Re: [sleuthkit-users] Sleuthkit APFS parsing (APSB Block Number)
From: Ann P. <apr...@ba...> - 2020-01-30 12:47:04
On the command line you'll need to run pstat to get the block numbers of
any APFS volumes. You're looking for the line "APSB Block Number". I'll
paste in the full process below.

$ ./mmls.exe apfs_one_vol.dmg
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000097663   0000097624   disk image
005:  -------   0000097664   0000097696   0000000033   Unallocated

$ ./pstat.exe -o 40 apfs_one_vol.dmg
POOL CONTAINER INFORMATION
--------------------------------------------
Container cb1365d5-76ab-4559-be83-77f389c254e2
==============================================
Type: APFS
NX Block Number: 0
NX oid: 1
NX xid: 12
Checkpoint Descriptor Block: 7
Capacity Ceiling (Size): 49983488 B
Capacity In Use: 1724416 B
Capacity Available: 48259072 B
Block Size: 4096 B
Number of Blocks: 12203
Number of Free Blocks: 11782
|
+-> Volume 8f8dda38-0894-49f6-a943-da1401ddd148
| ===========================================
| APSB Block Number: 418
| APSB oid: 1026
| APSB xid: 12
| Name (Role): Test APFS 1 (No specific role)
| Capacity Consumed: 737280 B
| Capacity Reserved: None
| Capacity Quota: None
| Case Sensitive: No
| Encrypted: No
| Formatted by: newfs_apfs (945.260.7)
|
| Created: 2019-07-23 14:40:48.754498461 (ric)
| Changed: 2019-07-23 14:44:42.771863706 (ric)
|
| Unmount Logs
| ------------
| Timestamp Log String
| 2019-07-23 14:44:42.848757968 (ric) apfs_kext (945.260.7)
|
| Root Files
| -------------
| [ 23] file1.txt
| [ 19] .DS_Store
| [ 16] .fseventsd
| [ 18] folder1
|
+-> Unallocated Container Blocks
| ============================
| 0x000001a5-0x00002faa

$ ./fls.exe -o 40 -B 418 apfs_one_vol.dmg
r/r 23: file1.txt
r/r 19: .DS_Store
d/d 16: .fseventsd
d/d 18: folder1

On Thu, Jan 30, 2020 at 6:49 AM Jake Jackson 46059480 <Jak...@ke...> wrote:
> Good afternoon,
>
> I am currently trying to use the Sleuthkit to be able to open .E01 files
> containing APFS images and extract certain files. In order to do this I
> need to be able to calculate the starting APSB block of the volume in
> question. When I load the image into Autopsy the number is automatically
> determined; how is this done in Sleuthkit?
>
> Kind regards,
>
> Jake Jackson
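
The pstat step in the reply above can be scripted when many images have to be processed. The following is an added example, not part of the original thread and not Sleuth Kit code: it parses pstat's text output for each volume's APSB block number and builds the matching fls call. The second volume in the sample and the helper names parse_pstat_volumes and fls_command are made up for illustration, and the output layout is assumed to match the listing in the reply.

```python
import re
import shlex

# First volume is taken from the pstat output in the reply (trimmed);
# the second volume is constructed here to show the multi-volume case.
SAMPLE_PSTAT = """\
POOL CONTAINER INFORMATION
+-> Volume 8f8dda38-0894-49f6-a943-da1401ddd148
|   APSB Block Number: 418
|   Name (Role): Test APFS 1 (No specific role)
|
+-> Volume 00000000-0000-0000-0000-000000000002
|   APSB Block Number: 1290
|   Name (Role): Constructed Vol 2 (No specific role)
|
+-> Unallocated Container Blocks
|   0x000001a5-0x00002faa
"""

VOLUME = re.compile(r"\+->\s*Volume\s+([0-9a-fA-F-]{36})")
FIELD = re.compile(r"^[|\s]*(APSB Block Number|Name \(Role\)):\s*(.+?)\s*$")


def parse_pstat_volumes(text):
    """Return one dict per APFS volume listed in pstat's text output."""
    volumes, current = [], None
    for line in text.splitlines():
        header = VOLUME.search(line)
        if header:
            current = {"uuid": header.group(1)}
            volumes.append(current)
        elif line.lstrip().startswith("+->"):
            current = None  # non-volume section, e.g. unallocated blocks
        elif current is not None:
            field = FIELD.match(line)
            if field:
                current[field.group(1)] = field.group(2)
    for vol in volumes:
        if "APSB Block Number" not in vol:
            raise ValueError(f"no APSB block found for volume {vol['uuid']}")
        vol["apsb_block"] = int(vol.pop("APSB Block Number"))
    return volumes


def fls_command(image, sector_offset, volume):
    """Build the fls call for one volume: -o from mmls, -B from pstat."""
    args = ["fls", "-o", str(sector_offset), "-B", str(volume["apsb_block"]), image]
    return " ".join(shlex.quote(a) for a in args)
```

In practice the text passed to parse_pstat_volumes would be the captured standard output of pstat run with the partition offset reported by mmls.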