New File System on Macs


jaclaz
Senior Member
 

Re: New File System on Macs

Post Posted: Oct 03, 17 13:29

- Logan
I assume no tool has released support for the new file system yet?

Contacted X-Ways; no support.

Cannot see support within EnCase or FTK...


It seems like even Apple doesn't fully support disks and file systems in the new OS.

OT (but not much) and JFYI:

tinyapps.org/blog/mac/...ility.html

High Sierra's Disk Utility does not recognize unformatted disks unless you click View > Show All Devices, quit Disk Utility, then relaunch it

this is actually APFS related:

bombich.com/blog/2017/...igh-sierra


Take any HFS+ formatted volume that does not have an installation of macOS on it (that part is key), right-click on the volume in the Finder and choose the option to encrypt it. Rather than simply converting the volume to a CoreStorage Encrypted volume and keeping the HFS+ format, macOS converts the volume to APFS with no warning, and then enables encryption.


More seriously, this:
eclecticlight.co/2017/...n-trouble/


When you install macOS High Sierra on the built-in solid-state drive (SSD) of a Mac, that drive is automatically converted to APFS. Fusion Drives and hard disk drives (HDDs) aren’t converted. You can’t opt out of the transition to APFS.

It also dropped the bombshell that Sierra would never be able to access volumes formatted using High Sierra’s release version of APFS:
Devices formatted as APFS can be read from and written to by:

Other devices formatted as APFS
Devices formatted as Mac OS Extended, if using macOS High Sierra
For example, a USB storage device formatted as APFS can be read by a Mac using High Sierra, but not by a Mac using Sierra or earlier.


Will probably create havoc.

And I presume that all software firms are in a condition similar to the one expressed here:
www.shirt-pocket.com/b..._the_march


First, we'll definitely be supporting APFS. That work has been in progress for some time, and continues as of this post. We already have copying to and from APFS volumes working "in the lab", as it were, and testing is ongoing.

The bad news is I'm not confident enough to say we're going to release our APFS support day-and-date.

I know this kind of hedging is disappointing. But it's important to note that Apple still hasn't released any documentation on the "proper" way to create a bootable APFS volume. An example of what they have in mind was released for the very first time when the High Sierra developer release came out a few months ago, but that's it. We basically have to make an educated guess about what they want.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

UnallocatedClusters
Senior Member
 

Re: New File System on Macs

Post Posted: Oct 03, 17 18:04

Please do not forget Passmark's OSForensics, which supports HFS+/HFSX (Mac/iPhone/iPad).

OSForensics also has a PLIST viewer built in.


- Chris_Ed
It's interesting that not only do the "containers" support different levels of encryption, but it's up to developers whether they use it or not. One would assume that Apple's own software (such as MacOS) will use it by default, much like OSX does now. Also, APFS supports TRIM commands out of the box.

Now the question is: which tools will support it first? My prediction:
1) XWF
2) Blackbag tools (Macquisition, etc)
3) Magnet Axiom
4) TSK
5) FTK
6) EnCase 8

 
 
  

dandaman_24
Senior Member
 

Re: New File System on Macs

Post Posted: Oct 03, 17 21:16

Well worth 5 minutes of your time

www.youtube.com/watch?v=Y-re4STYlV0  
 
  

LtMorales
Newbie
 

Re: New File System on Macs

Post Posted: Oct 16, 17 13:45

Not sure how Sumuri/Recon didn't end up on your lists. I would have put them first or second, especially since they said before APFS launch that they were almost on track with the support already.
 
  

jaclaz
Senior Member
 

Re: New File System on Macs

Post Posted: Oct 16, 17 14:45

- LtMorales
Not sure how Sumuri/Recon didn't end up on your lists. I would have put them first or second, especially since they said before APFS launch that they were almost on track with the support already.

Check the date Chris_Ed's "prediction" was (jokingly) made: more than one year ago, June 2016.

@UnallocatedClusters
Does OSForensics support APFS (besides HFS, HFS+ and plists)?

If not, Chris_Ed is still right about not listing it...

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

UnallocatedClusters
Senior Member
 

Re: New File System on Macs

Post Posted: Oct 16, 17 16:04

Jaclaz (et al) -

I just upgraded my MacBook Pro (500 GB SSD drive) to High Sierra, so next step is to image it and see what tools can process the forensic image; I am going to test Forensic Explorer / OSForensics / IEF.

I will report back once I have some results.  
 
  

randomaccess
Senior Member
 

Re: New File System on Macs

Post Posted: Oct 17, 17 11:28

- UnallocatedClusters
Jaclaz (et al) -

I just upgraded my MacBook Pro (500 GB SSD drive) to High Sierra, so next step is to image it and see what tools can process the forensic image; I am going to test Forensic Explorer / OSForensics / IEF.

I will report back once I have some results.


I'll save you a bit of time - FEX doesn't have support, had a quick look today. And I haven't seen Axiom updated so I'd be surprised if IEF has support. I haven't tested the latest update to OSForensics.

Basically, I haven't seen anything updated with native support for APFS yet. I'm thinking Blacklight and Recon are our best bets for the first tools to support it (utilising OSX HS to access the image). Without an official spec release I don't think we'll see Windows support for a while.  
 

Page 2 of 5