# macOS Data Acquisition Guide

**Methods:** 11 | **Generated:** 2026-03-07

---

## Physical Acquisition

### External Boot dd Image (Intel Mac)

Boot an Intel Mac from external forensic media and use dd/dc3dd to create a raw disk image. This is the most forensically sound approach for Intel-based Macs without T2 chips.

**Tools:** dd, dc3dd, Forensic boot USB

**Prerequisites:**
- Intel Mac without T2 chip (pre-2018 models)
- Bootable forensic USB media
- Physical access to the target Mac

**Steps:**
1. Prepare a bootable Linux forensic USB (CAINE, SIFT, Paladin).
2. Power off the target Mac and connect the forensic boot USB.
3. Hold Option key during boot and select the external media.
4. Identify the target disk: diskutil list or lsblk
5. Run: dc3dd if=/dev/diskX of=/evidence/mac.dd hash=sha256 log=acquisition.log
6. Wait for imaging to complete and verify hashes.

**Pros:** Forensically sound -- target disk is not mounted read-write | Raw format compatible with all forensic tools | Full bit-for-bit image including unallocated space
**Cons:** Does not work on T2 or Apple Silicon Macs (SSD is bound to the security chip) | Requires physical access and reboot of the target | FileVault encryption must be addressed separately
**Notes:** For T2-equipped Intel Macs and Apple Silicon, the internal SSD cannot be accessed via external boot due to hardware encryption. Use Target Disk Mode, Share Disk, or logical acquisition instead.
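Steps 5 and 6 of the procedure, written out as an added example that is not part of the guide: it uses plain dd instead of dc3dd so it runs on any forensic boot media, hashes the source device and the image independently, and appends both digests to the acquisition log. The function names and the log format are this example's own; it assumes sha256sum (Linux boot USB) or shasum (macOS) is available.

```shell
#!/bin/sh
# Added example (not from the guide): raw imaging with dd plus independent
# hash verification, for a Linux forensic boot USB (sha256sum) or macOS (shasum).
set -u

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# image_disk SRC IMG LOG: bit-for-bit copy of SRC (e.g. /dev/diskX) into IMG.
# conv=noerror,sync zero-fills an unreadable block instead of aborting, keeping
# later data at the right offsets. bs=512 equals the sector size, so the sync
# padding can never grow the image past the device size; a larger bs pads the
# final short read and the hashes will not match. That speed cost is why
# dc3dd, which hashes and logs in the same pass, is preferred on real jobs.
image_disk() {
  src=$1; img=$2; log=$3
  printf 'dd start %s src=%s img=%s\n' "$(date -u +%FT%TZ)" "$src" "$img" >>"$log"
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
}

# verify_image SRC IMG LOG: hash source and image separately, record both in
# the log, and return 0 only when the digests match (step 6 of the procedure).
verify_image() {
  src=$1; img=$2; log=$3
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$img")
  printf 'sha256 source=%s\nsha256 image=%s\n' "$src_hash" "$img_hash" >>"$log"
  if [ "$src_hash" = "$img_hash" ]; then
    printf 'verification: MATCH\n' >>"$log"
    return 0
  fi
  printf 'verification: MISMATCH\n' >>"$log"
  return 1
}

# acquire SRC IMG LOG: steps 5 and 6 in one call, e.g.
#   acquire /dev/diskX /evidence/mac.dd /evidence/acquisition.log
acquire() {
  image_disk "$1" "$2" "$3" && verify_image "$1" "$2" "$3"
}
```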

### Target Disk Mode (Intel Mac)

Use Target Disk Mode to present an Intel Mac's internal drive as an external disk to a forensic workstation connected via Thunderbolt or FireWire.

**Tools:** Target Disk Mode, FTK Imager, dd

**Prerequisites:**
- Intel-based Mac (any era)
- Thunderbolt or FireWire cable
- FileVault recovery key if encryption is enabled
- Forensic workstation (Mac or Linux with APFS support)

**Steps:**
1. Connect the target Mac to the forensic workstation via Thunderbolt/USB-C cable.
2. Power on or restart the target Mac while holding the T key.
3. The target disk appears as an external volume on the forensic workstation.
4. Image the disk using FTK Imager, dd, or your preferred imaging tool.
5. If FileVault is enabled, you will need the recovery key to unlock the volume.
6. Verify hashes upon completion.

**Pros:** Hardware-level disk access without booting the target OS | Works through Thunderbolt at high transfer speeds | No software installation on the target
**Cons:** Only available on Intel Macs (replaced by Share Disk on Apple Silicon) | T2-equipped Macs require the user password or recovery key for FileVault | Requires physical access and a Thunderbolt cable
**Notes:** Target Disk Mode is deprecated on Apple Silicon. For M1/M2/M3 Macs, use Share Disk mode via Apple Configurator 2 or macOS Recovery.

### Share Disk (Apple Silicon)

Apple Silicon Macs replace Target Disk Mode with Share Disk mode, reached through DFU mode or macOS Recovery, which presents the internal disk to another Mac.

**Tools:** Apple Configurator 2, USB-C cable

**Prerequisites:**
- Host Mac with Apple Configurator 2 installed
- USB-C cable (specific port requirements vary by model)
- FileVault recovery key or user credentials
- Physical access to the target Mac

**Steps:**
1. Connect the target Apple Silicon Mac to another Mac via USB-C.
2. Put the target Mac into DFU mode (power off, then hold power button with specific key combinations).
3. On the host Mac, open Apple Configurator 2.
4. The target appears as a DFU device -- use Advanced > Share Disk.
5. The target internal disk mounts on the host Mac.
6. Image the mounted volume using dd, dc3dd, or forensic imaging tools.
7. Unlock FileVault volume if prompted (requires credentials or recovery key).

**Pros:** Only way to get disk-level access on Apple Silicon Macs | Access through DFU mode bypasses the target OS entirely | USB-C connection provides reasonable transfer speeds
**Cons:** Requires another Mac running Apple Configurator 2 | FileVault credentials or recovery key required | DFU mode procedure can be finicky | APFS volume structure adds analysis complexity
**Notes:** Document the exact DFU entry procedure for each Mac model as it varies (M1 vs M2 vs M3). Apple Silicon uses hardware-bound encryption, making Share Disk the only viable physical acquisition path.

## Logical Acquisition

### SUMURI Recon ITR Logical Acquisition

SUMURI Recon ITR (Imaging, Triage, and Recovery) is a macOS-native forensic tool that performs logical acquisitions of Mac systems, including APFS volumes and FileVault-encrypted disks.

**Tools:** SUMURI Recon ITR

**Prerequisites:**
- SUMURI Recon ITR license
- Compatible Mac hardware for running the tool

**Steps:**
1. Install SUMURI Recon on a forensic Mac or bootable media.
2. Connect to the target Mac or boot the target from Recon media.
3. Select the target volumes for acquisition.
4. Choose output format (DMG, E01, or raw).
5. Start the logical acquisition.
6. Verify hashes upon completion.

**Pros:** Native macOS support including APFS and FileVault | Can boot as forensic environment on Intel Macs | Supports multiple output formats | Handles T2 and Apple Silicon through macOS-native APIs
**Cons:** Commercial license required | Logical only -- no access to unallocated space on APFS | Limited to Mac platform
**Notes:** SUMURI Recon is one of the few tools designed specifically for macOS forensic acquisition. It handles the unique challenges of APFS, T2, and Apple Silicon better than generic tools.

### Cellebrite Digital Collector (macOS)

Cellebrite Digital Collector performs targeted and full logical acquisitions of macOS systems with support for APFS, FileVault, and T2/Apple Silicon platforms.

**Tools:** Cellebrite Digital Collector

**Prerequisites:**
- Cellebrite Digital Collector license
- Compatible hardware
- FileVault credentials if encryption is enabled

**Steps:**
1. Install Cellebrite Digital Collector on the forensic workstation.
2. Connect the target Mac or run the collector on the target.
3. Select acquisition type and target volumes.
4. Authenticate if FileVault is enabled.
5. Start collection and monitor progress.
6. Verify and export collected evidence.

**Pros:** Enterprise-grade macOS forensic acquisition | Supports the latest macOS versions and hardware | Integrated with Cellebrite analysis ecosystem
**Cons:** Expensive commercial license | Requires Cellebrite ecosystem for full functionality
**Notes:** Cellebrite DC is the commercial standard for macOS acquisition in law enforcement. Consider SUMURI Recon as an alternative for organizations not in the Cellebrite ecosystem.

## Triage Acquisition

### AutoMacTC Triage Collection

AutoMacTC (Automated Mac Forensic Triage Collector) is a free tool that collects key forensic artifacts from macOS systems, including logs, user activity, persistence mechanisms, and system configuration.

**Tools:** AutoMacTC

**Prerequisites:**
- Root/sudo access on the target Mac
- Python available (built into macOS)
- Full Disk Access may need to be granted to Terminal

**Steps:**
1. Download AutoMacTC from GitHub.
2. Run with sudo: sudo python automactc.py -o /evidence/output -p
3. AutoMacTC collects: ASL/unified logs, browser history, user accounts, login items, cron jobs, LaunchAgents/Daemons, network history, and more.
4. Review the output directory structure.
5. Transfer collected artifacts for analysis.

**Pros:** Free and open-source | Comprehensive macOS-specific artifact collection | Modular design -- enable/disable specific collectors | CSV output for easy analysis and timeline building
**Cons:** Requires Python on the target (usually pre-installed on macOS) | May require Full Disk Access TCC permission on newer macOS | Must run on a live macOS system
**Notes:** AutoMacTC is the macOS equivalent of KAPE for triage collection. Grant Full Disk Access to Terminal.app before running to ensure complete artifact access on macOS Catalina and later.

### mac_apt (macOS Artifact Parsing Tool)

mac_apt is a forensic tool for processing macOS and iOS artifacts. It can work on live systems, disk images, or individual artifact files to extract and parse forensic data.

**Tools:** mac_apt

**Prerequisites:**
- Python 3 with required dependencies
- Root access for live system analysis

**Steps:**
1. Install mac_apt from GitHub.
2. For live acquisition: sudo python mac_apt.py LIVE /evidence/output
3. For disk image: python mac_apt.py MOUNTED /Volumes/target /evidence/output
4. Select artifact plugins to run.
5. Review parsed output in SQLite databases and CSV files.

**Pros:** Works on live systems, mounted images, and individual files | Extensive artifact parsing with 30+ plugins | Output in SQLite for structured querying | Free and open-source
**Cons:** Complex setup with multiple Python dependencies | Parsing-focused -- use alongside a collection tool
**Notes:** mac_apt excels at parsing collected artifacts. Use it in combination with AutoMacTC or manual collection for a complete workflow.

### Mac-Triage Collection Script

Mac-Triage is a lightweight shell-based triage collection script for macOS that gathers system logs, user artifacts, persistence mechanisms, and network configuration.

**Tools:** Mac-Triage, Bash

**Prerequisites:**
- Root/sudo access
- Bash shell (available on all macOS versions)

**Steps:**
1. Deploy the Mac-Triage script to the target system.
2. Run with sudo: sudo bash mac_triage.sh -o /evidence/output
3. The script collects: unified logs, user profiles, browser data, installed apps, network state, launch items.
4. Review and transfer the output directory.

**Pros:** No dependencies -- pure shell script | Lightweight and fast | Easy to customize and extend
**Cons:** Less comprehensive than AutoMacTC | Requires manual analysis of raw collected files | TCC restrictions may limit access on newer macOS
**Notes:** Good as a quick first-response tool when more sophisticated tools are not available. Customize the script for your environment.
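The Full Disk Access caveat raised in both the AutoMacTC and Mac-Triage notes, turned into an added pre-flight check (example code, not part of either tool): it tests whether the current shell can actually read a TCC-protected file before a collection is launched, so a run is refused rather than silently truncated. The TCC database path is the standard macOS location; the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not part of AutoMacTC or Mac-Triage): pre-flight Full Disk
# Access check. Without FDA, even a root shell on macOS 10.14+ gets
# "Operation not permitted" on TCC-protected paths, and a collector then
# writes silently incomplete output. Function names and codes are this
# example's own; the TCC database path is the standard macOS location.
set -u

# probe_path PATH: 0 = readable, 1 = present but read denied (TCC), 2 = absent.
# A real read (or directory listing) is forced, because stat() can succeed
# on a path that read() is then refused on.
probe_path() {
  if [ ! -e "$1" ]; then
    return 2
  fi
  if [ -d "$1" ]; then
    ls "$1" >/dev/null 2>&1 && return 0
  else
    dd if="$1" bs=1 count=1 >/dev/null 2>&1 && return 0
  fi
  return 1
}

# fda_preflight [PATH]: probe the system TCC database (readable only by a
# process granted Full Disk Access, root included). Returns 0 when granted,
# 1 when denied, 2 when the path does not exist (e.g. not running on macOS).
fda_preflight() {
  tcc_db=${1:-"/Library/Application Support/com.apple.TCC/TCC.db"}
  rc=0; probe_path "$tcc_db" || rc=$?
  case $rc in
    0) echo "FDA: granted ($tcc_db is readable)" ;;
    1) echo "FDA: DENIED - grant Full Disk Access to Terminal.app or the" \
            "MDM-managed agent, then rerun the collection" ;;
    *) echo "FDA: cannot evaluate - $tcc_db not found" ;;
  esac
  return $rc
}

# Gate a collection on the check, e.g.:
#   fda_preflight || exit 1
#   sudo bash mac_triage.sh -o /evidence/output
```

The same probe works for user-level TCC targets such as ~/Library/Mail, which is a directory and therefore exercises the listing branch.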

## Remote Acquisition

### AXIOM Cyber Remote Acquisition (macOS)

Magnet AXIOM Cyber supports remote acquisition of macOS endpoints, collecting targeted files, user artifacts, and system data over the network.

**Tools:** Magnet AXIOM Cyber

**Prerequisites:**
- AXIOM Cyber license
- SSH or MDM access to target Mac
- Admin credentials for the target system

**Steps:**
1. Launch AXIOM Cyber and create a case.
2. Select macOS remote acquisition.
3. Enter target Mac hostname/IP and credentials.
4. Deploy the AXIOM agent (requires SSH access or MDM).
5. Select artifacts to collect.
6. Monitor collection and process with AXIOM Examine.

**Pros:** Remote macOS acquisition without physical access | Integrated analysis with AXIOM Examine | Handles APFS and FileVault scenarios
**Cons:** Expensive commercial license | Requires network access and admin credentials | TCC restrictions may limit remote artifact access
**Notes:** For macOS remote acquisition, ensure the agent process has Full Disk Access. This may require MDM pre-configuration in enterprise environments.

### Velociraptor Remote Collection (macOS)

Deploy Velociraptor agents on macOS endpoints for remote forensic artifact collection, live response, and threat hunting.

**Tools:** Velociraptor

**Prerequisites:**
- Velociraptor server deployed
- macOS agents installed with appropriate TCC permissions
- Network connectivity between agents and server

**Steps:**
1. Deploy Velociraptor macOS agent to target endpoints.
2. Access the Velociraptor server console.
3. Navigate to the target client.
4. Launch macOS-specific artifact collections.
5. Monitor and download results.

**Pros:** Free and open-source | macOS-specific artifacts supported | Enterprise-scale deployment | Powerful VQL queries for custom collection
**Cons:** Agent requires Full Disk Access TCC permission | macOS security prompts may interfere with agent operation | Requires pre-deployed infrastructure
**Notes:** macOS TCC (Transparency, Consent, and Control) permissions are the biggest challenge for remote macOS forensics. Pre-configure Full Disk Access for the Velociraptor agent via MDM profiles.

## Cloud Acquisition

### iCloud Data Acquisition

Acquire iCloud-synced data including iCloud Drive, Photos, Messages, Notes, and other synced content through Apple account access or legal process.

**Tools:** Elcomsoft Phone Breaker, iCloud Web, Legal Process

**Prerequisites:**
- Apple ID credentials and 2FA access, OR
- Valid legal process for law enforcement, OR
- User consent for internal investigations

**Steps:**
1. Determine the scope of iCloud data needed.
2. For law enforcement: submit legal process to Apple for iCloud data.
3. For internal investigation with credentials: use Elcomsoft Phone Breaker to download iCloud backups and synced data.
4. For consent-based: access iCloud.com or System Preferences to export data.
5. Document the acquisition method and chain of custody.
6. Parse and analyze the acquired iCloud data.

**Pros:** Accesses data that may not exist on the local device | iCloud backups can contain data from multiple Apple devices | Historical data available through Apple legal process
**Cons:** Two-factor authentication complicates third-party tool access | Apple Advanced Data Protection may prevent Apple-side access | Legal process timelines can be lengthy | Scope depends on what the user has synced to iCloud
**Notes:** Apple Advanced Data Protection (ADP) enables end-to-end encryption for most iCloud data categories. If ADP is enabled, Apple cannot provide the encrypted data even with legal process. Check ADP status early in the investigation.

---
*Generated by DFIR Assist*