Monday, January 1, 2018

How to mount Mac APFS images in Windows

APFS is the new file system for macOS, and so far many forensic suites are still playing catch-up on support for it. Until they do, workarounds are needed to analyze macOS APFS images. This short blog post covers one of those workarounds: mounting an APFS image in Windows.

Paragon has a free (preview) driver, APFS for Windows, that mounts APFS volumes in Windows. Sweet!

APFS for Windows looks for a connected APFS disk. It is a file system driver, so it attaches to disk devices, not to image files. Since we have an image, we need to present it to Windows as a physical (SCSI) disk so the Paragon driver can see it. Arsenal Image Mounter does exactly that: it exposes the image through its own virtual SCSI adapter, so the image shows up as a real disk rather than as a file-backed virtual volume.

Mount the image using Arsenal Image Mounter. I had to select the sector size of 4096 for it to work, since the sector size in my image was 4096. The sector size matters because the GPT partition table is addressed in sectors: pick the wrong size and Windows reads the partition table at the wrong offset and never finds the APFS container. If you need to know the sector size of your image, a tool like mmls from The Sleuth Kit will tell you (look for its "Units are in N-byte sectors" line). Mount the image read-only so nothing on the Windows side can write to the evidence; Arsenal Image Mounter's read-only mount mode handles that.
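The sector-size check above can also be done without mmls, and it is worth understanding what the tool is actually looking for. The following is an added example, not code from the original post or from Arsenal or Paragon: it probes a raw (dd) image for the GPT header, which always sits at LBA 1, so the "EFI PART" signature lands at byte 512 on a 512-byte-sector disk and at byte 4096 on a 4Kn disk. It then goes a step beyond the post by walking the GPT entries, picking out the APFS container partition by its type GUID, and checking the container superblock's "NXSB" magic and block size at the partition start. It assumes a raw image (an E01 would first need exporting to raw, or reading through a libewf wrapper) and a GPT-partitioned disk. The function and field names are this example's own, and the sample image is constructed in memory (CRC fields left unset) purely to exercise the parser.

```python
# Added example, not code from the original post: infer the logical sector size
# of a raw (dd) disk image by probing for the GPT header, then locate the APFS
# container partition and sanity-check its superblock magic. GPT puts its header
# at LBA 1, so "EFI PART" sits at byte 512 on a 512-byte-sector disk and at byte
# 4096 on a 4Kn disk; that is the same value mmls reports as "Units are in
# N-byte sectors". Assumes a raw image and a GPT-partitioned disk.
import struct
import uuid
from typing import Optional

GPT_SIGNATURE = b"EFI PART"
# Partition type GUID Apple assigns to an APFS container.
APFS_CONTAINER_GUID = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
# APFS container superblock (nx_superblock_t): a 32-byte object header, then
# nx_magic "NXSB" and nx_block_size (uint32), at byte 0 of the container.
NX_MAGIC = b"NXSB"


def detect_sector_size(img: bytes) -> Optional[int]:
    """Return 512 or 4096 depending on where the GPT header signature is found."""
    for sector in (512, 4096):
        if img[sector:sector + len(GPT_SIGNATURE)] == GPT_SIGNATURE:
            return sector
    return None


def list_gpt_partitions(img: bytes, sector: int) -> list:
    """Parse the GPT partition entry array; skip unused (all-zero GUID) slots."""
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", img, sector + 72)
    base = entries_lba * sector
    parts = []
    for i in range(n_entries):
        e = img[base + i * entry_size: base + (i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=e[:16])  # GPT stores GUIDs mixed-endian
        if type_guid.int == 0:
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"type": type_guid, "first_lba": first_lba,
                      "last_lba": last_lba, "name": name})
    return parts


def find_apfs_container(img: bytes) -> Optional[dict]:
    """Sector size plus the first APFS partition, with its NXSB magic verified."""
    sector = detect_sector_size(img)
    if sector is None:
        return None
    for p in list_gpt_partitions(img, sector):
        if p["type"] == APFS_CONTAINER_GUID:
            off = p["first_lba"] * sector
            p["sector_size"] = sector
            p["nxsb_magic_ok"] = img[off + 32:off + 36] == NX_MAGIC
            p["block_size"] = struct.unpack_from("<I", img, off + 36)[0]
            return p
    return None


def build_sample_image(sector: int = 4096) -> bytes:
    """Constructed 64-sector image (not real evidence): GPT + one APFS partition."""
    img = bytearray(sector * 64)
    entries_lba = 2
    img[sector:sector + 8] = GPT_SIGNATURE
    struct.pack_into("<II", img, sector + 8, 0x00010000, 92)       # revision, header size
    struct.pack_into("<QQQQ", img, sector + 24, 1, 63, 34, 62)    # current/backup/first/last LBA
    img[sector + 56:sector + 72] = uuid.UUID(int=0x1234).bytes_le  # disk GUID (arbitrary)
    struct.pack_into("<QII", img, sector + 72, entries_lba, 1, 128)
    e = entries_lba * sector
    img[e:e + 16] = APFS_CONTAINER_GUID.bytes_le
    img[e + 16:e + 32] = uuid.UUID(int=0x5678).bytes_le            # unique partition GUID
    struct.pack_into("<QQ", img, e + 32, 40, 62)                   # partition spans LBA 40..62
    img[e + 56:e + 56 + 18] = "Container".encode("utf-16-le")
    c = 40 * sector                                                # container starts at LBA 40
    img[c + 32:c + 36] = NX_MAGIC
    struct.pack_into("<I", img, c + 36, 4096)                      # nx_block_size
    return bytes(img)


if __name__ == "__main__":
    print(find_apfs_container(build_sample_image(4096)))
```

On a real multi-gigabyte raw image, pass an `mmap` of the file instead of reading it all into memory; the slicing above works unchanged. Note that an APFS block size of 4096 says nothing about the disk's sector size: the two are independent, which is exactly why the sector size has to be checked separately before mounting.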

Download and install APFS for Windows from Paragon and launch it. It should automatically detect the APFS volume:

Now you can browse the APFS drive in Windows:

And add it to your favorite all-in-one tool, like X-Ways, as a logical drive:

Happy Hunting!

9 comments:

  1. Awesome! Very cool, thanks for sharing this!

  2. Thanks Mari. Two questions... what image format was your APFS in, and does Arsenal handle FV2?

    Replies
    1. I used an E01 file. See Yogesh's answer for FV2

  3. Ed, this approach will not work for encrypted (FileVaulted) disks. Arsenal Image Mounter is just emulating a disk and making it available to your system as an attached virtual disk; it does no more processing and does not parse any file systems for you.

    If and when Paragon supports encrypted disks, then it will work.

  4. Did you have any luck getting X-ways to recognize the APFS image directly? Sounds like in Sep 2017 they added support for it in SR2 - http://www.x-ways.net/winhex/forum/messages/1/4931.html?1511344633

    Replies
    1. I did not. :( I used the latest version, and while it identified the partition as APFS, it did not parse it out.

  5. Nice article, helpful and informative. Thanks for willing to share.
