macOS is notoriously hard to work with when it comes to forensics. Things that are simple and routine for a Windows investigation become laborious and confusing in the Mac world. The introduction of APFS, the Secure Enclave, and proprietary processors has made navigating Mac forensics with a Windows machine almost impossible. With a Windows-based tool, you may be able to get a basic look at data, but you’ll always be missing key details that can only be accessed by a Mac.
That’s why here at SUMURI we always say: use a Mac to examine a Mac. That mentality is why we took a different approach from every other tool on the market and built our analysis and acquisition tools, RECON LAB and RECON ITR, from the ground up on macOS. If you are using any other approach to analyze macOS systems, you will always be missing data.
RECON LAB and RECON ITR are designed with a simple philosophy in mind: work with the Mac, not against it.
macOS is a very secure and proprietary operating system, and that makes it very hard to work with outside of its native environment. On the other hand, macOS and APFS can easily work with other operating systems and file systems, either natively or with the help of simple third-party utilities. We use the native capabilities to preserve metadata in a way that no one else can and the third-party utilities to make sure we have total support for every other platform.
People don’t normally think of macOS as a platform to do forensics on, but that couldn’t be further from the truth. RECON LAB is a powerful tool that has features that are only possible on macOS. We use native libraries and utilities that are able to parse and interpret data in a way that simply isn’t possible with other operating systems.
RECON LAB is built for macOS, but it isn’t limited to macOS. RECON LAB is able to take all the processing power of Apple hardware and macOS to examine Windows, Linux, iOS, and Android devices. macOS offers hardware and software capabilities that make it an amazing platform for forensics. Start using macOS to its fullest potential today by adding RECON LAB to your forensic toolkit.