Live Forensics and High Sierra (Apple OSX High Sierra and SIP)

Feb 13, 2018

Starting with the most recent release of OSX (High Sierra), Apple has elected to apply additional restrictions to applications through System Integrity Protection (SIP).

Condensed to its most simple terms, these new changes mean SIP prevents applications from accessing the boot disk (rdisk0).

This means F-Response, even with root/admin level permissions, is unable to read from the root disk. Therefore we cannot provide live forensics or live disk access to remote High Sierra systems by default.

There is a workaround, however it requires the end user reboot the Apple hardware and disable SIP protections. The exact steps are as follows:

  1. Reboot the system and hold down the Command+R keys when you hear the start-up chime, this will put the operating system in recovery mode.

  2. Once in recovery mode, open a terminal window from the utilities drop down menu.

  3. In the terminal window type: csrutil disable

  4. Press enter and you will see a message saying System Integrity Protection has been disabled.

  5. Restart the machine using the menu restart option or by entering: restart.

To re-enable SIP you have to repeat the above process and replace csrutil disable with csrutil enable.

While inconvenient, it appears these recent security changes to Apple OSX are here to stay.

Warmest Regards,

Matthew Shannon, Managing Principal
F-Response