

There are four volumes on the second disk, one of which has the OS install.

    diskutil apfs unlockVolume /dev/disk5s1 -passphrase password

This will mount the drive as diskX and disk(X+1) – say disk4 and disk5

    hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount image.001

I found that adding DMG to the end didn’t always work, but you can use a combination of hdiutil and diskutil to mount the filesystem. In the meantime, there’s Jonas Plum’s project for Kaitai Struct, and the accompanying Digital Investigation article.

And don’t forget to watch the presentation by Steve Whalen at Sumuri on his research into APFS: September 27, 10:30 Pacific.
As a guess, to add support with one of the OS X acquisition tools the developers would need to update the OS to OS X High Sierra so if anyone wants to write instructions for creating a portable OS X instance with disk arbitration/read-only mounting and a method for creating an APFS disk image and copying files and folders with their attributes that would be great…

Apple indicates that it plans to open source the file system, but as of this posting, this hasn’t happened. I don’t think there’s a way of performing a logical acquisition on APFS with either tool at the moment, so it looks like you’ll have to take a physical image and then examine it later when examination tools have better support if you’re using the commercial suites I played with. Disk 0 and disk1 appear to be my APFS SSD. All that’s connected to the machine is the internal SSD and the imaging tool’s USB. They both detected the partitions, although interestingly you’ll see additional disks that “aren’t there”.

Similarly, the current version of MacQuisition allowed me to boot and image the drive. That let me boot and image my MacBook Pro. I updated Recon Imager to v1.02 and apparently, v1.03 should be released shortly. Will have to try another test case tomorrow.

I was adding the drive that I’d imaged back to itself (imaged Mac, then booted Mac to review the image), so that may have caused me to skip a few steps with regards to FileVault2. I still wasn’t able to get that working in BlackLight though (may be user error, or it may be support – BlackBag have indicated that the next update is due out early November). Outside of forensic tools, I was able to add the DMG extension to my DD image and then add that as a drive on OS X so there’s at least that to allow examiners to manually review files in an image. Interestingly, both showed up in the ‘Add Evidence’ window as two separate disks each but I was unable to add either of them to my test case. The Windows-based tools couldn’t read the file system as expected.

From there I loaded up BlackLight on the Mac, and tried to add both my High Sierra installation, as well as a 100 MB APFS disk image. Then I took a look at the drive in a few of the tools that I had available:

This won’t work if you’re currently booted off that volume, so I rebooted into the recovery media and loaded up the Terminal app. Then, after reviewing Apple’s documentation, I converted the first two volumes (meant to only do the second, but a mistype meant I converted two out of three) of my High Sierra installation. Although it may only work for internal SSDs, and all external drives may be formatted with HFS+ (if someone wants to test this let me know and I’ll update the post).

Anyways! As expected, the HFS+ volumes were viewable in currently available tools.
If you install onto an SSD then it will automatically convert the filesystem to APFS. Apparently, this was because I used a hard drive rather than a solid state drive. I would have thought that it would have created the partitions through the installer app on my MBP and then formatted the OS partition with APFS. Interestingly, once the installation had completed I had a look at the file system and it had formatted my external drive as HFS+.
I downloaded the installer for High Sierra on a MacBook Pro (running El Capitan) and used it to install the OS on an external hard drive (note: I also tried, unsuccessfully, to create a USB installer and boot into that; it didn’t work, and after a couple attempts I realised I could just install it directly using the update from the App Store…whoops). Based on Steve’s video I thought it would be a good idea to do some testing. On the 25th September Apple released OS X High Sierra which uses the Apple File System (APFS) as its default file system. Will add some information to the bottom of the post of what’s happened since. Update – this has been a really popular post but it’s very outdated now.
