Join Us!

X-Ways Does Not Pro...
 
Notifications
Clear all

X-Ways Does Not Process APFS!!  

  RSS
4Rensics
(@4rensics)
Active Member

So, I'm running X-Ways 19.9 and I'm trying to load in a MacQuisition image from a Macbook Pro.

AXIOM has processed it perfectly and even EnCase 8 has let me process it and export it, but X-Ways just gripes at me and complains that it can see "fragments" of an APFS FileSystem. The only "helpfull" comment I get from X-Ways message box is "try holding shift and load it as a volume… I'm shocked to say this didn't work!!! roll

Am I missing a trick here. Apparently its supported, but appears to clearly not be!

Any tips or tricks please. h**l, I've even take a reply to just tell me 'don't use x-ways for APFS its not supported' At least then I know I'm not going mad!

Thanks,

Yours, frustratedly,
4Rensics

?

Quote
Posted : 28/02/2020 8:26 am
Rich2005
(@rich2005)
Active Member

v20 Preview 1 mentions " APFS Supports new Catalog ID structure as created by Mac OS Catalina"

That of any relevance? Worth trying this preview version?

(sounding like it's just not supported properly yet)

ReplyQuote
Posted : 28/02/2020 8:34 am
4Rensics
(@4rensics)
Active Member

Thanks Rich.

No harm in giving it a try (probably fly in the face of ISO using a preview version, but its Friday and I'm feeling wild!!)

Thanks again

4F

ReplyQuote
Posted : 28/02/2020 9:05 am
Rich2005
(@rich2005)
Active Member

Thanks Rich.

No harm in giving it a try (probably fly in the face of ISO using a preview version, but its Friday and I'm feeling wild!!)

Thanks again

4F

I dunno…you could spend two minutes designing a pointless testing/validation process for it, that's so simple/narrow it's practically guaranteed to pass straight away, that would seem very ISO17025 😉

ReplyQuote
Posted : 28/02/2020 9:09 am
4Rensics
(@4rensics)
Active Member

You sound cynical about ISO17025? D

Unfortunately X-Way 20.0 didn't work either. I'm beginning to think I'm going to have to analyse this in EnCase! cry

ReplyQuote
Posted : 28/02/2020 11:57 am
Rich2005
(@rich2005)
Active Member

You sound cynical about ISO17025? D

That's probably the polite way of putting it lol

I'm beginning to think I'm going to have to analyse this in EnCase! cry

My sincerest condolences wink

ReplyQuote
Posted : 28/02/2020 2:05 pm
Dilettante
(@dilettante)
New Member

I dunno…you could spend a few minutes designing a pertinent verification/validation process for it, that will provide you with objective evidence that it's fit for the specific purpose you intend to use it for. That is very ISO17025.

Or, you could twiddle your thumbs until the 'better' software finally appears to work (and on their say so) and then you can pull the proverbial 'forensic white rabbit' out the hat for the court!

ReplyQuote
Posted : 02/03/2020 8:17 pm
pbobby
(@pbobby)
Active Member

If your APFS volume is encrypted then XWays doesn't support and never will.

Stefan is either stubborn about encryption support or he cannot get licensed/authorized to for it.

I am an XWays user and use other software to handle disk encryption (namely Encase - hah. But it works very well).

ReplyQuote
Posted : 02/03/2020 9:18 pm
PensiveHike
(@pensivehike)
New Member

Once you have processed the image files with Axiom, a decrypted image file should be present within the Axiom case file. This can then be loaded into X-Ways. For the time being, this is how we are doing it.

Initially we tried loading the encrypted image into Passware and creating a decrypted image file, but certain data (pictures) was missing, so we stopped doing it this way.

ReplyQuote
Posted : 13/03/2020 2:50 pm
Rich2005
(@rich2005)
Active Member

Once you have processed the image files with Axiom, a decrypted image file should be present within the Axiom case file. This can then be loaded into X-Ways. For the time being, this is how we are doing it.

Initially we tried loading the encrypted image into Passware and creating a decrypted image file, but certain data (pictures) was missing, so we stopped doing it this way.

Not sure whether his volume was encrypted in the end, however, just for the info of others, if you don't have Axiom, you can decrypt it using libfvde mount it with fvdemount using the wipekey, and then acquire it (using ewfacquire for example).

I happen to have done a drive that way originally, and later via Axiom, and the hashes of the data were the same, just to confirm (dunno if they use the same library to do it - support haven't confirmed that or not).

ReplyQuote
Posted : 13/03/2020 3:39 pm
Share: