jewelsasa.blogg.se - Blackbag forensics compared to oxygen forensics

Blackbag forensics compared to oxygen forensics mac os x#

Use the source machine’s own system to create a forensic image by booting from the MacQuisition USB dongle.

If FileVault 2 exists, the examiner can, with use of the password, Keychain file or recovery key, mount the volume in a read-only fashion, allowing for either a triage or collection of the files.

MacQuisition automatically recognizes a combined volume from a Fusion Drive and presents it for imaging.

Extensively log live data acquisition information throughout the collection process.

Choose from 26 unique system data collection options, including active system processes, current system state, and print queue status.

Soundly acquire and save volatile Random Access Memory (RAM) contents to a destination device.

Capture important live data such as Internet, chat, and multimedia files in real time.

LIVE DATA ACQUISITION COLLECT FROM LIVE SYSTEMS

Selectively acquire email, chat, address book, Calendar, and other data on a per-user, per-volume basis.

Thoroughly log data acquisitions and source device attributes throughout the collection process.

Authenticate collected data using any or all MD5, SHA-1, or SHA-256 hash functions.

Preserve valuable metadata by maintaining its association with the original file.

Target and forensically acquire files, folders, and user directories while avoiding known system files and other unneeded data.

TARGETED DATA COLLECTION SELECTIVELY ACQUIRE

Blackbag forensics compared to oxygen forensics mac os x#

Tested and used by experienced examiners for over a decade, MacQuisition runs on the Mac OS X operating system and safely boots and acquires data from over 185 different Macintosh computer models in their native environment, even Fusion Drives. In cases where multiple machines and devices are involved, MacQuistion provides the option to browse and search through data, and preview file contents before any data is collected or deices are imaged. BlackBag has built the only solution that works with the chip to decrypt the file-systems at collection time, empowering examiners to capture the entire physical blocks that hold vital information and not just logical files. Apple’s T2 encryption methodology is unique to each Mac, and crucial data can only be decrypted using the keys stored in that systems T2 chip. MacQuisition is the first and only solution to create physical decrypted images of Apple’s latest Mac computers utilizing the Apple T2 chip. As Apple’s Mac computers continue to grow in popularity among users within organizations, today’s forensic examiners need powerful and proven solutions to help them perform live data acquisition, targeted data collection, and forensic imaging from these computers.

The field of computer forensics investigations is growing, especially as law enforcement and legal entities realize just how valuable these pieces of hardware technology can be when conducting corporate and criminal investigations.