Sumuri, a Camden-based company known for Mac Forensics, developed a method to forensically capture data from Macs with T2 Security Chipsets without the need for decryption or a user’s login credentials.
Sumuri’s method for data extraction does not violate the integrity of Apple’s T2 Security Chipset. These new features will be released within a few days with the Version 4 update of their Recon Imager software.
The T2 Security Chipset was borrowed from iOS devices. It serves many functions; however, the one that troubles forensic examiners the most is that it encrypts data at rest. This means that the files and folders contained within the internal drive of a Mac are always encrypted. For example, if it were possible to remove the internal Solid State Disk of a Mac with a T2 Chipset in an attempt to create a forensic image or copy of files, no usable data could be taken.
Recon Imager (Version 4) is able to acquire all of the data, including all the files, the Apple Extended Metadata and the local Time Machine snapshots. Recon Imager V.4 does not need to use hacks or reverse-engineered solutions that decrypt the data. Recon Imager V.4 can still acquire all the data logically, which will save space on examiners’ collection drives. A smaller forensic acquisition saves money and time.
Additionally, Sumuri has developed a method to locate and present local Time Machine snapshots to the examiner in seconds. The examiner then has the ability to choose individual snapshots, specific to a date and time, or all of the snapshots to image.
Recon Imager V.4 additionally follows traditionally accepted forensic protocols as it is able to hash the source and the output.
For more, visit sumuri.com.