26. Stability & Bugs Continued...

 

Suspect Machine Firmware Update Anyone ?

 

So this is an interesting one: when I booted MQ for the first time, using the 2019/R1.2 version from the dongle (on the 2019 MacBook Pro), I was presented with the "no entry" sign.

 

Then, after a short pause, the machine booted itself into the recovery partition on the suspect drive. Not good, as this is not write protected.

 

I was then asked if I wanted to install a firmware update, as that is needed to boot the MQ dongle - or so I am told (see the second picture below).

 

This is Apple code telling me this, but unless you are familiar with what is happening here, there is nothing to tell you that is the case - you could easily think it is MQ giving you this information.

 

So I thought I would go along with it - we are in a test environment - and it asks for the Wi-Fi password so that it can connect to Apple's servers and download the required update.

 

This download/update takes place (around 20 minutes or so), the machine reboots and sadly we have achieved nothing - MQ still does not boot from the dongle.

 

Let's look at this on-screen so you can avoid this trap!

 

Toto, we are not in Kansas anymore:

 

If you see this box pop up, you are no longer in MQ - and you will likely change files on the suspect machine's hard drive if you go along with this! So don't do it.

 

 

It goes without saying that this is another Gotcha! that really needs to go in an MQ manual update.

 

Well, that's the comedy over for now, back to the review...

 

Only kidding, I have another one for you;

 

 

Whilst minding my own business in MQ and trying not to click on anything that caused a crash, or pull any funny faces (Macs have cameras, you know...) - this little beauty popped up to spoil my fun when I was connecting a destination disk during one of the tests for the review.

 

My disk was fine and all was well after a reboot.

 

That is really it now, I don't have anything else, always fun looking at that sort of thing!

 

27. Features Not Tested:

 

Unfortunately I was unable to test every single feature of MQ, so I can't point out any potential Gotchas relating to, or offer my experience with, the following;

 

a) Fusion disks

b) Core Storage

c) RAID Arrays

d) Physical image of T2 Machine

e) Functionality with OS X earlier than High Sierra

 

Please remember this is a hobby website, so my time and funds are limited!

 

28. Updates and Bug Fixes:
 
As we have seen, BB don't seem to update MQ that often, which for me as a prospective customer is a bit of a deal breaker. The baked-in filters that let you select a specific application's data files don't seem to have been updated in a very long time.
 
In comparison to other vendors who are constantly updating their products as the landscape changes (such as Yuri over at Belkasoft, Amber at Paraben, Greg at GetData - the list goes on and on - and even the ailing EnCase, where we have seen 8.09 and 8.10 in rapid succession!), this is a poor show from BB.
 
I think we have a classic case of something that sounded like a good idea at the time in the development meeting - but exactly how much work (and cost) was involved in keeping this a usable feature for non-Apple programs was underestimated.
 
Hopefully the buyout by Cellebrite will give BB extra resources so that these features can be revitalised and turned back into true killer features.
 
Always Look on the Bright Side of Life:
 
I hear on the grapevine that a new version of MQ is in the works, so maybe they will address some of the things I found problematic in this review.
 
29. Support and Warranty:
 
I had a look at the support website; it seems the usual run-of-the-mill fare. It's nice to see a knowledge base where other customers have had problems and their tickets are made public.
 
No login is required, which is also nice, so it is easy to Google problems and see pages that may have answers to problems you have!

If you want to take a look for yourself then look here - if you are an MQ user with issues then take a look here at the troubleshooting guide!
 
I can't comment any further on the level of support received or any warranty issues.
 
30. Long Term Review Updates:
 
Sadly I also can't comment on the long term, as I only had the dongle for two short weekends for testing.
 
UPDATE: 12-FEB-2020
 
Well I have to say I am impressed with Black Bag - even though I have not heard a peep out of them.
 
