
Decrypting an APFS Image

4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

So, maybe I'm just not using it right, but is there a feature in X-Ways to let me load in an image and decrypt it?

AXIOM and Blacklight (and am I correct in saying EnCase 8) let me load an image, identify it's encrypted and give me the option to decrypt. I loaded an image into X-Ways and it happily notified me it was APFS Encrypted and then told me it was aborting. Not very helpful!

Am I missing something or is it just not an option in X-Ways?

Thanks,
4R

 
Posted : 11/12/2019 8:57 am
(@rich2005)
Posts: 535
Honorable Member
 

I believe the short answer is no.
(They seem weak on Apple stuff and not just APFS... things like HFS+/file-vault volumes I've had to generate decrypted images manually using Linux or using Axiom - and then bring that into X-Ways if I wanted to examine using that.)

 
Posted : 11/12/2019 9:50 am
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Thank you Rich. I had a feeling I wasn't losing my mind.

AXIOM to the rescue it is.

 
Posted : 11/12/2019 9:58 am
(@dcs1094)
Posts: 146
Estimable Member
 

Correct me if I'm wrong, pretty sure EnCase and AXIOM are using Passware in the background to detect and decrypt images. For X-Ways you are expected to import a decrypted image first. They did add support for various APFS formats when I last checked and did some testing and the reconstruction of APFS worked fine on a decrypted image.

 
Posted : 11/12/2019 1:23 pm
(@mcman)
Posts: 189
Estimable Member
 

"Correct me if I'm wrong, pretty sure EnCase and AXIOM are using Passware in the background to detect and decrypt images."

We use Passware for most of our decryption but AXIOM built APFS decryption in-house so it doesn't use Passware for that one. (FV2 with HFS+ however is Passware)

Jamie McQuaid
Magnet Forensics

 
Posted : 11/12/2019 5:34 pm