Imaging APFS - A Walkthrough for Starting Forensics on MacOS
- Published: 27 Sep 2024
- Here to demystify the imaging process for computers and devices using APFS is SEVN-X's Chief Strategist Matt Barnett.
Tools used in this process (Affiliate Links)
Docking Station
amzn.to/3Axz69j
Disk Drive Reader
amzn.to/3hJzitx
1Tb Western Digital Hard Drive
amzn.to/2SS9oeu
USB-C Cable
amzn.to/3htK8VH
Blog Post
www.sevnx.com/...
More info at sevnx.com
Excellent presentation, informative and captivating.
Great sharing, thanks!
I have a question: if diskutil is not available while disk arbitration is disabled, how can we determine which disk is our target disk (synthesized) after connecting?
Very interesting vid. Forgive my ignorance about forensics, but what is an example of when you’d use this?
Is this how one could image an entire Mac? I ask because of the reference you made to the long wait time for completion when you were only handling 1mg. What about 1gb? Or 1tb?
I often have such a need when cloning failing hard drives while still installed in the Mac. In the past couple years, I’d pretty much abandoned this method for accessing drives. I was losing faith in Target Disk Mode as a once go-to tool for all kinds of Mac repairs.
PS the distinction between an actual Thunderbolt 3 vs a USB-C is a detail I would have taken years of trial and error to discover. Such a beneficial tip.
I own an Independent Apple Service shop. Thanks.
This is definitely more of a process you would use when you need to forensically image a device with a 'testifiable' and defensive process. For simple data recovery, it's probably overkill but if it's your only option it is.. well... an option. Hope that helps.
Hello! This might be a long shot but here it is.
I have a Seagate Backup Plus 4TB external hard drive, APFS encrypted.
I set a password on it years ago; the password got saved in my local keychain so I never had to type it.
When I say I set a password I mean a looong one (was watching a lot of Snowden documentaries at the time).
Fast forward 4 years, I had to format my MacBook due to an issue.
I didn't know at the time that there is a local keychain; I thought it was all on iCloud.
Long story short, lost the password to the external HDD. I have A LOT of family photos/videos in there as it was my main backup drive....
What are the chances I can recover the password?
Without a backup of the keychain... minimal unfortunately. Do you have any Time Machine backups of the OS prior to formatting?
Very nice how-to. What happens if the device employs the T2 chipset with or without FileVault2?
The device used in this tutorial had the T2 in it. With FV2 enabled, it gets more complex pretty quickly.
For god sake, remove the music in your videos. It is really annoying.
Thanks for the feedback Sanjeev, we’ve made adjustments in our latest video.
@sevnxsecurity Yes, the music is distracting and too loud. Almost impossible to focus on the content.
You are a good speaker. However, the music really distracts from following you. For example, when I try to watch on my iPhone with earbuds, the music is too loud and I have to replay sections to hear your words. On my desktop the music is not so loud, but the music is still too distracting. Remove the background music.
Thanks for the feedback John, I’ll let our editing department know for future videos.
Why is there music in the background? Any way to turn it off? I have my own radio.
LOL we've had this comment a lot on this video. Chalk it up to a young editor that learned proper mixing...after...we published this video. Thanks for the feedback though!
This method should not work on M1 Mac. This is because there is no target disk mode.
It's been replaced with Mac Sharing Mode. It's similar but accessed differently. I haven't imaged an M1/M2 yet but let me know if you'd like us to investigate and do a video on the process for sound imaging principles on Apple Silicon.
This doesn't seem to work with an FV2/encrypted disk, because the output is pretty much blank. Any solution, please? Because it cannot be unencrypted without mounting/disk arbitration,
and it needed a Thunderbolt to work @sevnxsecurity
Unfortunately, this tutorial does not apply to encrypted disks. You pretty much need the decryption key, and write-blocked hardware to image the drive the usual way.
Are the steps you mention in this video the same for a mac mini?
It will matter more on the config of the filesystem (APFS) than the chassis.