Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?
|
From: Hin-Tak L. <hin...@ya...> - 2020-07-15 21:02:34
|
On Wednesday, 15 July 2020, 09:05:16 BST, 김형찬 via sleuthkit-developers <sle...@li...> wrote: > The first method is to create a partition using macOS's basic disk utility, add a volume to the partition, and then use the dd command. > The second method used the dd command after creating the volume using macOS' basic disk utility. > However, these methods output an error message that the file system type error cannot be determined. > I want to see how to create a pool type image to test TSK-APFS. > I am waiting for answer. I am quite sure that you are running dd wrongly - you are dd'ing the whole disk (which includes the partition table at the beginning) instead of the apfs formatted partition; also historically, apple's formatting utlity puts a "driver" partition in front too. So you need to make sure that you are dd'ing the correct device. You need to add "sM" to the end of your device, to get at the patitions e.g. "/dev/diskNsM" , where N is the disk number and M is the partition number. |
