Friday, December 21, 2018

Daily Blog #574: Forensic Lunch 12/21/18 Alissa Torres, Dr. Joe Sylve

Hello Reader,
        Today we had another Forensic Lunch! This week we had:


What a great show! You can watch the video here:

1 comment:

  1. David, a couple of corrections:

    * libfsapfs (and therefore pyfsapfs, dfVFS and plaso) does support encryption; also see the readme: https://github.com/libyal/libfsapfs/blob/master/README and the plaso release notes: http://blog.kiddaland.net/2018/12/plaso-20181219-released.html
    * the testing I did with sleuthkit-APFS was on the first test images I could find (https://github.com/dfirlabs/apfs-specimens), no particularly thorough testing (on the contrary) as Matthew might be implying (not sure from his comment)
    * In contrast to what Joe says, an APFS container does not contain an unlimited amount of volumes; the current format maximum is 100 and there are restrictions on what size the container must be. This was also highlighted by the paper "Decoding the APFS file system" https://www.sciencedirect.com/science/article/pii/S1742287617301408?via%3Dihub

    Regarding APFS having no journal (as Joe explained in technical terms), the file system is the journal. A thing Joe did not highlight in the conversation about recovery and snapshots: APFS decouples low-level block storage and file-system level storage; this can make recovery more challenging.

