The release of BlackLight 2018 R1, when combined with MacQuisition 2018 R1, is the world’s first complete end-to-end acquisition, decryption, and analysis solution for the latest Apple File System (APFS).To enhance the multi-platform forensic analysis tool, BlackLight 2018 R1 includes APFS support and beta support for latest versions of the following mobile applications:
o Facebook Messenger
The High Sierra release of macOS 10.13 introduced the Apple File System (APFS), which replaced HFS+ as the default file system used by Apple. APFS is much different than HFS+. APFS no longer defines a volume, rather it implements a container inside of which, several volumes may be present. APFS was designed for solid state drives (SSDs) but can work with traditional drives as well.
Because APFS volumes within a container are not traditional partitions, these volumes cannot be individually imaged. As a result, imaging the unlocked state of an encrypted APFS partition is not possible. When an APFS volume is unlocked with a password or recovery key, the unlocked volume is available for data collection (logical copy of files from the volume). When imaging the APFS Container or the parent physical disk, the resulting image will contain the volume in its encrypted state, rather than the unlocked state. MacQuisition 2018 R1 supports imaging both the logical copies of unencrypted volumes and the encrypted physical disk.
On macOS 10.13.0 (and higher) while System Integrity Protection (SIP) is active, no user, even root, can read the physical disk the system is currently booted from, the physical partition the system is currently booted from, nor the APFS container that holds the currently booted volume. This makes it impossible to image the physical disk.
Adding APFS Evidence to BlackLight 2018 R1
APFS is very different than any other file system, therefore it will appear differently than what has traditionally been seen. Specifically, the APFS container uses pooled storage which is available to all volumes within it including unallocated space. BlackLight will present the APFS pooled container highlighted with a grey box around the pooled volumes. The other volumes will appear normally. If a volume is encrypted, it will not be selected by default and will display text indicating its encrypted status.
Once the checkbox next to an encrypted volume within the APFS container is selected, a password prompt will be displayed along with a password hint if one is available. Provide the known correct password or recovery key to unlock the volume. NOTE: To use a recovery key, please enter the key in all caps, including dashes in the password prompt.
If the password or key is correct, the volume will be selected otherwise BlackLight will prompt to re-enter the correct password. All other processing options will function the same as previous versions of BlackLight with one exception: File Carving.
Because APFS uses pooled storage, you cannot carve deleted files from volumes located inside of containers. With APFS, you can only carve from the pooled storage which means that you must choose to carve the unallocated space from the Add Evidence ingestion options window. Volumes NOT within the pooled storage will behave as previous versions of BlackLight and can be carved at any point.
Once the APFS image is ingested, data within BlackLight will appear as it has with previous versions.
Mobile Application Updates
Many 3rd party applications have changed and continue to change regularly. BlackLight 2018 R1 has been updated to include new parsers for the following applications:
· Line is an app for exchanging texts, images, video and audio.
· WeChat is a Chinese multi-purpose social media mobile application.
· Facebook Messenger is an instant messaging service and software application. Originally called Facebook Chat, the app service was changed to a standalone iOS and Android app.
· WhatsApp is an instant messaging and Voice over IP service. The application allows the sending of text messages and voice calls, as well as video calls, images and other media.
NOTE: These parsers are currently supported as beta features.
To learn more about BlackLight, including more about these features, check out our comprehensive training options; including free, self-paced or in-depth courses here. Our Instructors have years of law enforcement and digital forensics experience and actively support investigators in the field.