They have decided to change their marketing material and have now revealed what works and what does not work on the product purchase page. Take a look here to read it in full (scroll down to the bottom), but some extracts follow;
 
Here we have the compatibility list (first image) and then some more details on data acquisition via Live Data Acquisition.
 
So just in case I was not clear - THANK YOU - for clearing this up.

 

MQ Compatibility List

 

31. Alternative Products:
 
So this is where you can make your choice, by seeing what else is available;
 
There are few products that compete with MQ, so your choice is limited to Sumuri Recon Imager (review here) and Evimetry Imager (I have not tried this one so can't comment - Evimetry, send me a licence and I'll review it!). I'm sure there are others, but these are the dedicated imaging tools that come to mind!
 
You can also try some Linux forensic boot disks, but be careful and don't just try them in the wild without doing some testing first! They won't work with contemporary Apple machines, but for the legacy clunkers (pre-T2) you should get somewhere.
 
Recon Imager (Now Recon ITR):
 
I've reviewed this here, before it became ITR - it worked well for me in testing, but it was not tested anywhere near as hard as MQ was.
 
RI can do everything MQ does, with the following exceptions that I noticed and we discussed in part previously;
 
a) Synthesised Physical Images
b) APFS File Queue capture
c) Mislabelled APFS Snapshot capture (hen's teeth)
 
Notably, RI does not boot you into the suspect machine's operating system if you choose the wrong version for the suspect machine.
 
Nor does it crash when you click things in menus. *chortle*
 

Check Sumuri's product page.

 

Update: Sumuri have recently released Recon ITR, which is a merger of their Recon Imager Pro product and their Recon Triage (the one that lets you triage a Mac before you image it). This retails at £908/$1199/€1080.

 

Want to know the kicker? It also includes a write blocker (the same as SB, which is an additional purchase for MQ). Now if that is not going to change the marketplace, I don't know what will! Review coming soon, subscribe to be notified!

 

32. The Verdict & Score:

 

I thought MQ was going to be the absolute bees-knees when it came to imaging Apple computers, with the promise of Physical Images (with unallocated space) and APFS Queue files being the headline must-have features. I was excited!

 

It's all a bit Plug and Pray:

 

What I found in testing is that MQ has been almost completely crippled by the recent updates to Apple's hardware and operating systems and, to my eyes, has been left to fade into a shadow of its former self due to lack of updates.

 

BB market this product to prospective customers (not all of whom have zen-like knowledge of the Apple product lineup) - the marketing hook stating "Image over 185 Apple machines" sounds mighty impressive to your average investigator. Being as polite as possible, they are simply not telling you the real-world capabilities of the product on contemporary machines.

 

When you also consider that the "logical data/artefact collection" feature did not perform well for non-Apple applications (such as Microsoft Office 365), it paints a very dim picture of something that once was, in my opinion, the pinnacle of Mac imaging. Perhaps this was down to lack of compatibility with my Mojave operating system on the test machine - but all I can say is it did not perform well for me.

 

Can't Boot - Won't Boot:

 

When you note that most T2 machines from 2019 onwards simply won't boot from the MQ dongle anymore, and anything running Catalina 10.15 or later won't let you do a full loose file collection from the booted suspect machine or a live disk image of the machine, that's three major features that don't work as intended anymore.

 

These late-model machines are what I am seeing now in my investigations; most corporates ditch anything older than 3 years (for tax write-downs and reliability reasons), so the days of seeing anything pre-2018 (which you can boot from with the current MQ dongle) are rapidly diminishing.

 

The only way forward now to image contemporary machines is to purchase another Apple laptop that you can take out into the field so that you can connect them together via a cable and do Target Disk Mode acquisitions.

 

Don't forget your Softblock if you need write protection of that TDM suspect machine!

 

Walking on Eggshells:

 

We then have the stability issues that I observed in such simple things as dialogue boxes. Sure, some of this may be Apple's code, but some isn't - I've never seen anything like this before in a released-to-market "forensic" product.

