قالب وردپرس درنا توس
Home / Mac / Mount all things! – Mounting of APFS and 4k disk images on macOS 10.13 – mac4n6.com

Mount all things! – Mounting of APFS and 4k disk images on macOS 10.13 – mac4n6.com




Recently there have been some questions on the forum and Twitter about how to mount forensic disk images captured from the Mac system that implemented 4k block sizes. A few years ago, Mac systems began using 4k blocks instead of 512 byte block sizes. This has caused some problems where you need to mount the image to do analysis without a major forensic suite. BlackBag wrote a good blog post in this last month, but I hope to expand on it just a little to include E01 files and FileVault encryption scenarios.

I also want to detail how to mount forensic disk images using the newer APFS file system, so analysts can start doing their stuff while all forensic tools come up! APFS disk images already look like using 4k block sizes by default, at least on all test systems. If you see anything else, please let me know!

This article will try to give you some options to mount these photos, but it can not solve all the problems or combinations of disks / block sizes / host operating systems ̵

1; it appears that you will need to upgrade to 10.13 at a time to resolve many of these problems.

The following steps will bring you from a full HFS + FileVault 4k disk image in EWF format to a mounted image using macOS 10.13. (If you have a raw image (non-EWF), you can bypass steps 1 and 3.) [sudomkdir/volumer/4k_image/

  • $ sudo mkdir / volumer / 4k_mounted /

  • $ sudo xmount – in ewf – out dmg 4k.E01 / Volumer / 4k_image /

  • $ hdiutil attachment -nomount -blockize 4096 /Volumes/4k_image/4k.dmg

  • [Input Password in Prompt Window]
  • $ diskutil cs list [19659006] $ sudo mount_hfs -o rdonly, noexec , noowners / dev / disk # / Volumer / 4k_mounted /

  • 1. Create a mount point to set xmount converted DMG image (converted from EWF format). [sudo is required when dealing with /Volumes/ since 10.12]

    2. Create another mounting point to put the mounted image on. This will act as the root volume of the mounted image.

    3. Use xmount (sudo required) to convert from EWF (–in) to DMG (–out) format. DMG is selected here since it is very Mac friendly. Give the E01 image (use E? If you use segments) and the converted image fix point created in step 1. This can take a few seconds if the image is large. Theoretically you can use another mounting tool, I have tried ewfmount at 10.13 and ran into errors that I'm still investigating. Having trouble installing Xmount? Does it say that OS X Fuse is not installed? See the comments box for a solution.

    4. Using hdiutil, add (but not even mount) the DMG file created in step 3. Using the hidden argument, you can specify 4096 (& # 39; 4k & # 39; can also be used here). It's worth noting that while it's hidden in 10.13, this option does not look in 10.12 versions of this tool. It is also not detailed on hdiutil man since. Had to love hidden functionality! This will be a bunch of / dev / disk * options, but none of these are the ones you need thanks to CoreStorage.


    Source link