BlackLight 2018 R1, when combined with MacQuisition 2018 R1, is the world’s first and only complete end-to-end acquisition, decryption, and analysis solution for the latest Apple File System (APFS).
Demand for a reliable acquisition and analysis solution is growing daily as more and more APFS formatted devices are being brought to examiners. BlackBag Technologies, with over 14 years of experience supporting Apple forensics, once again proves to be the leader in providing forensic examiners with a truly complete solution to investigate Apple devices.
Since the release of BlackLight 2018 R1 in February, we have added enhancements based on customer feedback and have continued to improve our Apple File System (APFS) support. Decryption capabilities have been improved for APFS devices where multiple user encryption profiles are present.
To get examiners started, the steps below outline tips and tricks for acquiring and processing APFS evidence with the powerful combination of MacQuisition and BlackLight.
ACQUIRING APFS SYSTEMS
When examiners encounter systems using APFS, the system will present an APFS container, inside of which several volumes may be present. Because APFS volumes share the container’s pooled block storage rather than occupying a fixed partition of their own, they cannot be individually imaged. When imaging the APFS container or the parent physical disk, the resulting image will contain the volume(s) in their current state, so an encrypted volume stays encrypted in the image. MacQuisition 2018 R1 supports both collecting the logical files from unlocked volumes and imaging the encrypted physical disk. We will highlight both methods below before showing how to bring either image type into BlackLight 2018 R1.
Begin by opening MacQuisition 2018 R1 and select Image Device.
Let’s review the three relevant disks in the above figure:
- disk0 - the physical disk; the red text indicates it contains an APFS container
- disk1 - the synthesized APFS container housed on disk0. macOS presents this synthesized device as a separate virtual disk entry, but the Mac only has one physical disk.
- disk1s1 (Macintosh HD) - the red text indicates it is an encrypted volume. Even though macOS displays it as a /dev/disk device, it is not a real block device, and thus cannot be imaged on its own.
At this point an examiner can choose to acquire disk0 in its encrypted state, or unlock the volume and collect logical files.
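The same layout can be read off the live system before MacQuisition is launched. The following Python script is an added example, not code from BlackBag, MacQuisition or BlackLight: it parses the text output of diskutil apfs list (the line layout is an assumption based on macOS 10.13-era output, and the sample embedded in the script is constructed) and derives the two facts the acquisition choice turns on: which physical disk backs the container and is therefore the device to image, and which volumes are FileVault-locked and must be unlocked before logical files can be collected. It goes slightly beyond the single-disk figure above by tolerating more than one container and containers with more than one physical store (Fusion Drives).

```python
"""Map the devices macOS reports for an APFS container onto an acquisition plan.

Added example, not code from BlackBag, MacQuisition or BlackLight. The line
layout parsed below is assumed to match macOS 10.13-era `diskutil apfs list`
output; check it against your own system before relying on it.
"""
import re
import subprocess

# Constructed sample of `diskutil apfs list` for the single-disk Mac in the
# text: disk0 physical, disk1 synthesized container, disk1s1 FileVault-locked.
# UUIDs and sizes are made up.
SAMPLE_APFS_LIST = """\
APFS Container (1 found)
|
+-- Container disk1 6E1A2B3C-0000-4000-8000-000000000001
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      500000000000 B (500.0 GB)
    Capacity In Use By Volumes:   120000000000 B (120.0 GB) (24.0% used)
    Capacity Not Allocated:       380000000000 B (380.0 GB) (76.0% free)
    |
    +-< Physical Store disk0s2 7F2B3C4D-0000-4000-8000-000000000002
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       500000000000 B (500.0 GB)
    |
    +-> Volume disk1s1 8A3C4D5E-0000-4000-8000-000000000003
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         118000000000 B (118.0 GB)
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s4 9B4D5E6F-0000-4000-8000-000000000004
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (Recovery)
        Name:                      Recovery (Case-insensitive)
        Mount Point:               Not Mounted
        Capacity Consumed:         500000000 B (500.0 MB)
        FileVault:                 No
"""


def parse_apfs_list(text):
    """Return a list of containers, each with its physical stores and volumes."""
    containers, cur, vol = [], None, None
    for line in text.splitlines():
        m = re.search(r"\+-- Container (disk\d+)", line)
        if m:  # new container block; lines until the next one belong to it
            cur = {"container": m.group(1), "physical_stores": [], "volumes": []}
            containers.append(cur)
            vol = None
            continue
        if cur is None:
            continue
        m = re.search(r"APFS Physical Store Disk:\s+(disk\d+s\d+)", line)
        if m:  # the partition that actually holds the container's blocks
            cur["physical_stores"].append(m.group(1))
            continue
        m = re.search(r"\+-> Volume (disk\d+s\d+)", line)
        if m:  # synthesized volume device; it has no fixed block range of its own
            vol = {"device": m.group(1), "name": None, "role": None,
                   "filevault": False, "locked": False}
            cur["volumes"].append(vol)
            continue
        if vol is None:
            continue
        m = re.search(r"APFS Volume Disk \(Role\):\s+\S+ \((.*?)\)", line)
        if m:
            vol["role"] = m.group(1)
            continue
        m = re.search(r"\bName:\s+(.*?)(?:\s+\(Case-\w+\))?\s*$", line)
        if m:
            vol["name"] = m.group(1)
            continue
        m = re.search(r"FileVault:\s+(Yes|No)(?: \((Locked|Unlocked)\))?", line)
        if m:  # "Yes (Locked)" means unlock first; "Yes (Unlocked)" or "No" does not
            vol["filevault"] = m.group(1) == "Yes"
            vol["locked"] = m.group(2) == "Locked"
    return containers


def acquisition_plan(containers):
    """For each container: what to hand to Image Device, and what to unlock first."""
    plan = []
    for c in containers:
        # Volumes and the container are not block devices; image the parent disk
        # of each physical store. A Fusion Drive container lists two stores.
        parents = sorted({re.match(r"disk\d+", s).group(0) for s in c["physical_stores"]})
        plan.append({
            "container": c["container"],
            "image_devices": parents,
            "not_imageable": [c["container"]] + [v["device"] for v in c["volumes"]],
            "unlock_before_logical_collection": [v["device"] for v in c["volumes"] if v["locked"]],
        })
    return plan


def live_apfs_list():
    """Run `diskutil apfs list` on a macOS host (not used by the offline sample)."""
    return subprocess.run(["diskutil", "apfs", "list"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for entry in acquisition_plan(parse_apfs_list(SAMPLE_APFS_LIST)):
        print(entry)
```

On a live Mac, replace SAMPLE_APFS_LIST with live_apfs_list(); the plan then names disk0 as the only device worth passing to Image Device and disk1s1 as the volume to unlock before Data Collection.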
DECRYPTING THE VOLUME
If the examiner would like to preview the encrypted volume or collect logical files, they will first need to unlock it. To unlock the Macintosh HD volume, navigate to Tools and select Mount Device.
The examiner can use either a valid user password or the Mac’s FileVault recovery key to unlock the volume. Once entered, click Unlock.
Once decryption is successful, the user may return to the Image Device screen.
Notice that disk1s1 now shows as unlocked, but the examiner still cannot image just that volume: either select Data Collection to collect logical files, or acquire the whole disk.
COLLECTING DECRYPTED LOGICAL FILES ONLY
Since imaging an encrypted APFS volume in its unlocked state is not possible, MacQuisition 2018 R1 provides the option to collect selected files to a destination folder or Mac sparse image.
To collect decrypted logical files, select the Data Collection option.
Files and folders from the unlocked volume can now be selected for collection to a destination folder or sparse image. Select Start once ready to begin the file collection.
IMAGING THE PHYSICAL DEVICE
Finally, after the logical collection has completed, the examiner can return to Image Device to preserve the whole disk. Navigate back to Image Device and select disk0.
NOTE: In the Comments window, the examiner may want to record the user password and recovery key so they are at hand later when ingesting the image into BlackLight. Bear in mind that the comments are stored with the image, so anyone who receives a copy of the image also receives the credentials needed to decrypt it; where the image will leave the examiner’s control, record them in the case notes instead.
ADDING AN APFS EVIDENCE FILE INTO A CASE
On a system running BlackLight, either Mac or Windows, create or open a case file. Click on Add Evidence and select the image created in MacQuisition.
Notice in the image above the grey box around the APFS container and the volumes within it. Decryption of APFS is built into BlackLight 2018 R1 running on both Windows and Mac systems.
Click the checkbox next to Macintosh HD to open the password prompt.
The examiner can use either the password or the recovery key in this dialog. Note: If using a recovery key, please enter it in ALL CAPS and include the dashes.
Once the volume is decrypted, select the desired processing options and click Start. Note: Because APFS volumes share the container’s pooled storage, unallocated space belongs to the container rather than to any one volume, so you can only carve from that pool. This means you must choose to carve the unallocated space in the Add Evidence ingestion options window. If carving from unallocated is not selected during ingestion, the disk must be added again with only Unallocated selected.
Once parsing has finished, the examiner can start browsing content and confirm that the file system is displayed as expected.
Examiners need this trusted combination of imaging and processing tools, working together, to give them complete access to the APFS devices they are likely to encounter. For more information about APFS and how it will impact your investigations, see our Ask the Expert webinar on APFS.
BlackBag Technologies is dedicated to supporting our customers by continually improving our support for the latest file systems and artifacts. We are proud to release the first truly complete solution for APFS, using what is currently known about this new file system. We will continue to update our tools as changes are made by Apple and more is learned about forensic examination of the new Apple File System. For feedback on our APFS support or any other enhancements, please contact us at: https://www.blackbagtech.com/productfeedback.html