MacQuisition 2019 R1.2 and newer can create a physical decrypted image of a Mac with a T2 chip in 5 steps.
NOTE: Apple explains more about the T2 security chip here. T2 chip encryption (hardware) is separate from FileVault encryption (software). You do NOT need the user's password for MacQuisition to decrypt T2 chip encryption. However, if FileVault (FV) encryption is turned on, you DO need either the FV password or the FV recovery key for MacQuisition to decrypt the FV-encrypted data.
STEP 1: Handle secure boot settings
When a Mac with a T2 chip is sold by Apple, the secure boot settings 'Full Security' and 'Disallow booting from external media' are enabled by default. This prevents an examiner from booting to external media such as MacQuisition. It is possible to change the secure boot settings by following the instructions below and entering an admin password. If you do not have the password for an admin user account, you can use the workaround in this article: Imaging a Mac via Target Disk Mode.
*IMPORTANT*: The most forensically sound method is to not change the security settings and instead use the Target Disk Mode workaround. If you choose to change the secure boot setting and later want to change it back from 'No Security' to 'Full Security', Apple requires an internet connection.
Secure Boot settings are available in the Startup Security Utility:
- Turn on the Mac, then immediately press and hold Command (⌘)+R to start up from macOS Recovery.
- When you see the macOS Utilities window, choose Utilities > 'Startup Security Utility' from the menu bar.
- When you're asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.
In order to boot to MacQuisition or other external media, the secure boot settings need to be changed to 'No Security' and 'Allow booting from external media'.
