Hello Reader,
Dealing with T2 Chips on recent model Macbooks has been a real pain point for us in the lab so I was very, very happy to read that Blackbag (thanks Joe and Vico!) have figured out how to transparently decrypt the physical blocks of a drive being managed by a T2 chip at imaging time. Now the important to understand is that this decryption is being done at Image time, meaning Macquisition is not extracting the keys for later use. Instead Blackbag has found a way to get the T2 chip to return decrypted blocks rather than just files.
This is a big step forward as all of the other solutions I'm aware of (including the previous version of Macquistion) where stuck just doing file system images (logical images) of APFS drives with T2 chips. Now with this feature you can get all the data including APFS snapshots and possibly deleted data as well.
You can read more here:
https://www.blackbagtech.com/blog/2019/03/11/macquisition-will-decrypt-physical-images-macs-t2-chip/
Dealing with T2 Chips on recent model Macbooks has been a real pain point for us in the lab so I was very, very happy to read that Blackbag (thanks Joe and Vico!) have figured out how to transparently decrypt the physical blocks of a drive being managed by a T2 chip at imaging time. Now the important to understand is that this decryption is being done at Image time, meaning Macquisition is not extracting the keys for later use. Instead Blackbag has found a way to get the T2 chip to return decrypted blocks rather than just files.
This is a big step forward as all of the other solutions I'm aware of (including the previous version of Macquistion) where stuck just doing file system images (logical images) of APFS drives with T2 chips. Now with this feature you can get all the data including APFS snapshots and possibly deleted data as well.
You can read more here:
https://www.blackbagtech.com/blog/2019/03/11/macquisition-will-decrypt-physical-images-macs-t2-chip/
Also Read: Daily Blog #643
Post a Comment