016 MBP and plugged it into their machine, and they were able to access the drive and get to the users folder, though not able to get further than that - which is normal.

This begs the question, if the data on the T2s is supposed to be encrypted, how come I can read the drive w/o issue?


Esteemed Contributor II

@jwojda If you want to prevent unauthorized access to the data on the drive via Target Disk Mode, turn on FileVault 2 or an EFI password. The T2 encryption means that someone couldn't unsolder the flash RAM from one motherboard and solder it onto another motherboard to read the contents.

Yes, this can be a little confusing. The data is encrypted by default, but you don't need any special permission to unlock the drive or access the data. You could say that the hard drive is a very secure storage room, but the door is unlocked - allowing anyone to go into the room and access the data. To "lock it," you'll need to enable FileVault. It'll take literally a second to complete that, and from that point on the drive is secure and you need your password to unlock or decrypt the drive.

More info here: https://support.apple.com/en-us/HT208344

Contributor III

Apple still recommends you turn on FileVault. But you're right...if the drive is encrypted, how come we can access it? I think what it seems like is if someone tried to take the hard drive out of the machine physically and put it into another Mac - it wouldn't work.

Just out of curiosity, did it let you put the T2 machine into target mode without turning on the boot utility?

Valued Contributor II

Think about it this way: when you access the SSD (either through the OS or via TDM), you are still routing data through the T2 controller. All the encryption/decryption is being handled by the T2 controller. You would only see the encrypted data if you tried to access the SSD directly (e.g., in theory removing the SSD from the system board and installing it on another system board).

Without FileVault enabled, you have encrypted data, but access is unlimited. As soon as you mount the drive, you can read the data just fine. With FileVault enabled, you are effectively adding a challenge to the mounting process, but you can access the data.
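A toy model of the key handling described in the replies above, added here as an illustration and not taken from the thread or from Apple. The `Controller` class, the hash-based `seal`/`unseal` cipher and the passphrase are stand-ins (assumptions); the point is that the data key is always wrapped by a per-board secret, and enabling FileVault only re-wraps that key with the password mixed in, leaving the data blocks untouched.

```python
import hashlib, hmac, secrets

def _stream(key, n):                      # toy keystream, NOT a real cipher
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):                      # encrypt + tag so a wrong key is detected
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise PermissionError("key does not unlock this data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

class Controller:
    """Stand-in for the T2: holds a per-board secret that never leaves it."""
    def __init__(self):
        self._uid = secrets.token_bytes(32)
    def _kek(self, password):             # key-wrapping key: board secret (+ password)
        return hashlib.pbkdf2_hmac("sha256", self._uid + password.encode(), b"kek", 10_000)
    def format(self, data):               # data is encrypted from the start
        vek = secrets.token_bytes(32)
        return {"wrapped_vek": seal(self._kek(""), vek), "blocks": seal(vek, data)}
    def enable_filevault(self, flash, password):
        vek = unseal(self._kek(""), flash["wrapped_vek"])
        flash["wrapped_vek"] = seal(self._kek(password), vek)   # only the key is re-wrapped
    def mount(self, flash, password=""):
        return unseal(unseal(self._kek(password), flash["wrapped_vek"]), flash["blocks"])

def try_mount(ctrl, flash, password=""):
    try:
        return ctrl.mount(flash, password)
    except PermissionError:
        return None

def demo():
    board_a, board_b = Controller(), Controller()
    flash = board_a.format(b"junk text file")               # constructed sample data
    out = {"no_filevault": try_mount(board_a, flash)}       # the Target Disk Mode case
    before = flash["blocks"]
    board_a.enable_filevault(flash, "example-passphrase")
    out["blocks_unchanged"] = flash["blocks"] == before
    out["filevault_no_password"] = try_mount(board_a, flash)
    out["filevault_password"] = try_mount(board_a, flash, "example-passphrase")
    out["other_board"] = try_mount(board_b, flash, "example-passphrase")
    return out
```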

Contributor III

So I just tried to boot up my T2 machine in target mode and it doesn't seem to want to go into target mode with the default settings. So out of the box you don't have the risk of the data on the drive being compromised. You would have to remove the boot utility in order to allow it to occur.

Valued Contributor

For data recovery Apple suggests contacting the usual suspects (DriveSavers, et al.). And DriveSavers say that they can successfully recover data from a T2 MacBook Pro. By what magic they do this, I don't know (but I can guess it involves a soldering iron and a host machine). And I'll wager it's a bit more pricey than a normal mechanical drive.