APFS and NUIX

 
  

Rich2005
Senior Member
 

APFS and NUIX

Posted: Apr 23, 19 15:20

Afternoon all,
Just wondered if anyone had a good workaround for APFS and NUIX (investigator version in my instance - but I imagine the engine will be the same or similar for most of their products).
It has tentative support I know, but so far I've had no luck with parsing it, and confirmed via support that it's the tool having trouble doing so (perhaps due to a non-clean shutdown - though tools like X-Ways can read it fine).
Obviously using a tool like Blackbag's suite would be preferable (due to their focus on this sort of thing) but isn't an option until some extra yearly budget magically appears.
I've tried mounting the user volume logically (via EnCase I think it was) and then processing it with store-binary, as a rough-and-ready way to make it reviewable using NUIX, however whilst this appeared to complete, looking at the processing I think what actually happened was the mounting fell over at some point before the end, and then the processing just quit and finished as it couldn't see any more data.
Exporting the entire contents of the volume ran into its own issues (think it was long file paths or problematic names).
I can examine the drive, if needs be, using X-Ways, but it's going to be easier/quicker if I can get the drive into NUIX and treat it as part of the job as a whole, rather than splitting it off and doing a separate examination on it.
So if anyone can think of a novel way to get it into NUIX somehow I'm all ears!
Thanks,
Rich  
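
Added example, not part of the original post: a pre-export check for the two problems the post suspects when exporting the volume's contents to a Windows workstation (over-long paths and names Windows rejects). It assumes a plain file listing of the volume with POSIX-style relative paths; the function names, sample listing and destination folder are constructed for illustration.

```python
import re

MAX_PATH = 260  # classic Win32 limit, counting the terminating NUL
INVALID_CHARS = re.compile(r'[<>:"\\|?*\x00-\x1f]')  # legal on APFS, rejected by Windows
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}


def export_problems(rel_path, dest_root):
    """Return the reasons a volume-relative path may fail to export under dest_root."""
    reasons = []
    parts = rel_path.strip("/").split("/")
    win_path = dest_root.rstrip("\\") + "\\" + "\\".join(parts)
    if len(win_path) + 1 > MAX_PATH:
        reasons.append("path too long (%d chars)" % len(win_path))
    for part in parts:
        if INVALID_CHARS.search(part):
            reasons.append("invalid character in %r" % part)
        if part != part.rstrip(" ."):
            reasons.append("trailing space or dot in %r" % part)
        if part.split(".")[0].upper() in RESERVED:
            reasons.append("reserved device name %r" % part)
    return reasons


def audit(listing, dest_root):
    """Map each problematic path to its reasons; clean paths are omitted."""
    report = {}
    for path in listing:
        reasons = export_problems(path, dest_root)
        if reasons:
            report[path] = reasons
    return report


# Constructed sample listing (not taken from any real image).
SAMPLE = [
    "Users/user1/Documents/report.docx",
    "Users/user1/Desktop/Meeting 12:30 notes.txt",
    "Users/user1/Desktop/drafts./aux.txt",
    "Users/user1/Library/" + "/".join(["Application Support Cache"] * 10) + "/state.db",
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE, "E:\\export").items():
        print(path[:60], "->", "; ".join(reasons))
```

Comparing the number of flagged paths against the number of files missing from the export shows whether naming and path length account for the whole shortfall.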
 
  

UnallocatedClusters
Senior Member
 

Re: APFS and NUIX

Posted: Apr 23, 19 20:32

1) Install Paragon's US$15.00 APFS for Windows software to the Nuix workstation: www.paragon-software.c...s-windows/

2) Install Paragon's APFS Image Mounter to the Nuix workstation: www.paragon-software.c...e-mounter/

Point Nuix at the APFS-mounted APFS format forensic image and process the mounted volume (which Nuix *should* be able to ingest now).  
 
  

dandaman_24
Senior Member
 

Re: APFS and NUIX

Posted: Apr 23, 19 20:59

Process in Blacklight, export files into .dmg; this way preserves the metadata. I did it the other day, worked a treat.
 
  

Rich2005
Senior Member
 

Re: APFS and NUIX

Posted: Apr 24, 19 10:35

- UnallocatedClusters
1) Install Paragon's US$15.00 APFS for Windows software to the Nuix workstation: www.paragon-software.c...s-windows/

2) Install Paragon's APFS Image Mounter to the Nuix workstation: www.paragon-software.c...e-mounter/

Point Nuix at the APFS-mounted APFS format forensic image and process the mounted volume (which Nuix *should* be able to ingest now).


Thanks. Though sadly for business use it seems you need their business suite instead which is over £500 (and therefore not an option for me currently).

- dandaman_24
Process in Blacklight, export files into .dmg; this way preserves the metadata. I did it the other day, worked a treat.


Blacklight would indeed be helpful... but as mentioned in the original post I'm not going to get the thousands of pounds required for the Blackbag stuff ;)
 
  

MrMacca
Member
 

Re: APFS and NUIX

Posted: Apr 24, 19 15:53

Open the Image within X-ways so you can see the folder structure.

Then create a Container and then add the folders of the drive to the container. Save this container as an E01. (Specialist > Evidence File Container > New)

We have had success using this method.  
 
  

Rich2005
Senior Member
 

Re: APFS and NUIX

Posted: Apr 25, 19 11:32

- MrMacca
Open the Image within X-ways so you can see the folder structure.

Then create a Container and then add the folders of the drive to the container. Save this container as an E01. (Specialist > Evidence File Container > New)

We have had success using this method.


Great, thanks Macca. I've not used containers much in X-Ways. Will give that a go at the next opportunity.
 
  

jaclaz
Senior Member
 

Re: APFS and NUIX

Posted: Apr 25, 19 12:49

I don't think that there is any actual need (specifically) of the (costly) Paragon Image Mounter.

You can use - I believe - *any* similar software capable of mounting the image exposing it as a \\.\PhysicalDrive, which includes Arsenal Image Mounter and - recently - the OFSmount among others.

The Paragon APFS driver is a file system driver (IFS) capable of accessing volumes on (real, physical) disks formatted with APFS, and it should work just fine for virtual ones, as long as they emulate a physical disk.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
