Apple OSX and Full Disk Access
Mar 13, 2024
We get emails and requests from time to time surrounding collection of Apple OSX machines, what works, and what doesn't. In fact, we put together a blog post on the topic and have linked it below. Sadly, the long and short of it is as follows:
The days of doing full disk imaging/collection are going away if not already gone completely.
How did we get here?
It all started back in the High Sierra days. Apple decided to restrict even the root/admin user's ability to read from the raw root disk. For those who have done full disk imaging on an Apple device before, you know the drill: you make your image of /dev/rdisk0.
Except starting with High Sierra you'd get a permission denied error. In fact, even if you executed the same commands as root/admin you'd get the same thing. The only way around it was to disable System Integrity Protection (SIP). This required you to be at the physical machine and reboot it twice: once into the recovery environment, where you'd run a command, then back into the main operating system. (More on this here.)
As you can imagine, this didn't go over well for remote forensics.
Listen, we get it. Apple is looking out for their customers and our use cases are remarkably niche.
So what did we do? We offered to help you collect files and folders from the Apple machine (though this collection is subject to whatever controls and permissions the operating system applies). Check out our Agentless Mission Guide for more information. Still, it worked, right up until it didn't.
Now if you try to copy files and folder contents off an Apple OSX machine using Agentless, or just SSH/SFTP, you may find you don't have access to Documents, Desktop, and Downloads.
Yes, there's another step.
We've outlined it below, but the long and short of it is as follows:
You have to enable Remote Login and enable Full Disk Access (1).
Full Disk Access does not mean what you think it means. It just means you have access to Documents, Downloads, and Desktop. I know, it's super confusing from a forensics perspective. I'm sorry.
Enable Remote Login with Full Disk Access by going to Preferences->Sharing->Remote Login, sliding the toggle, then clicking the little "i" next to it. This will open an additional dialog. You need to check "Allow full disk access for remote users".
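Before kicking off a remote collection it helps to know which of the two walls described above you are going to hit. The following preflight script is an added example, not part of the original post or of the Agentless product: run it over the SSH session you just enabled and it reports whether the three folders that "Allow full disk access for remote users" actually unlocks (Documents, Desktop, Downloads) are listable, whether SIP is on, and whether the raw root device /dev/rdisk0 can be read at all. The device name comes from the post; the "System Integrity Protection status: enabled." line that the SIP check parses is the documented csrutil output and is assumed here. Everything is read-only, and it reads at most one 512-byte block from the device.

```shell
#!/bin/sh
# Added example (not from the original post): read-only preflight check for a
# macOS host, meant to be run over SSH before attempting a file collection.

# Return 0 if the current user can list the given directory, 1 otherwise.
# On macOS a TCC-protected folder shows up here as "Operation not permitted".
dir_readable() {
    ls "$1" >/dev/null 2>&1
}

# Interpret `csrutil status` output. Returns 0 when SIP is enabled.
# Assumes the documented "System Integrity Protection status: enabled." wording.
sip_enabled_from_status() {
    case "$1" in
        *"status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check each named folder under $1. Prints "name:ok" or "name:denied" per
# folder and returns the count of folders that could not be listed (0 = all ok).
check_protected_folders() {
    base="$1"; shift
    missing=0
    for name in "$@"; do
        if dir_readable "$base/$name"; then
            echo "$name:ok"
        else
            echo "$name:denied"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Return 0 if one block of the raw device can be read, 1 otherwise.
# With SIP enabled this is the "Permission denied" case from the post.
raw_disk_readable() {
    dd if="$1" of=/dev/null bs=512 count=1 >/dev/null 2>&1
}

preflight() {
    echo "== protected folders under $HOME =="
    check_protected_folders "$HOME" Documents Desktop Downloads && denied=0 || denied=$?
    echo "folders denied: $denied"
    if command -v csrutil >/dev/null 2>&1; then
        status=$(csrutil status 2>/dev/null)
        if sip_enabled_from_status "$status"; then
            echo "SIP: enabled (raw device imaging expected to fail)"
        else
            echo "SIP: disabled"
        fi
    else
        echo "SIP: csrutil not found (not a macOS host?)"
    fi
    if raw_disk_readable /dev/rdisk0; then
        echo "/dev/rdisk0: readable"
    else
        echo "/dev/rdisk0: not readable"
    fi
    return 0
}

# Run the report unless the script is being sourced for testing.
[ "${PREFLIGHT_NO_RUN:-}" = "1" ] || preflight
```

If the folder check reports "denied" for any of the three, go back to the Remote Login "i" dialog and confirm the checkbox is ticked; if SIP reports enabled, expect the raw device read to fail and plan on a file-level collection instead of an image.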
We hope this helps when dealing with Apple systems in the future, at least until it doesn't!
Warmest Regards,
M Shannon