Join Us!

Notifications
Clear all

APFS Question  

  RSS
StreetForensics
(@streetforensics)
Member

I am looking at an APFS image and am trying to understand something… forgive my terms if they are wrong, I think APFS refers to things differently. I am using EnCase 8.10 and Blacklight 2019R3. I'm going to rename the paths to a degree since its an active case. Here goes

I have a notable file found in the following 'path' (EnCase) \1 Untitled\mac\.HFS+ Private Directory\dir_8992178\folder1\folder2\folder3\library\Preferences\com.apple.recentitems.plist

The same path exists in the APFS 'path' (EnCase) \Mac 2 Container -long GUID\maccmv - Data\root\Users\account name\Desktop\folder1\folder2\folder3\Library\Preferences\

The notable .plist file com.apple.recentitems.plist is NOT found in the second path…

The data as seen in Blacklight reflects this.

I am familiar with the folder structure of OSX and know the path I am looking at is not in a normal location, my guess is a user copied a home folder from another computer to the desktop of this computer for what ever reason. That's not so much an issue as much as why I don't see the same data in what seems like the same path (from Folder 1\…) .

My question is if a user was logged into the user profile (account name) and navigated down to the folder path folder1\folder2\folder3… would they see the notable .plist file found in the path that contains HFS + Private data?

I am sure I'm leaving something out that you may need to help me. If you think you can help me I'd appreciate it… if more detailed information is needed PM me and we can go from there.

Thanks in advance.

Quote
Posted : 10/02/2020 8:22 pm
Rich2005
(@rich2005)
Active Member
StreetForensics
(@streetforensics)
Member

Thanks, that did help!

ReplyQuote
Posted : 11/02/2020 5:10 pm
Share: