Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL
From: 김형찬 <hj1...@aj...> - 2020-07-16 09:19:48
Very special thanks for your detailed reply.

As advised, I tried using the dd command. There are cases where diskNsM cannot be dumped due to permission issues. Also, when the diskNsM dump image is tested on the TSK, it outputs that the file system cannot be determined.

When I check the raw values, both the /dev/diskN image and the /dev/diskNsM image start with the apfs_nx_superblock structure implemented in TSK. However, on TSK, both images produce an error message that the file system type cannot be determined.

I want to know how to create a pool type image to test TSK-APFS. I look forward to your answer.

On Thu, 16 July 2020 at 6:02 AM, Hin-Tak Leung <hin...@ya...> wrote:

> On Wednesday, 15 July 2020, 09:05:16 BST, 김형찬 via sleuthkit-developers <sle...@li...> wrote:
>
> > The first method is to create a partition using macOS's basic disk utility, add a volume to the partition, and then use the dd command.
> > The second method used the dd command after creating the volume using macOS' basic disk utility.
> > However, these methods output an error message that the file system type error cannot be determined.
> > I want to see how to create a pool type image to test TSK-APFS.
> > I am waiting for an answer.
>
> I am quite sure that you are running dd wrongly - you are dd'ing the whole disk (which includes the partition table at the beginning) instead of the apfs formatted partition; also historically, apple's formatting utility puts a "driver" partition in front too. So you need to make sure that you are dd'ing the correct device. You need to add "sM" to the end of your device, to get at the partitions e.g. "/dev/diskNsM", where N is the disk number and M is the partition number.
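
The whole-disk versus partition distinction discussed in this thread can be checked directly on a dd image; the following is an added example, not part of the original messages and not TSK code. It assumes the field offsets of Apple's published nx_superblock_t layout (magic at byte 32, then block size and block count); the function names and sample bytes are constructed for illustration.

```python
import struct

NX_MAGIC = b"NXSB"     # nx_magic, right after the 32-byte object header
GPT_SIG = b"EFI PART"  # GPT header signature, located at LBA 1

def classify_image_start(head, image_size):
    """Classify a raw image from its first 8 KiB and its total size in bytes."""
    # A whole-disk dump starts with the partition table, not the container.
    for sector in (512, 4096):  # LBA 1 for 512-byte and 4Kn sectors
        if head[sector:sector + 8] == GPT_SIG:
            return {"kind": "gpt-disk", "sector_size": sector}
    if len(head) >= 48 and head[32:36] == NX_MAGIC:
        # nx_block_size (uint32) and nx_block_count (uint64), little-endian.
        block_size, block_count = struct.unpack_from("<IQ", head, 36)
        expected = block_size * block_count
        return {"kind": "apfs-container", "block_size": block_size,
                "block_count": block_count, "expected_size": expected,
                "truncated": image_size < expected}
    if head[510:512] == b"\x55\xaa":
        return {"kind": "mbr-disk"}
    return {"kind": "unknown"}

def classify_image(path):
    """Read the header and size of an image file and classify it."""
    with open(path, "rb") as f:
        head = f.read(8192)
        size = f.seek(0, 2)  # seeking to the end returns the file size
    return classify_image_start(head, size)

def sample_container(block_size=4096, block_count=256):
    # Constructed bytes: zeroed object header, then magic, size and count.
    hdr = bytes(32) + NX_MAGIC + struct.pack("<IQ", block_size, block_count)
    return hdr.ljust(8192, b"\0")

def sample_gpt_disk():
    # Constructed bytes: protective-MBR signature, then a GPT header at LBA 1.
    mbr = bytes(510) + b"\x55\xaa"
    return (mbr + GPT_SIG).ljust(8192, b"\0")

if __name__ == "__main__":
    print(classify_image_start(sample_gpt_disk(), 8192))
    print(classify_image_start(sample_container(), 4096 * 256))
    print(classify_image_start(sample_container(), 4096 * 100))  # short copy
```

A result of `truncated: True` means the image is smaller than the container the superblock describes, which points to an incomplete copy rather than a wrong device.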