APFS and NUIX

Rich2005
(@rich2005)
Active Member

Afternoon all,
Just wondered if anyone had a good workaround for APFS and NUIX (investigator version in my instance - but I imagine the engine will be the same or similar for most of their products).
It has tentative support I know, but so far I've had no luck with parsing it, and confirmed via support that it's the tool having trouble doing so (perhaps due to a non-clean shutdown - though tools like X-Ways can read it fine).
Obviously using a tool like Blackbag's suite would be preferable (due to their focus on this sort of thing) but isn't an option until some extra yearly budget magically appears.
I've tried mounting the user volume logically (via EnCase I think it was) and then processing it with store-binary, as a rough-and-ready way to make it reviewable using NUIX, however whilst this appeared to complete, looking at the processing I think what actually happened was the mounting fell over at some point before the end, and then the processing just quit and finished as it couldn't see any more data.
Exporting the entire contents of the volume ran into its own issues (think it was long file paths or problematic names).
I can examine the drive, if needs be, using X-Ways, but it's going to be easier/quicker if I can get the drive into NUIX and treat it as part of the job as a whole, rather than splitting it off and doing a separate examination on it.
So if anyone can think of a novel way to get it into NUIX somehow I'm all ears!
Thanks,
Rich

Posted : 23/04/2019 4:20 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

1) Install Paragon's US$15.00 APFS for Windows software to the Nuix workstation https://www.paragon-software.com/us/home/apfs-windows/

2) Install Paragon's APFS Image Mounter to the Nuix workstation https://www.paragon-software.com/us/business/image-mounter/

Point Nuix at the APFS-mounted APFS format forensic image and process the mounted volume (which Nuix *should* be able to ingest now).

Posted : 23/04/2019 9:32 pm
dandaman_24
(@dandaman_24)
Active Member

Process in Blacklight, export files into .dmg; this way preserves the metadata. I did it the other day, worked a treat.

Posted : 23/04/2019 9:59 pm
Rich2005
(@rich2005)
Active Member

1) Install Paragon's US$15.00 APFS for Windows software to the Nuix workstation https://www.paragon-software.com/us/home/apfs-windows/

2) Install Paragon's APFS Image Mounter to the Nuix workstation https://www.paragon-software.com/us/business/image-mounter/

Point Nuix at the APFS-mounted APFS format forensic image and process the mounted volume (which Nuix *should* be able to ingest now).

Thanks. Though sadly for business use it seems you need their business suite instead which is over £500 (and therefore not an option for me currently).

Process in Blacklight, export files into .dmg; this way preserves the metadata. I did it the other day, worked a treat.

Blacklight would indeed be helpful... but as mentioned in the original post I'm not going to get the thousands of pounds required for the Blackbag stuff 😉

Posted : 24/04/2019 11:35 am
MrMacca
(@mrmacca)
New Member

Open the image within X-Ways so you can see the folder structure.

Then create a Container and then add the folders of the drive to the container. Save this container as an E01. (Specialist > Evidence File Container > New)

We have had success using this method.

Posted : 24/04/2019 4:53 pm
Rich2005
(@rich2005)
Active Member

Open the image within X-Ways so you can see the folder structure.

Then create a Container and then add the folders of the drive to the container. Save this container as an E01. (Specialist > Evidence File Container > New)

We have had success using this method.

Great thanks Macca. I've not used containers much in X-Ways. Will give that a go at the next opportunity.

Posted : 25/04/2019 12:32 pm
jaclaz
(@jaclaz)
Community Legend

I don't think that there is any actual need (specifically) of the (costly) Paragon Image Mounter.

You can use - I believe - *any* similar software capable of mounting the image exposing it as a \\.\PhysicalDrive, which includes Arsenal Image Mounter and - recently - OSFMount among others.

The Paragon APFS driver is a file system driver (IFS) capable of accessing volumes on (real, physical) disks formatted with APFS, and it should work just fine for virtual ones, as long as they emulate a physical disk.

jaclaz

Posted : 25/04/2019 1:49 pm