Another Forensics Blog

As a follow up to my post about how to mount APFS images on Windows, I wanted to post about how to mount an APFS image on a Linux system. If you are looking for how to mount an APFS image on a Mac, Sarah Edwards published an awesome blog post on how to do this.

There is also another one over at BlackBag. If you are new to APFS, I’d also recommend an interesting video by Steve Whalen where he explains APFS at length. Options, options, options. It certainly is nice to have options in forensics. Sometimes one way might not work for you, or maybe you do not have access to a Mac at the time. If you are on a Windows machine and need access to an APFS volume or image (E01 or raw), it’s easy enough to spin up a Linux VM and get to work.

For my testing, I used the experimental Linux APFS driver by sgan81 – apfs-fuse. Note the term “experimental” – and read the disclaimers by the author. I would highly suggest verifying any results with another tool or method, such as the one detailed by Sarah Edwards. However, this technique works in a pinch, and at least you can begin analysis until you get things working on a Mac.

Oh – and based on the documentation, it will prompt you for a password if the volume is encrypted. These instructions assume that you already have an image of the Mac, either in E01 or raw format (dd, dmg, etc). First things first, some dependencies need to be installed before apfs-fuse will work. If you are running a version of SIFT prior to the one based on Ubuntu 16.04, a couple of additional dependencies might be needed. This includes a more recent version of cmake.

This can be installed by following the instructions on the cmake website. Now that the SIFT workstation has been set up, we can mount the E01 image. If you have a dd/raw image, you can skip to the next step. I like using the ewfmount tool in SIFT to mount E01s.

Once mounted, there will be a “virtual” raw image of the E01 file under the specified mount point. The syntax is simple, and works on split images as well (just specify the first segment for split images). If you have problems with ewfmount, check out this blog post for a few alternative tools to mount ewf files.

Now that we have a dd/raw image to work with – either from mounting the E01, or because that is the format the image was taken in – we’ll mount it to a loopback device. The Linux apfs-fuse driver needs the volume where the APFS container is. As the drive image may contain additional partitions, we will need to find out the offset where the APFS partition starts.
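
One way to find that offset, as an added example that is not part of the original post: a small Python parser that reads the GPT of a raw image, matches the APFS partition type GUID, and returns the starting byte offset to give to the loopback device. It assumes the image is GPT-partitioned; the function names and the sample image it builds are constructed for illustration.

```python
import struct
import uuid

# GPT partition type GUID that marks an APFS container
APFS_TYPE = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")

def find_apfs_offsets(image_path):
    """Return [(byte_offset, sector_size)] for every APFS partition in a raw image."""
    with open(image_path, "rb") as img:
        # The GPT header lives at LBA 1, so where the "EFI PART" signature is
        # found gives the sector size: 512, or 4096 on 4Kn media.
        for sector in (512, 4096):
            img.seek(sector)
            hdr = img.read(92)
            if hdr[:8] == b"EFI PART":
                break
        else:
            raise ValueError("no GPT header at LBA 1 for 512- or 4096-byte sectors")
        entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)  # array LBA, count, entry size
        hits = []
        for i in range(count):
            img.seek(entries_lba * sector + i * size)
            entry = img.read(size)
            if len(entry) < 48:
                break  # image truncated inside the entry array
            if uuid.UUID(bytes_le=entry[:16]) == APFS_TYPE:
                first_lba = struct.unpack_from("<Q", entry, 32)[0]
                hits.append((first_lba * sector, sector))
        return hits

def build_sample_image(path, sector=4096, apfs_first_lba=76806):
    """Write a constructed, minimal GPT (EFI + APFS entries) for demonstration."""
    efi = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
    hdr = bytearray(b"EFI PART".ljust(92, b"\0"))
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)  # entries at LBA 2, 128 x 128 bytes
    with open(path, "wb") as f:
        f.seek(sector)
        f.write(hdr)
        f.seek(2 * sector)
        for guid, first, last in ((efi, 6, 76805), (APFS_TYPE, apfs_first_lba, 999999)):
            f.write((guid.bytes_le + bytes(16) + struct.pack("<QQ", first, last)).ljust(128, b"\0"))
    return path

if __name__ == "__main__":
    import os, sys, tempfile
    path = sys.argv[1] if len(sys.argv) > 1 else build_sample_image(
        os.path.join(tempfile.mkdtemp(), "sample.raw"))
    for off, sec in find_apfs_offsets(path):
        print(f"APFS partition: byte offset {off}, sector size {sec}")
```

Run it against the raw image (or the virtual raw file exposed by ewfmount); the detected sector size matters because the starting sector must be multiplied by it, not by an assumed 512.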