End-to-End Solution for APFS now Available

BlackLight 2018 R1 is now available. Combined with MacQuisition 2018 R1, it forms the world's first and only complete end-to-end acquisition, decryption, and analysis solution for the latest Apple File System (APFS).

Demand for a reliable acquisition and analysis solution is growing daily as more and more APFS formatted devices are being brought to examiners. BlackBag Technologies, with over 14 years of experience supporting Apple forensics, once again proves to be the leader in providing forensic examiners with a truly complete solution to investigate Apple devices.

Since the release of BlackLight 2018 R1 in February, we have added enhancements based on customer feedback and continued to improve our Apple File System (APFS) support. Decryption has been improved for APFS volumes where multiple user encryption profiles are present.

To get examiners started, the steps below outline tips and tricks for acquiring and processing APFS evidence with the powerful combination of MacQuisition and BlackLight.

ACQUIRING APFS SYSTEMS

When examiners encounter a system using APFS, the disk presents an APFS container inside which several volumes may exist. APFS volumes share the container's pool of blocks rather than occupying a fixed range of sectors, so they cannot be individually imaged the way traditional macOS (HFS+) volumes could. Imaging the APFS container or the parent physical disk captures the volume(s) in their current state, including encryption if present. MacQuisition 2018 R1 supports both collecting logical files from unlocked volumes and imaging the encrypted physical disk. Both methods are described below, followed by how to bring either result into BlackLight 2018 R1.

Begin by opening MacQuisition 2018 R1 and select Image Device.

Figure: MacQuisition displaying Memory, 1 disk with 1 APFS container with stock volumes (Macintosh HD, VM, Preboot, Recovery)

Let’s review the three relevant disks in the above figure:

  1. disk0 - the physical disk; the red text indicates it contains an APFS container.
  2. disk1 - the synthesized APFS container housed on disk0. macOS presents this synthesized device as a separate virtual disk entry, but the Mac has only one physical disk.
  3. disk1s1 (Macintosh HD) - the red text indicates the volume is encrypted. Although macOS exposes it as a /dev/disk device, it is a synthesized device rather than a real block device, and thus cannot be imaged on its own.

At this point an examiner can choose to acquire disk0 in its encrypted state, or unlock the volume and collect logical files.
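The same layout can be read from the command line. The shell script below is an added example, not MacQuisition or BlackLight code: it parses the text output of `diskutil apfs list` and reports, for each container, the physical store partition and the whole disk to image, and for each volume whether FileVault is locked. The field labels it matches (`APFS Container Reference:`, `APFS Physical Store Disk:`, `APFS Volume Disk (Role):`, `Name:`, `FileVault:`) are assumed to follow the macOS 10.13 format, and the sample listing embedded at the bottom is constructed for the example rather than captured from a real Mac.

```shell
#!/bin/sh
# Added example (not MacQuisition or BlackLight code): summarise the APFS
# layout before imaging. Reads `diskutil apfs list` text on stdin and prints
# one line per container (which physical device to image) and one line per
# volume (FileVault state). Field labels are assumed to match macOS 10.13.

apfs_targets() {
    awk '
    /APFS Container Reference:/ { container = $NF }      # e.g. disk1 (synthesized)
    /APFS Physical Store Disk:/ {
        store = $NF                                      # e.g. disk0s2
        parent = store
        sub(/s[0-9]+$/, "", parent)                      # disk0s2 -> disk0: the device to image
        printf "container=%s store=%s image_device=%s\n", container, store, parent
    }
    /APFS Volume Disk \(Role\):/ {
        sub(/.*APFS Volume Disk \(Role\):[ \t]*/, "")    # leave "disk1s1 (No specific role)"
        vol = $1
    }
    /^[ |]*Name:/ {
        sub(/^[ |]*Name:[ \t]*/, "")
        sub(/ \(Case-(in)?sensitive\)$/, "")
        name = $0
    }
    /^[ |]*FileVault:/ {
        state = "unencrypted"
        if ($0 ~ /Yes \(Locked\)/)   state = "locked"
        if ($0 ~ /Yes \(Unlocked\)/) state = "unlocked"
        # An APFS volume is never a real block device, so it is never imageable alone.
        printf "volume=%s name=\"%s\" filevault=%s imageable_alone=no\n", vol, name, state
    }'
}

# Constructed sample in the shape of `diskutil apfs list` (one container, one
# physical store, the four stock volumes, Macintosh HD locked by FileVault).
SAMPLE_DISKUTIL=$(cat <<'EOF'
APFS Container (1 found)
|
+-- Container disk1 CONTAINER-UUID
    ====================================================
    APFS Container Reference:     disk1
    Capacity Ceiling (Size):      500068036608 B (500.1 GB)
    |
    +-< Physical Store disk0s2 STORE-UUID
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       500068036608 B (500.1 GB)
    |
    +-> Volume disk1s1 VOLUME-UUID
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s2 VOLUME-UUID
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk1s3 VOLUME-UUID
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk1s4 VOLUME-UUID
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               Not Mounted
        FileVault:                 No
EOF
)

# On a live Mac the real listing would be piped in instead:
#   diskutil apfs list | apfs_targets
printf '%s\n' "$SAMPLE_DISKUTIL" | apfs_targets
```

For the sample above the first line reports `image_device=disk0`, matching the choice of disk0 in the walkthrough, and the Macintosh HD line reports `filevault=locked`, which tells the examiner up front that a logical collection will require unlocking the volume first. The script only reads the listing; it does not mount or modify anything.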

DECRYPTING THE VOLUME

If the examiner wants to preview the encrypted volume or collect logical files, they first need to unlock it. To unlock the Macintosh HD volume, navigate to Tools and select Mount Device.

Figure: Enter password to unlock partition

The examiner can use either a valid user password or the Mac's FileVault recovery key to unlock the volume. Once entered, click Unlock.

Figure: Partition successfully unlocked message

Once the volume is unlocked, return to the Image Device screen.

Figure: Image Device now indicates unlocked

Notice that disk1s1 now shows as unlocked, but it still cannot be imaged on its own. Either select Data Collection to collect logical files, or acquire the whole disk.

COLLECTING DECRYPTED LOGICAL FILES ONLY

Because an encrypted APFS volume cannot be imaged in its unlocked state, MacQuisition 2018 R1 provides the option to collect selected files to a destination folder or a Mac sparse image.

To collect decrypted logical files, select the Data Collection option.

Figure: User can select files or folders to acquire

Files and folders from the unlocked volume can now be selected for collection to a destination folder or sparse image. Select Start when ready to begin the file collection.

IMAGING THE PHYSICAL DEVICE

Finally, after logical collection is complete, return to Image Device and select disk0 to preserve the whole disk.

Figure: Imaging in progress gives option for comment

NOTE: In the Comments window, the examiner may want to record the user password and recovery key so they are available later when ingesting the image into BlackLight. Keep in mind that the comment is stored with the image, so anyone who receives a copy of the image also receives those credentials; if the image will leave the examiner's control, record them in the case notes instead.

ADDING AN APFS EVIDENCE FILE INTO A CASE

On a system running BlackLight, either Mac or Windows, create or open a case file. Click on Add Evidence and select the image created in MacQuisition.

Figure: Add Evidence displaying APFS container in grey

Notice the grey box around the APFS container and the volumes within it in the image above. Decryption of APFS is built into BlackLight 2018 R1 on both Windows and Mac systems.

Click the checkbox next to Macintosh HD to open the password prompt.

Figure: For encrypted partitions, users can enter a password or a recovery key

The examiner can enter either a password or a recovery key in this box. Note: if using a recovery key, enter it in ALL CAPS and include the dashes.

Once the volume is decrypted, select the desired processing options and click Start. Note: with APFS, all volumes in a container share one pool of free blocks, so unallocated space belongs to the container rather than to any single volume and can only be carved from that pooled storage. You must therefore choose to carve unallocated space in the Add Evidence ingestion options window. If carving from unallocated is not selected during ingestion, the disk must be added again with only Unallocated selected.

Figure: Select Ingestion Options for decrypted APFS partitions

Once parsing has finished, the examiner can browse the content and confirm that the file system is displayed as expected.

Figure: Once decrypted, the examiner can browse, tag and report as usual

SUMMARY

Examiners need this trusted combination of imaging and processing tools, working together, to give them complete access to the APFS devices they are likely to encounter.  For more information about APFS and how it will impact your investigations, you can view our Ask the Expert Webinar on APFS here.

BlackBag Technologies is dedicated to supporting our customers by continually improving our support for the latest file systems and artifacts.  We are proud to release the first truly complete solution for APFS, using what is currently known about this new file system. We will continue to update our tools as changes are made by Apple and more is learned about forensic examination of the new Apple File System.  For feedback on our APFS support or any other enhancements, please contact us at: https://www.blackbagtech.com/productfeedback.html
