Imaging APFS - A Walkthrough for Starting Forensics on MacOS

Here to demystify the imaging process for computers and devices using APFS is SEVN-X's Chief Strategist Matt Barnett.

Tools used in this process (Affiliate Links)

Docking Station
Disk Drive Reader
1Tb Western Digital Hard Drive
USB-C Cable

Blog Post

Comments
Author

For the dd command, you can use the "status=progress" option to see the running statistics.

CRK
Author

Excellent presentation, informative and captivating.

forpaqk
Author

Are the steps you mention in this video the same for a Mac mini?

msewhisperer
Author

Great sharing, thanks!
I have a question: if diskutil is not available while disk arbitration is disabled, how can we determine which disk is our target disk (synthesized) after connecting?

阿提蒙
Author

Hello! This might be a long shot but here it is.
I have a Seagate Backup Plus 4TB external hard drive, APFS encrypted.
I set a password on it years ago; the password got saved in my local keychain so I never had to type it.
When I say I set a password I mean a looong one (was watching a lot of Snowden documentaries at the time).
Fast forward 4 years, I had to format my MacBook due to an issue.
I didn't know at the time that there is a local keychain, I thought it's all on iCloud.
Long story short, lost the password to the external HDD. I have A LOT of family photos/videos in there as it was my main backup drive....
What are the chances I can recover the password?

ParallaxVisuals
Author

Why is there music in the background? Any way to turn it off? I have my own radio.

LouRC
Author

Very interesting vid. Forgive my ignorance about forensics, but what is an example of when you’d use this?
Is this how one could image an entire Mac? I ask because of the reference you made to the long wait time for completion when you were only handling 1mg. What about 1gb? Or 1tb?

I often have such a need when cloning failing hard drives while still installed in the Mac. In the past couple years, I’d pretty much abandoned this method for accessing drives. I was losing faith in Target Disk Mode as a once go-to tool for all kinds of Mac repairs.

PS the distinction between an actual Thunderbolt 3 vs a USB-C is a detail I would have taken years of trial and error to discover. Such a beneficial tip.

I own an Independent Apple Service shop. Thanks.

luxmunk
Author

Very nice how-to. What happens if the device employs the T2 chipset with or without FileVault2?

davidpoole
Author

It won't really work that way on M1+ Macs since they use a virtual network device as a target disk.

inwerp
Author

You are a good speaker. However, the music really distracts from following you. For example, when I try to watch on my iPhone with earbuds, the music is too loud and I have to replay sections to hear your words. On my desktop the music is not so loud, but the music is still too distracting. Remove the background music.

johnhanley
Author

For God's sake, remove the music in your videos. It is really annoying.

sanjeevgoel
Author

I revisited this video and I must point out a very big mistake.
Imaging a virtual synthesized disk won't make a proper image. It is quite trivial to write data to the EFI partition, which is not even listed in your dev3. The EFI partition also contains some boot logs, which are also obviously a part of forensics research.

inwerp
Author

This method should not work on an M1 Mac. This is because there is no target disk mode.

minorukobayashi
Author

This doesn't seem to work with an FV2/encrypted disk, 'cause the output is pretty much blank? Any solution please? 'Cause it cannot be unencrypted without mounting/disk arbitration,
and it needed a Thunderbolt to work @sevnxsecurity

IlCapodeiCapiTheBoss