Apple File System (APFS) is the file system created by Apple that ultimately replaced HFS+. APFS is optimized for solid-state drives (SSDs) and supports native encryption. This stands in contrast to the obsolete HFS+, which relied on CoreStorage. Notably, HFS+ encrypted data at the block level, whereas APFS encrypts at the file system level.
Digital forensic professionals can take advantage of Magnet AXIOM 3.0, which supports HFS+ and APFS with the option of decrypting FileVault 2-enabled images.
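Before loading an image, an examiner can check which of the two schemes described above applies by reading the GPT partition type GUIDs and looking for the APFS container magic. The following Python code is an added example, not part of the original walkthrough or of Magnet AXIOM. It assumes a raw (dd-style) image with 512-byte sectors (an .E01 would first have to be exposed as raw), and the function names and the sample image are constructed for illustration.

```python
import struct
import uuid

SECTOR = 512  # assumption: raw image with 512-byte logical sectors

# Apple GPT partition type GUIDs
APFS = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
CORESTORAGE = uuid.UUID("53746F72-6167-11AA-AA11-00306543ECAC")
HFS_PLUS = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")
LABELS = {APFS: "APFS container", CORESTORAGE: "CoreStorage", HFS_PLUS: "HFS+"}

def classify_partitions(image):
    """Return [(index, first_lba, label, nxsb_found)] for each used GPT entry."""
    hdr = image[SECTOR:2 * SECTOR]  # GPT header lives at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    results = []
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = image[off:off + size]
        if len(entry) < 48:
            break  # image is truncated inside the partition table
        type_guid = uuid.UUID(bytes_le=entry[:16])  # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        first_lba = struct.unpack_from("<Q", entry, 32)[0]
        # APFS container superblock: 32-byte object header, then magic "NXSB"
        start = first_lba * SECTOR
        nxsb = image[start + 32:start + 36] == b"NXSB"
        label = LABELS.get(type_guid, f"other ({type_guid})")
        results.append((i, first_lba, label, nxsb))
    return results

def build_sample_image():
    """Constructed sample: GPT with one APFS and one CoreStorage partition."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # table at LBA 2
    for i, (guid, lba) in enumerate([(APFS, 40), (CORESTORAGE, 50)]):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = guid.bytes_le
        struct.pack_into("<QQ", img, off + 32, lba, lba + 9)  # first/last LBA
    img[40 * SECTOR + 32:40 * SECTOR + 36] = b"NXSB"
    return bytes(img)

if __name__ == "__main__":
    for row in classify_partitions(build_sample_image()):
        print(row)
```

The partition type shows which scheme applies, not whether encryption is actually enabled on a given APFS volume. For a real image, pass an mmap of the file instead of reading it into memory.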
APFS Mac Image Decryption Process
We will illustrate how to use Magnet AXIOM to decrypt APFS FileVault 2-Enabled Mac images and extract macOS artifacts easily.
It’s important to emphasize that forensic examiners will
1. Set the Folder Name and File Path for the “Case Details”
To get started, ensure that you have opened
Continue by clicking “EVIDENCE SOURCES”.
2. Select Your Image
Select “COMPUTER”, select “MAC”, and select “IMAGE” to choose your image. Proceed to click “Open” for the image.
In our example, we’ve chosen a .E01 image.
You will be presented with information confirming that the image contains an encrypted APFS volume. Continue by clicking “NEXT”.
3. Set the Password / Recovery Key
Enter your password / recovery key and click “CHECK” to see if Magnet AXIOM will accept that password.
Click “NEXT” to proceed.
4. Select Search Type
Select your search type, which will depend on the circumstances of each case. For our demonstration, we’ll leave the search type at the default option, “Full”.
We can now see that we have our evidence added to our case file.
5. Under ARTIFACT DETAILS, Click on Computer artifacts
You’ll want to continue by clicking on “Computer artifacts” under “ARTIFACT DETAILS” to select Mac artifacts to include in your case.
Click on “OPERATING SYSTEM – MACOS” to view the artifacts available for Mac, including Daily Logs, Deleted Accounts, Network Profiles, Trash, and Volume Information. There is a significant amount of information that can be extracted from our image.
Click “GO TO ANALYZE EVIDENCE”.
6. Analyze Evidence to Begin Decryption Process
Click “ANALYZE EVIDENCE” to start the decryption process of the APFS volume.
Magnet AXIOM will process the case for your artifacts.
As we can see, Magnet AXIOM gives us the ability to acquire and examine all sorts of evidence within a clean, organized interface.
Furthermore, the use of Magnet AXIOM extends to social media as well.