Magnet AXIOM: Decrypting APFS FileVault 2-Enabled Mac Images

by Sunny Hoi

Apple File System (APFS) is the file system created by Apple that ultimately replaced HFS+. APFS is optimized for solid-state drives (SSDs) and supports native encryption. This contrasts with the older HFS+, which relied on CoreStorage for encryption. Notably, CoreStorage encrypted data at the block level, whereas APFS encrypts at the file system level.

Digital forensic professionals may take advantage of Magnet AXIOM 3.0 which supports HFS+ and APFS with the option of decrypting FileVault 2-enabled images.

APFS Mac Image Decryption Process

We will illustrate how to use Magnet AXIOM to decrypt APFS FileVault 2-enabled Mac images and extract macOS artifacts easily.

It’s important to emphasize that forensic examiners will need to confirm that they have sufficient disk space at the case location for the decryption process to complete correctly.
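A small pre-flight check for that free-space requirement, as an added example that is not part of the original post and not Magnet AXIOM’s own code. It assumes the evidence is an EnCase image set (a .E01 file, possibly split into further segments) and that the processed output will land on the volume holding the case folder; the 20% safety margin is an assumption chosen for illustration, not a figure from the post or from Magnet.

```python
"""Pre-flight free-space check before decrypting a FileVault 2 APFS image.

Added example, not part of Magnet AXIOM or the original post. Assumes an
EnCase (.E01) image set and that decrypted/processed output is written to
the volume that holds the case folder.
"""
import shutil
import string
import sys
from pathlib import Path
from typing import Iterable, Iterator, List


def segment_suffixes() -> Iterator[str]:
    """Yield EnCase segment extensions in order: .E01 .. .E99, then .EAA .. .EZZ."""
    for n in range(1, 100):
        yield f".E{n:02d}"
    for a in string.ascii_uppercase:
        for b in string.ascii_uppercase:
            yield f".E{a}{b}"


def select_segments(first_segment: str, candidates: Iterable[str]) -> List[str]:
    """Return the contiguous run of segment file names present in `candidates`.

    Pure function (no filesystem access) so it can be unit-tested. The run
    starts at .E01 and stops at the first missing segment: a gap means the
    image set is incomplete, and the sizes after the gap must not be trusted.
    Lookup is case-insensitive because Windows file names are.
    """
    stem = Path(first_segment).stem
    by_lower = {name.lower(): name for name in candidates}
    chosen: List[str] = []
    for suffix in segment_suffixes():
        key = f"{stem}{suffix}".lower()
        if key not in by_lower:
            break
        chosen.append(by_lower[key])
    return chosen


def image_segments(first_segment: str) -> List[Path]:
    """Resolve the on-disk segment paths for the image set starting at `first_segment`."""
    first = Path(first_segment)
    names = [p.name for p in first.parent.iterdir() if p.is_file()]
    return [first.parent / name for name in select_segments(first.name, names)]


def image_size_bytes(first_segment: str) -> int:
    """Total on-disk size of every segment in the image set."""
    return sum(p.stat().st_size for p in image_segments(first_segment))


def required_bytes(image_bytes: int, margin: float = 1.2) -> int:
    """Space to reserve: the full image size times a safety margin.

    Decrypting the APFS container yields a plaintext copy comparable in size
    to the encrypted data; the margin (assumed 20%) leaves room for the case
    database and artifact output.
    """
    if image_bytes < 0 or margin < 1.0:
        raise ValueError("image_bytes must be >= 0 and margin >= 1.0")
    return int(image_bytes * margin)


def has_sufficient_space(image_bytes: int, free_bytes: int, margin: float = 1.2) -> bool:
    """True when free space at the case location covers the reserved amount."""
    return free_bytes >= required_bytes(image_bytes, margin)


def preflight(first_segment: str, case_dir: str, margin: float = 1.2) -> dict:
    """Compare the image set size with free space on the volume holding case_dir."""
    size = image_size_bytes(first_segment)
    free = shutil.disk_usage(case_dir).free
    return {
        "segments": len(image_segments(first_segment)),
        "image_bytes": size,
        "free_bytes": free,
        "required_bytes": required_bytes(size, margin),
        "ok": has_sufficient_space(size, free, margin),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <image.E01> <case_folder>")
    result = preflight(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

Run it as `python preflight.py D:\evidence\mac.E01 D:\cases\mac` before step 1; a non-zero exit code means the case location cannot hold the decrypted output. The segment walk deliberately stops at the first gap, so a truncated or partially copied image set shows up as a lower segment count rather than a misleadingly reassuring size.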

1. Set the Folder Name and File Path for the “Case Details”

To get started, ensure that you have opened Magnet AXIOM Process. For our tutorial, we’ll go ahead and create a new case. Set your folder name and file path under both “LOCATION FOR CASE FILES” and “LOCATION FOR ACQUIRED EVIDENCE”.

Continue by clicking “EVIDENCE SOURCES”.

2. Select Your Image

Select “COMPUTER”, select “MAC”, and select “IMAGE” to choose your image. Proceed to click “Open” for the image.

In our example, we’ve chosen a .E01 image.

You will be presented with information that tells you that you do have an encrypted APFS volume. Continue by clicking “NEXT”.

3. Set the Password / Recovery Key

Enter your password / recovery key and click “CHECK” to see if Magnet AXIOM will accept that password.

Click “NEXT” to proceed.

4. Select Search Type

You’ll want to select your search type, which will likely depend on unique circumstances varying from case to case. For our demonstration, we’ll just leave the search type at the default option “Full”.

Click “NEXT”.

We can now see that we have our evidence added to our case file.

5. Under ARTIFACT DETAILS, Click on Computer artifacts

You’ll want to continue by clicking on “Computer artifacts” under “ARTIFACT DETAILS” to select Mac artifacts to include in your case.

Click on “OPERATING SYSTEM – MACOS” to view the artifacts available for Mac, including Daily Logs, Deleted Accounts, Network Profiles, Trash, and Volume Information. There is a significant amount of information that can be extracted from our image.

Click “GO TO ANALYZE EVIDENCE”.

6. Analyze Evidence to Begin Decryption Process

Click “ANALYZE EVIDENCE” to start the decryption process of the APFS volume.

Magnet AXIOM will process the case for your artifacts.

Conclusion

As we can see, Magnet AXIOM gives us the ability to acquire and examine all sorts of evidence within a clean, organized interface.

Furthermore, the use of Magnet AXIOM extends to social media as well.
