Mac forensic imaging
    Mac Forensics · Australia & New Zealand

    Mac Forensics,
    imaged the right way.

    We image Intel and Apple Silicon Macs, parse APFS and Unified Logs, recover deleted records and reconstruct user activity — with reports that hold up under cross-examination.

    Coverage
    Intel · Apple Silicon
    Method
    Target Disk · DFU · Live
    Reports
    Hash-verified, court-ready
    What We Examine

    Every artefact macOS records,
    on a single timeline.

    macOS leaves traces in dozens of places — APFS snapshots, Unified Logs, KnowledgeC, Spotlight metadata, Time Machine and iCloud sync. We work each one and reconcile them chronologically.

    Layer 01

    Forensic disk imaging

    Bit-for-bit acquisition of internal and external drives — write-blocked, hash-verified, defensible across Intel and Apple Silicon.

    Layer 02

    Live & memory capture

    RAM acquisition where supported — credentials, encryption keys and running processes that vanish on shutdown.

    Layer 03

    Deleted file recovery

    Carving and APFS snapshot analysis recover deleted documents, images and Mail records — even after Trash is emptied.

    Layer 04

    User-activity timeline

    Login records, KnowledgeC, Biome, Quick Look thumbnails and Recents reconstructed into a single chronology.

    Layer 05

    Mail & Messages

    Apple Mail, Outlook for Mac, iMessage and SMS forwarding analysed end-to-end with attachments and metadata.

    Layer 06

    iCloud & sync

    iCloud Drive, Photos, Continuity, Handoff and AirDrop traces — what was synced, downloaded or shared with which device.

    Mac Coverage

    Intel, Apple Silicon, server —
    all imaged in lab.

    Apple Silicon changed how Macs are imaged. We use the workflow appropriate to the chip, OS version and security state — and tell you upfront what's realistic.

    Intel 01

    Intel iMac, MBP, Mini

    Target Disk Mode and write-blocked imaging on Intel Macs — the strongest forensic class still available on Apple hardware.

    • Target Disk
    • T2
    • Write-block
    Apple Silicon 02

    M1, M2, M3, M4

    DFU-mode acquisition where supported, plus live imaging with the user's credentials under lawful authority.

    • DFU
    • M-series
    • Live
    macOS Server 03

    Server & multi-user

    Multi-user systems and macOS Server analysed — login records, file shares and Open Directory data preserved.

    • Server
    • Open Directory
    • Shares
    Encrypted 04

    FileVault & APFS encryption

    Lawful examination where credentials, recovery keys or institutional unlock paths are available.

    • FileVault
    • Recovery key
    • Lawful
    The Approach

    Apple-aware tooling,
    court-grade practice.

    Mac forensics has changed dramatically with T2 and Apple Silicon. We use validated, write-controlled workflows — Target Disk Mode, DFU acquisition and live imaging where required — never ad-hoc copies.

    Every step is documented. Every file is hashed. The output is an exhibit pack a magistrate, judge or arbitrator can rely on.

    Storage

    APFS · HFS+

    Chips

    Intel · M1 → M4

    Encryption

    FileVault · T2

    Reports

    Hash-verified

    The Process

    Calm, methodical,
    court-grade from intake.

    Step 01

    Intake & scoping

    Confidential brief, lawful authority confirmed, model and macOS version checked, fixed-fee quote provided.

    Step 02

    Forensic acquisition

    Target Disk, DFU or live imaging in our lab. Hashes captured. Chain of custody opened.

    Step 03

    Analysis & reconstruction

    APFS, Unified Logs, KnowledgeC and Time Machine parsed; deleted records carved; timeline reconciled.

    Step 04

    Court-ready report

    Plain-English findings with annotated exhibits. Expert testimony available where required.

    Frequently Asked

    Mac forensics, plainly explained.

    Request A Consultation

    Send A Brief.
    We'll Take It From There.

    Every enquiry is read by a licensed investigator and treated in strict confidence.

    Step 01

    You send a brief

    A short note about your matter — no detail required upfront.

    Step 02

    We reply within one business day

    From a licensed investigator, not a chatbot or call centre.

    Step 03

    If we're the right fit, we book a call

    Confidential. No obligation. Fixed-fee quote where possible.

    Confidential. Read by a licensed investigator. No call centres, no chatbots.