Apple MacBook Air M2 Image
Hey folks,
Been doing forensics forever on Windows boxes, but first time with a modern Mac (Apple silicon/T2 territory). Got the TX1 ready, but the SSD is that proprietary blade thing – not popping out easy.
How are you guys grabbing a solid physical bit-for-bit these days?
-Yank the drive anyway (pentalobe/spudger fun) and hit it with the TX1 + proper Apple PCIe adapter? Or is Target Disk Mode + Thunderbolt write-block + ddrescue/ewfacquire on a Linux rig still the move?
-If physical's basically dead or too risky, what do I actually need on my Windows forensic workstation for a clean live or dead acquisition? FTK Imager, AXIOM, EnCase, or something else?
-Any must-have drivers, bootable stuff, or T2 workarounds?
APFS/FileVault/SIP headaches I should watch for? Does the TX1 play nice with Apple SSDs out of the box or need special firmware/adapters?
Just trying to keep the chain of custody clean. Appreciate any real-world workflows.
Cheers