Disk 0 and disk1 appear to be my APFS SSD. All that’s connected to the machine is the internal SSD and the imaging tool’s USB. They both detected the partitions, although interestingly you’ll see additional disks that “aren’t there”. Similarly, the current version of Macquisition allowed me to boot and image the drive. That let me boot and image my MacBook Pro. I updated Recon Imager to v1.02 and apparently, v1.03 should be released shortly.
Will have to try another test case tomorrow. I was adding the drive that I’d imaged back to itself (imaged Mac, then booted Mac to review the image), so that may have caused me to skip a few steps with regards to FileVault2.
#Testdisk apfs update#
I still wasn’t able to get that working in Blacklight though (may be user error, or it may be support – Blackbag have indicated that the next update is due out early November). Outside of forensic tools, I was able to add the DMG extension to my DD image and then add that as a drive on OS X so there’s at least that to allow examiners to manually review files in an image. Interestingly, both showed up in the ‘Add Evidence’ window as two separate disks each but I was unable to add either of them to my test case. The Windows based tools couldn’t read the file system as expected.įrom there I loaded up Blacklight on the Mac, and tried to add both my High Sierra installation, as well as a 100mb APFS disk image. Then I took a look at the drive in a few of the tools that I had available: This won’t work if you’re currently booted off that volume, so I rebooted into the recovery media and loaded up the Terminal app. Then, after reviewing Apple’s documentation, I converted the first two volumes (meant to only do the second, but a mistype meant I converted two out of three) of my High Sierra installation. Although it may only work for internal SSD’s, and all external drives may be formatted with HFS+ (If someone wants to test this let me know and I’ll update the post).Īnyways! As expected, the HFS+ volumes were viewable in currently available tools.
#Testdisk apfs install#
If you install onto an SSD then it will automatically convert the filesystem to APFS. Apparently, this was because I used a hard drive rather than a solid state drive.
I would have thought that it would have created the partitions through the installer app on my MBP and then formatted the OS partition with APFS. Interestingly, once the installation had completed I had a look at the file system and it had formatted my external drive as HFS+.
#Testdisk apfs pro#
I downloaded the installer for High Sierra on a Macbook Pro (running El Capitan) and used it to install the OS on an external hard drive (note: I also tried, unsuccessfully to create a USB installer and boot into that it didn’t work, and after a couple attempts I realised I could just install it directly using the update from the app store…whoops). Based on Steve’s video I thought it would be a good idea to do some testing.
On the 25th September Apple released OS X High Sierra which uses the Apple File System (APFS) as its default file system. Will add some information to the bottom of the post of what’s happened since** **update – this has been a really popular post but it’s very outdated now.
0 kommentar(er)
