We have received an AFF4 image of a Mac. The company who imaged the computer advised it had the t2 chip and APFS and they were not able to provide an E01 file.
Our goal is to search the files on the drive and then load them into a hosting platform for review. What are our options?
AFAIK, the two leading Mac acquisition solutions on the market today image Macs with the T2 chip to AFF4 or to a logical image such as a sparse image, or export the data to loose files. The sparse image is a bit more flexible as it can be mounted natively on a Mac without extra tools, but it is a logical image. The AFF4 image of a T2 Mac is more along the lines of a physical image, with some restrictions such as unallocated space being still encrypted (as of this writing).
What options you have depends largely on what tools you have access to. AFF4 support is currently very limited in most mainstream tools. X-Ways has APFS support and allows ingesting AFF4 images by using a third-party plugin from Evimetry. If you have X-Ways, you can download the plug-in here.
Something that might catch you by surprise is that when you point to an AFF4 image with the plug-in installed, X-Ways hangs for a minute or two with no progress indication. Presumably, the Evimetry plug-in is doing some background work there to present the AFF4 image in a way that X-Ways can work with. It would be great to have some progress indicator at that stage. I hope Schatz and Fleischmann can collaborate on building AFF4 support straight into X-Ways for a better user experience.
Also, Evimetry has a freely available file system bridge which loads the AFF4 image and presents it as a raw image. You can then ingest the raw image into an APFS-aware tool, or copy it out as a raw image for use by itself. UPDATE: Evimetry is no longer available.
Another logical option is to use BlackLight, which supports AFF4 and APFS. Working on Mac data on a Mac is generally a good idea due to the native support built into the OS.
If you need to add a new product to your workflow to support AFF4 & APFS, I would suggest looking into its search capabilities carefully to make sure they satisfy your requirements. For instance, OCRing documents without extractable text is a common requirement when performing blanket keyword searches, but many popular DFIR tools do not have this capability in their workflow. Also, if your search requires complex search expressions containing RegEx, proximity operators, etc., I would inquire about the search syntax of the tool to see what is possible.
What we do is ingest the AFF4 into Blacklight and then export out all the files into an L01, which is now more compatible with review tools.
You can also use Arsenal Image Mounter to mount the AFF4 as a physical disk and then open the physical disk in EnCase v8.10. Caveat: EnCase has been known to have issues with the AFF4, so I would religiously check the files that are exported using this method.
Very good points, Ed! Dealing with AFF4 images of T2 Macs presents two layers of complications—working with the AFF4 format itself, and then the APFS file system.
Mounting the AFF4 images as a physical disk with AIM is a good option but I haven’t had much luck getting the supposedly APFS-aware tools (e.g., FTK 7.2) to recognize the file system on the presented physical disk. This is where Mac-based tools have the upper hand at the moment as they don’t have to reverse-engineer APFS.
AFAIK, Recon Lab currently supports DMG and sparse images but not AFF4 on the intake side. Once you narrow things down, you can export to a ZIP or loose files. Hopefully, Sumuri or one of their users can chime in and bring more clarity.
I suggest reaching out to their support to hear it straight from the horse’s mouth.
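Added example (mine, not from any participant or vendor in this thread): a small Python check that parses the GPT of a raw image, such as the one the Evimetry bridge presents, and confirms that each APFS-typed partition actually begins with a readable container superblock. A False result is one quick way to tell a still-encrypted or mis-offset presentation apart from a tool that simply lacks APFS support, before blaming the tool. The sample disk image is constructed in memory; the APFS partition type GUID and NXSB magic are the standard on-disk values.

```python
import struct
import uuid

SECTOR = 512
# GPT partition type GUID for APFS containers, and the magic that sits at
# offset 32 of an APFS container superblock (after the 32-byte object header).
APFS_PART_GUID = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
NX_MAGIC = b"NXSB"


def gpt_partitions(img):
    """Parse the primary GPT of a raw image; return (type_guid, first_lba, last_lba) tuples."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return []
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        ent = bytes(img[off:off + entry_size])
        if len(ent) < 48 or ent[:16] == b"\x00" * 16:  # truncated or unused slot
            continue
        first, last = struct.unpack_from("<QQ", ent, 32)
        parts.append((uuid.UUID(bytes_le=ent[:16]), first, last))
    return parts


def find_apfs_containers(img):
    """For each APFS-typed partition, report (first_lba, has_nxsb). False means the
    partition table says APFS but block 0 is not a readable container superblock:
    likely ciphertext or a wrong offset rather than a missing file system driver."""
    result = []
    for type_guid, first, _last in gpt_partitions(img):
        if type_guid == APFS_PART_GUID:
            start = first * SECTOR
            result.append((first, img[start + 32:start + 36] == NX_MAGIC))
    return result


def build_sample_image(with_magic=True):
    """Constructed sample: GPT header at LBA 1, one APFS entry at LBA 2, container at LBA 40."""
    img = bytearray(48 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 1, 128)  # entry array LBA, count, entry size
    ent = bytearray(128)
    ent[:16] = APFS_PART_GUID.bytes_le
    ent[16:32] = uuid.UUID(int=1).bytes_le                 # arbitrary unique partition GUID
    struct.pack_into("<QQ", ent, 32, 40, 47)               # first and last LBA
    img[2 * SECTOR:2 * SECTOR + 128] = ent
    if with_magic:
        img[40 * SECTOR + 32:40 * SECTOR + 36] = NX_MAGIC
    return bytes(img)


if __name__ == "__main__":
    print(find_apfs_containers(build_sample_image()))  # [(40, True)]
```

Against a real raw image, read the first few MiB plus each partition's first block rather than the whole file into memory.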
I have had the best luck with BlackBag Tech.
They are great with finding solutions for the electronic discovery world. I always utilize them for my Mac cases. I would suggest finding a vendor that uses their software. Unless you come across this often, then I would say purchasing might be the answer. That is a question only you can answer.
In my experience, BlackBag is the best for Mac O/S.
Good luck. Let us know how it works out.
I heard BlackBag just got acquired by Cellebrite. I really hope this will be better for the industry than OpenText’s acquisition of Guidance. Good luck to both companies.
I have recently had to solve the issue of AFF4 images too. I did try Arsenal Image Mounter to mount the image but found that when I tried to do anything such as export I was getting a BSoD and my workstation was shutting down. I use a product called UFS Explorer Professional Recovery which claimed to support APFS. The good news was that it did what it said on the tin, unlike some other products that claim to support APFS but don’t. We had two AFF4 images both of which had been from MacBook Pros with T2 chip - one had the password applied before imaging and the other didn’t. After trialling the AIM with it I gave up and used the Evimetry Bridge which mounted it as a Raw image. This worked well - UFS Explorer also allowed me to input the encryption key to the image that had not been unlocked and I was able to review the filesystem. I was then able to export the User areas to be able to review them in any other Forensic tools.
Thanks for sharing your experience, Danny! It sounds like you used the Evimetry Bridge to do the AFF4 -> raw conversion and UFS Explorer Pro to unlock FileVault 2.
Based on the information on their website, UFS works on MacOS, Linux, and Windows. I’ll keep this in mind for decrypting FV2 on Windows or Linux when using a tool that doesn’t have built-in FV2 support.
It also has support for Linux LUKS encryption, which I have had to decrypt recently; I couldn't seem to find another tool to do it except Linux itself. It is also my preferred tool for NAS devices. It saves me having to reconstruct them.