Not sure how Sumuri/Recon didn't end up on your lists. I would have put them first or second, especially since they said before APFS launch that they were almost on track with the support already 😉
Check the date Chris_Ed's "prediction" was (jokingly) made, more than one year ago, June 2016.
@UnallocatedCluster
Does OSForensics support APFS (besides HFS, HFS+ and plists)?
If no, Chris_Ed is still right about not listing it ….
jaclaz
Jaclaz (et al) -
I just upgraded my MacBook Pro (500 GB SSD drive) to High Sierra, so next step is to image it and see what tools can process the forensic image; I am going to test Forensic Explorer / OSForensics / IEF.
I will report back once I have some results.
I'll save you a bit of time - FEX doesn't have support, had a quick look today. And I haven't seen Axiom updated so I'd be surprised if IEF has support. I haven't tested the latest update to OSForensics.
Basically, I haven't seen anything updated with native support for APFS yet. I'm thinking Blacklight and Recon are our best bets for the first tools to support it (utilising OSX HS to access the image). Without an official spec release I don't think we'll see Windows support for a while.
I also had a play around a few weeks ago with APFS and a few tools at the time. I documented my findings
Just to update (and for those not already aware), X-Ways have apparently added support for APFS as of 19.4 SR-2.
See
NB I've not tested this myself. Do any of the other main tools offer support yet?
Cheers,
Ben
Hey Ben, they added "support".
i.e. it says that it's an APFS volume but doesn't parse the file system.
That being said, I tested it on a volume that was file vaulted, I haven't seen how it goes with a disk image created with Disk Utility. If you've got X-Ways handy you can pull down a disk image I created over on thinkdfir.com
Now that's an "interesting" distinction! :P
Thanks for the link - I've added those images into XWF and found that you are quite right - recognition of the APFS filesystem but no actual files and folders.
I also partitioned and formatted a USB stick with GPT/APFS using a Mac running High Sierra to test this on a physical drive, rather than via DMG files/virtual drives (my understanding is that the DMG format uses the old Apple Partition Table system so I wanted to eliminate that from the equation). The same results were observed - screenshot
It's a step forward at least, but I wonder when full compatibility will reach us?
When Apple open sources the file system
or someone reverse engineers it.
I'd say that people are working on the second, I doubt the first will come to pass.
or someone reverse engineers it
It seems like following this post
https://
some work has been done
https://
https://
(no idea on the amount of progress)
jaclaz