Overview

This article discusses how to configure Enterprise 7.3 or later to collect from the macOS Managed Agent.

 

Prerequisites

  • A working Forensic Tools environment with Enterprise, Quin-C, and QView installed on the same machine
  • Enterprise and Quin-C configured to use internal authentication, not Active Directory authentication
  • An installed macOS Managed Agent
  • The target added as a Mac to the Agent List in Enterprise
  • Ability for the Examiner machine to see the macOS target over the desired port
  • Confirm the "QuincServerUrl" key in both FTKPlus.exe.config and JobMonitor.exe.config is correct.


    C:\Program Files\AccessData\Forensic Tools\<version>\bin\FTKPlus\JobMonitor.exe.config


    C:\Program Files\AccessData\Forensic Tools\<version>\bin\FTKPlus\FTKPlus.exe.config 

     

 

Procedure

  1. In your desired case, go to Evidence > Add Remote Mac Data... 
  2. At the Mac Agent Collection dialog, select the desired target and click Connect to Agent
    https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/69009875829/original/mceclip0.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS6FNSMY2XLZULJPI%2F20210926%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210926T164114Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=6a7f33f80e675cb973b6dec9f6b70f44be46f0b03661a3326028e680bf1aab0b
  3. Click the gear icon in the upper-right corner
    https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/69009875830/original/mceclip1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS6FNSMY2XLZULJPI%2F20210926%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210926T164114Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=6e1358f1ed2844f18b7fc5df803abcf1928d8ff72fe2de4220569740b8e194ab
  4. At the Disk Image Path dialog, specify a network share that both the Examiner machine and macOS target can see, and an account with full access to that share, and click OK
    https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/69009875831/original/mceclip2.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS6FNSMY2XLZULJPI%2F20210926%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210926T164114Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=917fdf40bb64c13452924e09861f2947281b9cbd0596030e2c327eaf24996d03
  5. Proceed to select the folders, files, or volume you wish to collect/image
  6. Click the Review button to verify what you wish to collect, and start the collection