Overview
This article discusses how to configure Enterprise 7.3 or later to collect from the macOS Managed Agent.
Prerequisites
- A working Forensic Tools environment with Enterprise, Quin-C, and QView installed on the same machine
- Enterprise and Quin-C configured to use internal authentication, not Active Directory authentication
- An installed macOS Managed Agent
- The target added as a Mac to the Agent List in Enterprise
- Ability for the Examiner machine to see the macOS target over the desired port
- Confirm the "QuincServerUrl" key in both FTKPlus.exe.config and JobMonitor.exe.config is correct.
C:\Program Files\AccessData\Forensic Tools\<version>\bin\FTKPlus\JobMonitor.exe.config
C:\Program Files\AccessData\Forensic Tools\<version>\bin\FTKPlus\FTKPlus.exe.config
Procedure
- In your desired case, go to Evidence > Add Remote Mac Data...
- At the Mac Agent Collection dialog, select the desired target and click Connect to Agent
- Click the gear icon in the upper-right corner
- At the Disk Image Path dialog, specify a network share that both the Examiner machine and macOS target can see, and an account with full access to that share, and click OK
- Proceed to select the folders, files, or volume you wish to collect/image
- Click the Review button to verify what you wish to collect, and start the collection