New File System on Macs


Re: New File System on Macs

Post Posted: Mon Dec 18, 2017 5:58 am

- randomaccess
yeah, part of that was turned into the tool mentioned by the developer in the comments of my thinkdfir post


I see :), in your blog post comments there is some reference to the progress of BlackBag and a link to a new program
biskus.com/
by Thomas Tempelmann, though seemingly he made a fork of the apfs.ksy only:
github.com/tempelmann/apfs.ksy
whilst cugu's repository offers, besides the Kaitai structure:
github.com/cugu/apfs.ksy
also a "full" program/library:
github.com/cugu/apfs
forked from:
github.com/tienex/apfs

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: New File System on Macs

Post Posted: Wed Dec 20, 2017 3:21 am

Yep, he worked on the original cugu stuff apparently as well, and then turned it into this tool

I haven't tested it but I don't think it deals with FV2 on Windows... which is going to be the main call from practitioners... but then we didn't have that prior to APFS either.

randomaccess
Senior Member
 
 
  

Re: New File System on Macs

Post Posted: Wed Dec 20, 2017 8:12 am

For viewing APFS, I found that Paragon has a new tool for Windows and Unix that can read APFS. It can be downloaded here:

Paragon APFS Tool

For forensics work on the APFS drive, I loaded the logical drive (via "Add Directory") into X-Ways.

The downside of course is that you still can't get disk level access, but at least I can view the files on the APFS formatted drives.  

BobSentMe
Newbie
 
 
  

Re: New File System on Macs

Post Posted: Wed Dec 20, 2017 10:21 am

- BobSentMe
For viewing APFS, I found that Paragon has a new tool for Windows and Unix that can read APFS. It can be downloaded here:

Paragon APFS Tool

For forensics work on the APFS drive, I loaded the logical drive (via "Add Directory") into X-Ways.

The downside of course is that you still can't get disk level access, but at least I can view the files on the APFS formatted drives.


Nice :), and there is seemingly also a Linux version:
backstage.paragon-soft...pfs-linux/
that can reportedly read file metadata and access rights (but unlike the Windows version there is seemingly no direct download link; possibly it needs registration or a license to be bought).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: New File System on Macs

Post Posted: Tue Jan 02, 2018 10:24 pm

- jaclaz
- randomaccess
yeah, part of that was turned into the tool mentioned by the developer in the comments of my thinkdfir post


I see :), in your blog post comments there is some reference to the progress of BlackBag and a link to a new program
biskus.com/
by Thomas Tempelmann, though seemingly he made a fork of the apfs.ksy only:
github.com/tempelmann/apfs.ksy
whilst cugu's repository offers, besides the Kaitai structure:
github.com/cugu/apfs.ksy
also a "full" program/library:
github.com/cugu/apfs
forked from:
github.com/tienex/apfs

jaclaz


I've used their (Jonas and Tempelmann) reference implementation to add APFS support to the mac_apt tool. This is a framework to parse macOS full disk images (no encryption support though) for forensic artifacts. A lot of APFS's inner workings such as snapshots and the 3-byte filename hash are still unknown, but we know enough to parse the files and folders.

github.com/ydkhatri/mac_apt

I believe mac_apt is the first open source forensics tool to support APFS and parse High Sierra images (unencrypted).
_________________
Yogesh Khatri

Blog - www.swiftforensics.com 

YogeshKhatri
Member
 
 
  

Re: New File System on Macs

Post Posted: Wed Jan 03, 2018 2:58 am

Latest UFS v6 supports it

Ref.: r-explorer.com/technical.php

tested it  

einstein9
Member
 
 
  

Re: New File System on Macs

Post Posted: Mon May 14, 2018 7:49 am

So the order of tools supporting APFS so far appears to be:

1. BlackBag Tech. with BlackLight 2018 R1 (February 2018)
2. OpenText (Guidance Software) with EnCase 8.07 (May 2018)
3. Possibly X-Ways with X-Ways Forensics 19.7 (currently in preview/beta)
4......?  

AmNe5iA
Senior Member
 
 

Page 4 of 5