Another Forensics Blog

As a follow-up to my post about how to mount APFS images on Windows, I wanted to post about how to mount an APFS image on a Linux system. If you’re looking for how to mount an APFS image on a Mac, Sarah Edwards wrote an awesome blog post on how to do this.

There is also another one over at BlackBag. If you’re not familiar with APFS, I would also recommend an interesting video by Steve Whalen where he explains APFS in detail. Options, options, options. It certainly is nice to have options in forensics. Sometimes one way may not work for you, or maybe you do not have access to a Mac at the moment. If you’re on a Windows machine and need access to an APFS volume or image (E01 or raw), it’s easy enough to spin up a Linux VM and get to work.

For my testing, I used an experimental Linux APFS driver by sgan81 – apfs-fuse. Note the word “experimental” – and read the disclaimers by the author. I would strongly suggest verifying any results with another tool or method, like the one detailed by Sarah Edwards. However, this method works in a pinch, and at least you can start analysis until you get things working on a Mac.

Oh – and according to the documentation, it will prompt you for a password if the volume is encrypted. These instructions assume that you already have an image of the Mac, either in E01 or raw format (dd, dmg, etc). First things first: some dependencies have to be installed before apfs-fuse will work. If you’re running a version of SIFT before the one based on Ubuntu 16.04, several additional dependencies may be needed. This includes a newer version of cmake.

This can be installed by following the instructions on the cmake website. Now that the SIFT workstation has been set up, we can mount the E01 image. If you have a dd/raw image, you can skip to the next step. I love using the ewfmount tool in SIFT to mount E01s.

Once mounted, you will see a “virtual” raw image of the E01 file under the designated mount point. The syntax is simple, and works on split images as well (just designate the first segment for split images). If you have problems with ewfmount, check out this post for a few alternative tools to mount these files.

Now that we have a dd/raw image to work with – either from mounting the E01, or because that is how the image was acquired – we’ll mount it to a loopback device. The Linux apfs-fuse driver needs the volume where the APFS container is. Because the disk image may contain additional partitions, we will need to determine the offset where the APFS partition starts.
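
One way to find that offset, shown as an added example that is not from the original post or the apfs-fuse project: a read-only parser that walks the GPT of a raw image, picks out entries with the APFS partition type GUID, and confirms the container superblock magic at the computed offset. It assumes a GPT-partitioned image with 512-byte sectors; the function names and the in-memory sample image are constructed for illustration.

```python
import io
import struct
import uuid

SECTOR = 512  # assumed logical sector size; 4Kn disks need 4096
APFS_TYPE = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")  # GPT type GUID for APFS

def find_apfs_partitions(image, sector=SECTOR):
    """Return [(index, byte_offset, byte_length, has_nxsb_magic)] for APFS GPT entries."""
    image.seek(sector)  # GPT header lives at LBA 1, after the protective MBR
    hdr = image.read(92)
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (wrong sector size or not a GPT disk)")
    # Offset 72: LBA of the entry array, number of entries, size of each entry
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    if entry_size < 128 or count > 1024:
        raise ValueError("implausible GPT entry table")
    found = []
    for i in range(count):
        image.seek(entries_lba * sector + i * entry_size)
        entry = image.read(entry_size)
        if len(entry) < 48:
            break  # truncated image
        if uuid.UUID(bytes_le=entry[:16]) != APFS_TYPE:
            continue  # empty slot or a different partition type
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        offset = first_lba * sector
        # The APFS container superblock carries the magic "NXSB" 32 bytes into block 0.
        image.seek(offset + 32)
        magic_ok = image.read(4) == b"NXSB"
        found.append((i + 1, offset, (last_lba - first_lba + 1) * sector, magic_ok))
    return found

def build_sample_image():
    """Constructed sample: 64-sector GPT disk with an EFI and an APFS partition."""
    img = bytearray(SECTOR * 64)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # entries at LBA 2, 4 slots
    efi = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B").bytes_le
    parts = [(efi, 8, 39), (APFS_TYPE.bytes_le, 40, 63)]
    for slot, (type_guid, first, last) in enumerate(parts):
        struct.pack_into("<16s16sQQ", img, 2 * SECTOR + slot * 128,
                         type_guid, bytes(16), first, last)
    img[40 * SECTOR + 32:40 * SECTOR + 36] = b"NXSB"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for idx, off, size, ok in find_apfs_partitions(build_sample_image()):
        print(f"partition {idx}: offset={off} size={size} NXSB={'yes' if ok else 'no'}")
```

Against a real image, open the file in binary read mode (`open(path, "rb")`) and pass the handle in; the reported byte offset is the value to give a read-only loop device, for example `losetup -r -o <offset>`.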