mopsolution.blogg.se

Apple serial number finally forensic analysis
OXYGEN FORENSIC DETECTIVE

Oxygen Forensic® Detective is an all-in-one forensic software platform built to extract, decode, and analyze data from multiple digital sources: mobile and IoT devices, device backups, UICC and media cards, drones, and cloud services. It can also find and extract a wide range of artifacts, system files and credentials from Windows, macOS, and Linux machines. Multiple extractions can be investigated in a single interface to gain a complete picture of the data. The technologies deployed in Oxygen Forensic® Detective include, among others, bypassing screen locks, locating passwords to encrypted backups, extracting and parsing data from secure applications and recovering deleted data. Integrated analytical tools find social connections, build timelines, and categorize images for law enforcement, corporate investigators and other authorized personnel. Oxygen Forensic® Detective is distributed on a USB dongle and is licensed for a single user.

MAC_APT APFS SUPPORT

Over the past few months, I've been working on adding APFS support to mac_apt, and it's finally here. Version 0.2 of mac_apt is now available with APFS support. It also adds a new plugin to process print jobs, some enhanced functionality in other plugins and several minor bug fixes.

As of now basic APFS support is complete: mac_apt can view and extract any file on the file system, including compressed files. It does not support FileVault2 (encryption) and will not handle an encrypted volume. The checkpoint feature of APFS is currently not supported or tested, although this may be added later. This is the first freeware forensic processing tool to support APFS. I believe at this time Sumuri Recon is the only commercial one. I am unaware of any other that can read APFS.

I would like to thank Kurt-Helge Hansen for publishing the paper detailing APFS internal structure and working. He was also helpful in providing proof-of-concept code for the same.

The implementation is based on the APFS template built with Kaitai Struct. Kaitai Struct is a library that lets you describe binary (C-style) structures declaratively and then generates all the code required to read them. For APFS, the Kaitai Struct template was developed originally by Jonas Plum & Thomas Tempelmann.

The approach we've taken is to read all inodes and populate a database with this data. This means we have to read the entire filesystem metadata upfront before we have the information to read even a single file. It isn't ideal: it practically takes 2-4 minutes on an image of a default macOS installation (using my slow regular SATA III external disk over USB3), which is not too bad. But I opted for this path as it is the only solution available for now. Why?

The way APFS stores files in its b-tree, they are not sorted alphabetically by name. Instead, a 3-byte hash is computed for each file name and the b-tree keeps its nodes sorted by this hash. The problem is that this hash algorithm is currently unknown. It may be some sort of CRC variant or something very different. Until this algorithm is known, we cannot write a native parser that walks the b-tree to look up a file by name.

The database does offer several advantages though. For compressed files, we can pre-compute the logical size and save it for quick retrieval. In APFS, a compressed file has its logical size set to zero in the file metadata. To look up its real size, you have to read its compressed data header (which may be inline in an extended attribute or in a resource fork), parse it and get the uncompressed (logical) size. This often means going out to an extent to read it, which is slow. Pre-populating this information in a database makes later analysis much quicker.

APFS allows extended attributes to be defined and used just as in HFS+. This means a file can have extended attributes, and those are used to store the compression parameters (as in HFS+).

APFS also uses copy-on-write, which means that if you copy a file, the resulting copy does not duplicate the data on disk. Both inodes (original and copy) point to the same original extents. Only when the copy is changed are new extents allocated. Expect, therefore, to see distinct inodes with identical extent lists on such volumes; that is normal and not a parsing error.

If you are not familiar with APFS, the Disk Info output from mac_apt might look strange to you.

[Screenshot: Disk Info data from mac_apt showing the same offset and size for all APFS volumes]

This output is from a default installation of High Sierra, where the disk partitioning scheme is GPT and it defines 2 partitions. Yet the Disk Info output may be read as 4 partitions, all of type APFS, having the exact same starting offset and size! The reason is that APFS is a little different: it isn't just defining a volume, rather it implements a container which can host several volumes in it, and every volume reported by mac_apt carries the offset and size of that container.
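The following is an added example, not mac_apt's code and not from the original post, showing the compressed-file lookup and the database pre-population described in the mac_apt discussion above: for each inode whose logical size is zero, read the decmpfs header from the `com.apple.decmpfs` extended attribute, recover the uncompressed size, and store it in a SQLite table so later queries never touch the extents again. It goes slightly beyond the text by also unpacking an inline zlib payload. The 16-byte header layout (magic, compression type, uncompressed size), the compression-type numbers, and the 0xFF "stored raw" marker are assumptions taken from public descriptions of the decmpfs format; the inode records are constructed here, not read from an image.

```python
"""Recover logical sizes of decmpfs-compressed files and cache them in SQLite.

Added illustration only (not mac_apt code). Header layout, type numbers and
the 0xFF raw-chunk marker are assumptions from public decmpfs documentation.
"""
import sqlite3
import struct
import zlib

DECMPFS_XATTR = "com.apple.decmpfs"
DECMPFS_MAGIC = b"fpmc"               # 'cmpf' written little-endian appears as "fpmc" on disk
HEADER_FMT = "<4sIQ"                  # magic, compression_type, uncompressed_size
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes

# Where the compressed payload lives for a given compression_type (assumed values).
INLINE_TYPES = {3: "zlib", 7: "lzvn"}        # payload follows the header inside the xattr
RSRC_FORK_TYPES = {4: "zlib", 8: "lzvn"}     # payload is in the file's resource fork


def parse_decmpfs_header(blob):
    """Return (compression_type, uncompressed_size) from a decmpfs xattr value."""
    if len(blob) < HEADER_LEN:
        raise ValueError("decmpfs xattr shorter than its header")
    magic, ctype, usize = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != DECMPFS_MAGIC:
        raise ValueError("bad decmpfs magic %r" % magic)
    return ctype, usize


def inline_zlib_data(blob):
    """Unpack a type-3 (zlib, inline) payload; a leading 0xFF byte means stored raw."""
    payload = blob[HEADER_LEN:]
    if payload[:1] == b"\xff":
        return payload[1:]
    return zlib.decompress(payload)


def resolve_logical_size(inode):
    """Return (logical_size, compression_description) for one inode record.

    A non-zero size in the metadata is taken as-is; a zero size with a decmpfs
    xattr is resolved from the header, which is the slow step worth caching.
    """
    xattr = inode.get("xattrs", {}).get(DECMPFS_XATTR)
    if inode["logical_size"] != 0 or xattr is None:
        return inode["logical_size"], None
    ctype, usize = parse_decmpfs_header(xattr)
    if ctype in INLINE_TYPES:
        where = "%s (inline)" % INLINE_TYPES[ctype]
    elif ctype in RSRC_FORK_TYPES:
        where = "%s (resource fork)" % RSRC_FORK_TYPES[ctype]
    else:
        where = "unknown type %d" % ctype
    return usize, where


def build_catalog_db(inodes):
    """Pre-populate an in-memory SQLite table with resolved sizes (one pass over inodes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (cnid INTEGER PRIMARY KEY, name TEXT, "
                 "logical_size INTEGER, compression TEXT)")
    for ino in inodes:
        size, comp = resolve_logical_size(ino)
        conn.execute("INSERT INTO files VALUES (?, ?, ?, ?)",
                     (ino["cnid"], ino["name"], size, comp))
    conn.commit()
    return conn


def lookup_size(conn, name):
    """Cheap lookup after pre-population: (logical_size, compression) or None."""
    return conn.execute("SELECT logical_size, compression FROM files WHERE name = ?",
                        (name,)).fetchone()


def make_inline_zlib_xattr(data, store_raw=False):
    """Build a constructed type-3 decmpfs xattr value for the sample records below."""
    hdr = struct.pack(HEADER_FMT, DECMPFS_MAGIC, 3, len(data))
    body = b"\xff" + data if store_raw else zlib.compress(data)
    return hdr + body


# Constructed sample inode records (not taken from a real image).
NOTES_DATA = b"The quick brown fox jumps over the lazy dog. " * 40   # 1800 bytes
TINY_DATA = b"ok\n"
SAMPLE_INODES = [
    {"cnid": 21, "name": "notes.txt", "logical_size": 0,
     "xattrs": {DECMPFS_XATTR: make_inline_zlib_xattr(NOTES_DATA)}},
    {"cnid": 22, "name": "tiny.txt", "logical_size": 0,
     "xattrs": {DECMPFS_XATTR: make_inline_zlib_xattr(TINY_DATA, store_raw=True)}},
    {"cnid": 23, "name": "big.bin", "logical_size": 0,     # zlib in resource fork
     "xattrs": {DECMPFS_XATTR: struct.pack(HEADER_FMT, DECMPFS_MAGIC, 4, 5 * 1024 * 1024)}},
    {"cnid": 24, "name": "plain.txt", "logical_size": 42, "xattrs": {}},
]

if __name__ == "__main__":
    db = build_catalog_db(SAMPLE_INODES)
    for row in db.execute("SELECT name, logical_size, compression FROM files ORDER BY cnid"):
        print(row)
```

Only the type-3 payload is actually decompressed here; for resource-fork types the header still yields the logical size, which is all the pre-populated table needs, and the fork itself is only read when the file is extracted.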