±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 34312
New Yesterday: 0 Visitors: 199

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Encase 8.07 APFS

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Encase 8.07 APFS

Post Posted: Wed May 16, 2018 10:33 am

Hey

As most of you have probably seen Opentext are now saying they support APFS within encase 8.07. Has anyone actually got this to work?

I have a physical image of a drive from a macbook, the drive has an unencrypted APFS volume but when loading into encase all i get is an entry called 'mastersuperblockcontainer' and below that about 128 entries called checkpoint. I can mount the image on a mac and view the data without problem, also blacklight can parse the image without issue.

I have spoken to opentext and they are dodging the issue blaming the problem on the method of e01 creation (Guymager).

Has anyone actually managed to view data from an apfs volume within encase?

Cheers  

johnking89
Newbie
 
 
  

Re: Encase 8.07 APFS

Post Posted: Thu May 17, 2018 2:56 am

Works for me  

AmNe5iA
Senior Member
 
 
  

Re: Encase 8.07 APFS

Post Posted: Fri May 18, 2018 6:57 am

I'm having the same issue with an E01 created using Macquisition 2018R1.2

This admittedly is an Encrypted APFS and blacklight is the only program I know so far that can decrypt it.  

MrMacca
Member
 
 
  

Re: Encase 8.07 APFS

Post Posted: Mon Jun 11, 2018 7:36 am

I’m having a similar issue.

Two Macs imaged with different versions of Paladin, but EnCase 8.07 only shows the “MasterContainerSuperBlock” subfolder with no actual data.

Case opened with Opentext support. Their suggestion at this stage is that the E01 may be faulty, however Blacklight, Paragon apfs mounter and APFS-fuse parses the image.

Will post here if we get to the bottom of the problem.  

jaco_za
Newbie
 
 
  

Re: Encase 8.07 APFS

Post Posted: Mon Jun 11, 2018 7:53 am

I contacted Guidance regarding Encase getting encrypted APFS E01 support and they messaged me back saying that they expect it to be available some time in October 2018 as they are still researching it.

Have you attempted to load the E01 image within blacklight 2018.1.1? If you contact Blackbagtech you might be able to get a trial of their software.

When i did this, the E01 created with Macquisition opened up fine in Blacklight.

Kind regards

(Edit - Just re-read and saw you have already used Blacklight, my mistake)  

Last edited by MrMacca on Mon Jun 11, 2018 8:03 am; edited 1 time in total

MrMacca
Member
 
 
  

Re: Encase 8.07 APFS

Post Posted: Mon Jun 11, 2018 7:58 am

X-ways 19.7 Preview 5 also has updated APFS support, try it on that and see if that gives same result.  

minime2k9
Senior Member
 
 

Page 1 of 1