Encase 8.07 APFS
As most of you have probably seen Opentext are now saying they support APFS within encase 8.07. Has anyone actually got this to work?
I have a physical image of a drive from a macbook, the drive has an unencrypted APFS volume but when loading into encase all i get is an entry called 'mastersuperblockcontainer' and below that about 128 entries called checkpoint. I can mount the image on a mac and view the data without problem, also blacklight can parse the image without issue.
I have spoken to opentext and they are dodging the issue blaming the problem on the method of e01 creation (Guymager).
Has anyone actually managed to view data from an apfs volume within encase?
Works for me
I'm having the same issue with an E01 created using Macquisition 2018R1.2
This admittedly is an Encrypted APFS and blacklight is the only program I know so far that can decrypt it.
I’m having a similar issue.
Two Macs imaged with different versions of Paladin, but EnCase 8.07 only shows the “MasterContainerSuperBlock” subfolder with no actual data.
Case opened with Opentext support. Their suggestion at this stage is that the E01 may be faulty, however Blacklight, Paragon apfs mounter and APFS-fuse parses the image.
Will post here if we get to the bottom of the problem.
I contacted Guidance regarding Encase getting encrypted APFS E01 support and they messaged me back saying that they expect it to be available some time in October 2018 as they are still researching it.
Have you attempted to load the E01 image within blacklight 2018.1.1? If you contact Blackbagtech you might be able to get a trial of their software.
When i did this, the E01 created with Macquisition opened up fine in Blacklight.
(Edit - Just re-read and saw you have already used Blacklight, my mistake)
X-ways 19.7 Preview 5 also has updated APFS support, try it on that and see if that gives same result.