
Nuix and Encrypted APFS images

(@mrmacca)
Posts: 20
Eminent Member
Topic starter
 

Looking for some advice regarding how to get an Encrypted APFS E01 image into Nuix 7.6.

Has anyone had any success with this yet?

In the past we were just importing a logical image of the content that was created using MacQuisition; however, this changes the dates and times of any folders, so it's not ideal.

Does anyone know of a program that can load an Encrypted APFS E01 and then extract the contents out to an E01 or an L01?

Any help would be greatly appreciated.

Thanks in advance.

 
Posted : 23/11/2018 2:01 pm
(@jahearne)
Posts: 35
Eminent Member
 

My best guess, because I haven't tested it yet, but this is what I would try to do: You will have to decrypt it in EnCase or BlackLight and write it to a hard drive (or other medium) un-encrypted, then scan that drive into Nuix. Oh, but wait! Nuix doesn't support APFS.

I think the way you were doing it is the best way! Create an E01 as well for preservation's sake. Folders are considered Immaterial Items anyways. As long as the document metadata doesn't change you should be alright.

I'm backlogged right now, I'd love to test this…

 
Posted : 17/01/2019 3:42 am
(@mrmacca)
Posts: 20
Eminent Member
Topic starter
 

Another method I have tried is the following:

APFS Encrypted? Decrypt using Passware.

Load this new image into X-Ways Forensics 19.7. Once it populates the partitions, I then create a new Container file and add all of the folders that are present.

I then close the Container file, which then allows me to save it as an E01. I do this and then add this newly created E01 into Nuix, and so far it imports fine.

Still testing though.

 
Posted : 22/01/2019 4:51 pm
(@johnking89)
Posts: 5
Active Member
 

How about loading it into EnCase 8.08 to decrypt and then creating an L01?

 
Posted : 22/01/2019 5:11 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What did the vendor or your SE say?

Usually when I want to know how to do something new (to me, anyway) in a tool (FOSS or commercial) I start by going to the person/people who wrote it. In some cases, they may already have a solution.

 
Posted : 22/01/2019 8:30 pm