Received AFF4 Image, Now What?

Hi everyone!

We have received an AFF4 image of a Mac. The company who imaged the computer advised it had the t2 chip and APFS and they were not able to provide an E01 file.

Our goal is to search the files on the drive and then load them into a hosting platform for review. What are our options?

1 Like

Hi there!

AFAIK, the two leading Mac acquisition solutions on the market today image Macs with the T2 chip to AFF4 or to a logical image such as a sparse image, or export the data to loose files. The sparse image is a bit more flexible as it can be mounted natively on a Mac without extra tools, but it is a logical image. The AFF4 image of a T2 Mac is more along the lines of a physical image, with some restrictions such as unallocated space being still encrypted (as of this writing).

What options you have depends largely on what tools you have access to. AFF4 support is currently very limited in most mainstream tools. X-Ways has APFS support and allows ingesting AFF4 images by using a third-party plugin from Evimetry. If you have X-Ways, you can download the plug-in here.

Something that might catch you by surprise is that when you point to an AFF4 image with the plug-in installed, X-Ways hangs for a minute or two with no progress indication. Presumably, the Evimetry plug-in is doing some background work there to present the AFF4 image in a way that X-Ways can work with. It would be great to have some progress indicator at that stage. I hope Schatz and Fleischmann can collaborate on building AFF4 support straight into X-Ways for a better user experience.

Also, Evimetry has a freely available file system bridge which loads the AFF4 image and presents it as a raw image. You can then ingest the raw image into an APFS-aware tool, or copy it out as a raw image for use by itself. You can get the file system bridge with freely available Evimetry Community.

Another logical option is to use BlackLight, which supports AFF4 and APFS. Working on Mac data on a Mac is generally a good idea due to the native support built into the OS.

If you need to add a new product to your workflow to support AFF4 & APFS, I would suggest looking into its search capabilities carefully to make sure they satisfy your requirements. For instance, OCRing documents without extractable text is a common requirement when performing blanket keyword searches, but many popular DFIR tools do not have this capability in their workflow. Also, if your search requires complex search expressions containing RegEx, proximity operators, etc, I would inquire about the search syntax of the tool to see what is possible.

4 Likes
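Before handing a raw image that a bridge such as Evimetry's has exposed to an APFS-aware tool, it is worth confirming that the raw image really presents a GPT with an APFS partition and that the container superblock sits where the partition table says it should. The script below is an added example, not code from this thread or from Evimetry or X-Ways; the on-disk layout it parses follows the UEFI GPT and Apple APFS specifications, the sample disk is constructed inline, and the file name argument in the usage section is an assumption.

```python
"""Sanity-check a raw disk image (e.g. one exposed by an AFF4 bridge) for a
GPT partition table and an APFS container header before ingesting it.

Added example, not from the thread or from any vendor. The sample image is
constructed inline; layout offsets come from the UEFI GPT and APFS specs."""
import struct
import uuid

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# Partition type GUID Apple assigns to APFS containers
APFS_TYPE_GUID = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
NX_MAGIC = b"NXSB"  # nx_superblock magic, right after the 32-byte obj_phys_t header


def parse_gpt(img):
    """Return [(type_guid, first_lba, last_lba, name)] from the primary GPT, or None if absent."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIGNATURE:
        return None
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * entry_size
        entry = img[off:off + entry_size]
        if len(entry) < 128:
            break
        type_guid = uuid.UUID(bytes_le=entry[:16])
        if type_guid.int == 0:  # unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "ignore").rstrip("\0")
        parts.append((type_guid, first, last, name))
    return parts


def apfs_container_header(img, first_lba):
    """Return nx_block_size if an APFS container superblock sits at first_lba, else None."""
    base = first_lba * SECTOR
    block = img[base:base + 4096]
    if len(block) < 40 or block[32:36] != NX_MAGIC:
        return None
    return struct.unpack_from("<I", block, 36)[0]


def scan_raw_image(img):
    """Summarise partitions and flag those that actually expose an APFS container header."""
    parts = parse_gpt(img)
    if parts is None:
        return None
    report = []
    for type_guid, first, last, name in parts:
        block_size = apfs_container_header(img, first)
        report.append({
            "name": name,
            "type": "APFS" if type_guid == APFS_TYPE_GUID else "other",
            "first_lba": first,
            "last_lba": last,
            "apfs_magic": block_size is not None,
            "block_size": block_size,
        })
    return report


def build_sample_image():
    """Constructed 32 KiB disk: GPT header at LBA 1, entries at LBA 2, one APFS partition at LBA 40-63."""
    img = bytearray(64 * SECTOR)
    hdr = bytearray(SECTOR)
    hdr[:8] = GPT_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)       # revision 1.0, header size
    struct.pack_into("<QQQQ", hdr, 24, 1, 63, 34, 62)      # current, backup, first/last usable LBA
    hdr[56:72] = uuid.UUID(int=0xABCD).bytes_le            # disk GUID, fixed for determinism
    struct.pack_into("<QII", hdr, 72, 2, 1, 128)           # entries at LBA 2, one entry of 128 bytes
    img[SECTOR:2 * SECTOR] = hdr
    entry = bytearray(128)
    entry[:16] = APFS_TYPE_GUID.bytes_le
    entry[16:32] = uuid.UUID(int=1).bytes_le
    struct.pack_into("<QQ", entry, 32, 40, 63)
    label = "Container".encode("utf-16-le")
    entry[56:56 + len(label)] = label
    img[2 * SECTOR:2 * SECTOR + 128] = entry
    base = 40 * SECTOR                                      # partition start: obj_phys_t, then NXSB
    img[base + 32:base + 36] = NX_MAGIC
    struct.pack_into("<I", img, base + 36, 4096)           # nx_block_size
    return bytes(img)


if __name__ == "__main__":
    import mmap
    import sys
    if len(sys.argv) > 1:  # assumed usage: python check_raw.py /path/to/exposed.raw
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            print(scan_raw_image(m))
    else:
        print(scan_raw_image(build_sample_image()))
```

Run against a real raw image, the script maps the file rather than reading it into memory, so multi-hundred-gigabyte images are fine. Note that the APFS container superblock is not covered by FileVault, so finding the NXSB magic confirms that the AFF4-to-raw step produced a coherent disk, not that the volume contents are decryptable; the still-encrypted unallocated space mentioned above is not examined at all.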

What we do is ingest the AFF4 into Blacklight and then export out all the files into an L01, which is not more compatible with review tools.

You can also use Arsenal Image Mounter to mount the AFF4 as a physical disk and then open the physical disk in EnCase v8.10. Caveat: EnCase has been known to have issues with the AFF4, so I would religiously check the files that are exported using this method.

4 Likes

Very good points, Ed! Dealing with AFF4 images of T2 Macs presents two layers of complications—working with the AFF4 format itself, and then the APFS file system.

Mounting the AFF4 images as a physical disk with AIM is a good option but I haven’t had much luck getting the supposedly APFS-aware tools (e.g., FTK 7.2) to recognize the file system on the presented physical disk. This is where Mac-based tools have the upper hand at the moment as they don’t have to reverse-engineer APFS.

Does anyone know if Recon Lab does this also?

AFAIK, Recon Lab currently supports DMG and sparse images but not AFF4 on the intake side. Once you narrow things down, you can export to a ZIP or loose files. Hopefully, Sumuri or one of their users can chime in and bring more clarity. 🙂

I suggest reaching out to their support to hear it straight from the horse’s mouth.

The only two PC tools that I know are AXIOM and EnCase v8.08+, but I don’t really trust the way EnCase is reading the AFF4/APFS.

AXIOM does a pretty good job.

2 Likes

Very helpful, Ed. Thanks!

I have had the best luck with BlackBag Tech.
They are great with finding solutions for the electronic discovery world. I always utilize them for my Mac cases. I would suggest finding a vendor that uses their software. Unless you come across this often, then I would say purchasing might be the answer. That is a question only you can answer.
In my experience, BlackBag is the best for Mac O/S.
Good luck. Let us know how it works out.

2 Likes

Thanks everyone for the suggestions. We’re very grateful for the guidance!

I heard BlackBag just got acquired by Cellebrite. I really hope this will be better for the industry than OpenText’s acquisition of Guidance. Good luck to both companies.

This tool can also create E01 files, and there is an option to mount local images as a virtual file or disk. Great tool.

1 Like

Who makes AFAIK? I’ve never heard of it and am interested in finding out more information about it.

Oh, Scott you are missing out. It is a hot knowledge management startup. If you Google it, you’ll find that everybody is talking about it.

Sorry, that was just me being too acronym happy 😀

Ha! I was Googling but now that makes total sense. I guess I need to stay better in touch with my acronyms.

1 Like

FWIW, Mount Image Pro V7 now supports AFF4 images.

1 Like

Very cool; thanks for the info, Scott! Looks like they’ve also added the option to mount APFS using their own file system driver.

I have recently had to solve the issue of AFF4 images too. I did try Arsenal Image Mounter to mount the image but found that when I tried to do anything such as export I was getting a BSoD and my workstation was shutting down. I use a product called UFS Explorer Professional Recovery which claimed to support APFS. The good news was that it did what it said on the tin, unlike some other products that claim to support APFS but don’t. We had two AFF4 images both of which had been from MacBook Pros with T2 chip - one had the password applied before imaging and the other didn’t. After trialling the AIM with it I gave up and used the Evimetry Bridge which mounted it as a Raw image. This worked well - UFS Explorer also allowed me to input the encryption key to the image that had not been unlocked and I was able to review the filesystem. I was then able to export the User areas to be able to review them in any other Forensic tools.

1 Like

Thanks for sharing your experience, Danny! It sounds like you used the Evimetry Bridge to do the AFF4 -> raw conversion and UFS Explorer Pro to unlock FileVault 2.

Based on the information on their website, UFS works on MacOS, Linux, and Windows. I’ll keep this in mind for decrypting FV2 on Windows or Linux when using a tool that doesn’t have built-in FV2 support.

It also has support for Linux LUKS encryption which I have had to decrypt recently, couldn’t seem to find another tool to do it except Linux itself. It is also my preferred tool for NAS devices. Saves me having to reconstruct them.