 

Hopefully someone senior within Cellebrite will read this review and use this information for the reason it has been put here - to improve the purchasing/usage experience for everybody - and make some changes to the marketing material.

 

It is not a bad product, it just has some silly peripheral issues.

 

Be Up Front:

 

Just being a little more upfront about the latest Apple-imposed limitations would be a good start - I know it is not your fault, BB - these are Apple's restrictions, not yours. A simple table in the back of the manual detailing what is and what is not going to work on any given machine is all that is required to remedy this.

 

The Elephant in the Room:

 

So this leads us back to the elephant in the room, these "Physical Images".

 

You have to ask yourself how many cases you have worked that involved evidence in unallocated space or the APFS file queue. If your answer is "lots", or you are in law enforcement where you absolutely must examine those areas on every case, then you need MQ.

 

However, on the flip side of the coin, if you never carve unallocated space and your workflow only requires you to pull live or deleted recoverable files from within the custodian computer's file system (documents/emails etc.), then you will be paying for features that you will never use.

 

Ultimately the decision of what you buy is up to you; doing your homework and getting a free trial is the way to go, so look up Tom Oldroyd at BB Sales and have a chat with him.

 

Would I Buy It?

 

Well, after spending a *long time* testing this product, I can say hand on heart that this one is not for me. If they improved the Data Collection detection of non-Apple programs then yes, I would be more interested, but even then the cost would, at least for me, be prohibitive.

 

Would I Review a New Version?

 

The door is open for Cellebrite to submit the next version of MQ to CFRO for long-term review.

 

Who knows, they may pull Super Vendor status and a CFRO Sizzler award out of the bag next time - nobody knows!

 

If I hear anything from BB about the new version, I'll update this review and let all you subscribers know via the newsletter!

 

Thanks!

 

I've really enjoyed writing this review; although MQ has some issues they need to sort out, I enjoyed working with it and recording my findings.

 

It's fair to say that I will never be caught out by an Apple machine in the near future - well, until Apple make more workflow-breaking changes!

 

Thank you for all of your support and kind messages - I enjoy reading them and reply to every one of them when time allows.

 

Scoring & Awards:

Category              Rating
Installation          N/A
Ease of Use           Average
Features              Good
Stability             Average
Updates               Very Poor
Value for Money       Poor
Licencing Fairness    Excellent
Documentation         Poor
Support & Warranty    Not Tested
 
Overall Score:  6.5 out of 10
 
Special Awards:
 
Super Vendor - No
CFRO Sizzler - No
 
 

Summing Up:

 

"MQ is a unique tool; admirable reverse engineering and significant modification of the Apple boot environment have allowed Black Bag to deliver synthesised Physical images and capture data which no other tool can produce. However, you must decide if you really need that data in your production environment!"

 

"Once-strong documentation has not aged well and now leaves the examiner stranded and scratching their head in certain scenarios - urgent, long overdue updates to the user manual are required to rectify this."

 

"A clean user interface and segregated tools allow RAM or disk imaging to be carried out with minimal fuss; the activity log window provides constant visual feedback of task progress."

 

"Infrequent program updates seem to have eroded the capabilities of the Data Collection (loose files) functionality; ubiquitous programs such as Microsoft Outlook and many others were not detected during my testing, requiring manual intervention to collect the required files."

 

"Whilst MQ can easily copy disk, RAM and logical data from your suspect machines, you must be fully aware of the limitations on these functions before you make a purchase, and the extra equipment you may need as a result. My advice is to speak to BB and get a free trial - so you can test MQ in your environment to make sure it meets your needs and avoid any nasty surprises."

 

 

"Let's hope they iron out the issues, radically increase the update frequency, get a handle on the documentation and make MQ great again!"

 

UPDATE 8th Feb 2020:

 

BlackBag reposted a webinar on LinkedIn, which is a positive reaction to this review! It is nice to know that CFRO has an impact on vendors!

 

Check it out below:

 

 

(c) 2024 CFRO - Not to be copied or reproduced without written permission.