Hello Reader,
Today we had another Forensic Lunch! This week we had:
Today we had another Forensic Lunch! This week we had:
- Alissa Torres, (@sibertor) talking all about the changes for FOR526 as a 6 day bootcamp of memory forensic goodness, with daily Netwars challenges! You can find out more and sign up here: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/course/memory-forensics-in-depth
- Alissa and I also talked about the CTI Summit which is happening the two days prior to the courses you can find out more about it here: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/summit-agenda
- BTW I'm also teaching FOR500 at the CTI Summit, my only east coast teach of the year: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/course/windows-forensic-analysis
- Dr. Joe Sylve (@jtsylve) talked about his work in producing both a pooled storage implementation for TSK (The Sleuth Kit) as well as APFS
- We talked about how APFS works compared to other file systems and Dr. Sylve did some demos showing how the tsk tools have been extended to work with APFS snapshots and encryption!
- You can get the current patch for TSK here: https://github.com/blackbagtech/sleuthkit-APFS/ which hopefully will get rolled into the next release of TSK
What a great show! You can watch the video here:
Also Read: Daily Blog #573
 talking all about the change...){kind=link}
David a couple of corrections:
ReplyDelete* libfsapfs (and therefore pyfsapfs, dfVFS and plaso) does support encryption also see readme: https://github.com/libyal/libfsapfs/blob/master/README and the plaso release notes: http://blog.kiddaland.net/2018/12/plaso-20181219-released.html
* the testing I did with sleuthkit-APFS was on the first test images I could find (https://github.com/dfirlabs/apfs-specimens), no particular thorough testing (on the contrary) as Matthew might be implying (not sure from his comment)
* In contrast what Joe says, an APFS container does not contain an unlimited amount of volumes, the current format maximum is 100 and there are restrictions to what size the container must be. This was also highlighted by the paper "Decoding the APFS file system" https://www.sciencedirect.com/science/article/pii/S1742287617301408?via%3Dihub
Regarding APFS having no journal, (as Joe explained in technical terms) the file system is the journal. A thing Joe did not highlight in the conversation about recovery and snapshots, APFS decouples low-level block storage and file-system level storage, this can make recovery more challenging.