F-Response and Apple, 2024 Edition

Jan 08, 2024

It's been a few years since we broke down the complete situation with remote data collection and Apple computers. I figured now was a good time to do that again.


TL;DR: It hasn't gotten easier. Forensic disk imaging is pretty much out. File and folder remote data collection is still available.

Apple's security posture remains largely the same. There are no good options for performing remote full disk forensic images. Sadly, that remains unchanged. You still have to disable SIP, and you have to deal with any cryptography that may have been engaged. Neither of these tasks can be readily performed remotely, which means performing live forensics or making a forensic image of a remote Apple computer without being able to physically touch it is all but impossible.

That doesn't mean you can't get file and folder content, though.

F-Response Consultant, Consultant + Covert, Enterprise, and Universal all provide "agentless" access to remote Apple computers. This is basically an SFTP-based file and folder copy mechanism that lets you collect select content from the remote Apple machine, provided you can connect to it directly.

In fact, we have a mission guide that walks you through that process here:

Collecting from an SFTP Share (Apple/Linux/etc)

Also, F-Response Collect allows you to create Apple collections of file and folder content and does not require a direct connection.

Using F-Response Collect with Apple OSX

Hopefully this helps. If you have more questions, don't hesitate to contact us.

Thanks!

Warmest Regards,

M Shannon