1 · What it is — and what it isn't
Spectra MacCollect performs documented live triage and logical acquisition on a running Mac.
It takes a read-only, point-in-time snapshot of the subject's data, copies it into a logical image, optionally collects high-value artifacts for triage, and seals the whole result so any later change is detectable. Its value is the record it leaves behind: a complete, hashed, self-verifying evidence set, with an honest account of what it could and could not capture.
It is deliberately not a physical, bit-for-bit image of the subject's storage. On modern Macs — particularly Apple Silicon and FileVault-encrypted systems — a traditional physical image of the internal drive is frequently unobtainable. Spectra MacCollect does not claim to produce one, and it does not recover unallocated space, deleted-but-not-overwritten data, or drive slack. It is a logical capture of live, accessible data.
2 · Before you begin
Have the following ready:
- A licensed Spectra evidence drive (see the next section), connected to the subject Mac.
- Administrator access on the collecting account, and the admin password.
- Full Disk Access granted to this copy of the app (the tool guides you through this).
- Stable power — collections can run for hours. Keep the Mac awake and the lid open.
- Proper authorization to image the computer. You will attest to this before the run.
3 · The licensed drive
Spectra MacCollect runs from an external drive with two partitions:
- MacCollect (APFS) — holds the signed application and your license file. Running from an APFS volume preserves the executable bits the app needs.
- EVIDENCE (exFAT) — receives the output. During setup the tool creates an EVIDENCE folder here containing the SparseImage, Collection Log, and Triage sub-folders.
Launch the app from the MacCollect volume. The license travels with the drive, so it activates automatically on later launches.
4 · License activation (first launch)
The first time the app runs on a drive, it shows the activation screen. After that it re-checks the saved license automatically and skips straight ahead.
- The Licensing drive serial is detected from the drive the app runs on. Auto-detect is best-effort — if it's blank or wrong, type or paste the exact serial your license was issued against. Use Detect this drive to re-read it.
- Select Import license file… and choose your .licfile. The app verifies its signature offline against the bundled public key.
- A valid license shows the licensee and expiry in green. Select Activate & continue.
- Start evaluation runs in evaluation mode — collections are still fully sealed and carry a disclosed Eval marker under the seal chain.
5 · Drive readiness (one-time)
Right after first activation, a one-time readiness check confirms the three things that matter most before a run.
- License activated & installed — a valid license is saved on the drive.
- Licensing drive read / write — an informational write test on the drive.
- Full Disk Access — required so the helper that writes the image can reach protected stores and external volumes.
If Full Disk Access isn't granted, use Open Full Disk Access, grant it to this app copy, fully quit and relaunch, then Re-check. Once passed on a licensed drive, this screen is skipped on future launches.
6 · Starting a collection — the gate
Each run opens at the gate.
- Enter the computer's administrator password. It is used only to perform this collection and is never stored or written to any log.
- Confirm the Authorization to collect attestation — that you have proper authorization to image this computer.
- Select Proceed. The active license serial and expiry are shown for the record.
7 · Best-practices checklist
A short pre-flight checklist, headed by a live Full Disk Access status banner.
The banner is green when Full Disk Access is detected and red when it isn't; Continue is unavailable until it's granted. Review the best-practice items — power, closing other apps, destination space and health, keeping the Mac awake, post-imaging eject/verify, and backups — then select I'm Ready — Continue.
8 · Choosing a collection mode
- Imager — logical image only.
- Triage — artifact collection only, no image.
- Triage & Imager — both: the logical image plus artifact triage.
Data Presets lets you save and reuse artifact selections for triage runs.
9 · Case setup & options
Setup is a guided, scrolling set of cards. Fields and options vary by the mode you chose.
Case information
Examiner, case / matter number, collection number, examiner title, collection location, client, and primary contact. Required fields are marked; optional fields are simply omitted from the record when blank.
Evidence destination
Choose the destination on your evidence drive. The tool creates its EVIDENCE folder (SparseImage / Collection Log / Triage) there. You can also set the unified-log window (how far back system logs are collected).
Sparse image / E01 encryption
- Conversion to E01 Image is on by default. Turn it off to skip the conversion (and its extra time) and produce only the sparse bundle.
- Encrypt the sparse image (AES-256) optionally encrypts the sparse bundle at rest with a passphrase you set.
- E01 encryption is disabled in this version; when sparse-image encryption is on, the encrypted-at-rest copy is the .sparsebundle.
Collection profile & artifacts (triage modes)
For triage and combined modes, pick a collection profile or a custom selection, then confirm the artifact modules to collect. The screen shows how many of the available modules are selected and what each one captures. When everything is set, select Begin Collection.
10 · Running the collection
The progress screen shows exactly where the collection is, with a live elapsed timer.
Sequential phase bars track Pre-check of device, Imaging, Triage, Collection close-out, and Convert to E01 (the last appears only when E01 conversion is on). A completed phase fills green; the active phase shows its own progress and elapsed time.
The live collection log streams every action as it happens; derivation and cleanup logs are written alongside it, and the whole set is SHA-256 hashed.
11 · The sealed evidence set
When the run completes, the EVIDENCE folder holds an organized, sealed set:
- SparseImage — the logical image (.sparsebundle), optionally AES-256 encrypted.
- E01 — an EnCase E01 derivative (when conversion is on). Both the sparse bundle and the E01 are kept.
- Collection Log — the acquisition log, a full transcript, and a structured action log, recording every step, command, exit code, and duration, plus the tool's own hash, the subject system identity and clocks, the macOS version, and storage details.
- Triage — for each collected artifact category, a hashed raw archive plus parsed, human-readable output, and a triage manifest.
- An integrity manifest over the whole set, rooted by a terminal anchor seal.
12 · Verifying a collection
A sealed set can be checked by anyone, independently, with standard tools — no Spectra software required:
- Recompute the seal anchors and confirm they match the values recorded at collection time.
- Verify every sealed file against the integrity manifest:
shasum -a 256 -c <manifest>
- Confirm the triage manifest reports every collected artifact as present and intact.
- Confirm the E01 derivative's acquired and verified SHA-256 equals the image content hash recorded under the seal — the three values match (seal = acquire = verify).
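The manifest and hash checks above, worked through as an added Python example (not Spectra's own code): it recomputes a shasum-format integrity manifest the way `shasum -a 256 -c` does, reports altered and missing files separately, and applies the seal = acquire = verify comparison. The manifest layout, file names and sample contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    # Stream the file so a multi-gigabyte sparse bundle never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_manifest(manifest_path):
    # Mirrors `shasum -a 256 -c <manifest>`: lines are '<hex>  <path>' or '<hex> *<path>'
    # (binary mode). Returns {path: "OK" | "FAILED" | "MISSING"}; paths resolve next to the manifest.
    base = os.path.dirname(manifest_path)
    results = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            fields = line.rstrip("\n").split(None, 1)
            if len(fields) != 2:
                continue  # blank or malformed line
            expected, name = fields
            name = name.lstrip("*")
            target = os.path.join(base, name)
            if not os.path.isfile(target):
                results[name] = "MISSING"
            else:
                results[name] = "OK" if sha256_file(target) == expected.lower() else "FAILED"
    return results

def e01_hashes_agree(seal_hash, acquire_hash, verify_hash):
    # The guide's three-way check: seal = acquire = verify (hex compared case-insensitively).
    return seal_hash.lower() == acquire_hash.lower() == verify_hash.lower()

def demo():
    # Constructed evidence set: seal three files, then alter one and delete another.
    d = tempfile.mkdtemp()
    files = {"evidence.bin": b"constructed image bytes", "collection.log": b"step 1 ok\n", "triage.json": b"{}"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = os.path.join(d, "MANIFEST.sha256")
    with open(manifest, "w", encoding="utf-8") as f:
        for name in files:
            f.write(f"{sha256_file(os.path.join(d, name))}  {name}\n")
    before = check_manifest(manifest)  # all OK on the untouched set
    with open(os.path.join(d, "collection.log"), "ab") as f:
        f.write(b"edited after sealing\n")
    os.remove(os.path.join(d, "triage.json"))
    return before, check_manifest(manifest)  # collection.log FAILED, triage.json MISSING
```

A real run points `check_manifest` at the integrity manifest in the EVIDENCE folder; any FAILED or MISSING entry means the set no longer matches what was sealed at collection time.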
13 · Troubleshooting
Full Disk Access shows as not granted
Grant Full Disk Access to this exact app copy on the drive, then fully quit and relaunch before re-checking — macOS only re-reads the permission on a fresh launch.
License shows invalid
The most common cause is a serial mismatch. On the activation screen, type or paste the exact serial the license was issued against rather than relying on auto-detect.
The run seems slow
Collection time tracks the number of files, not just data size. A volume with very large numbers of tiny files (for example, a large local version-history store) takes longer to read. This is machine state, not a fault, and the elapsed timer confirms the tool is still working.
Destination won't accept the image
The tool refuses to write evidence to the subject's internal disk or to the same device being imaged. Use a separate external evidence drive.
14 · Support & licensing
For licensing, evaluations, renewals, or to submit a drive serial for a bring-your-own-drive license, contact info@spectramacollect.com.