Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?
|
From: Hin-Tak L. <ht...@us...> - 2020-07-17 15:46:13
|
On Thursday, 16 July 2020, 09:51:06 GMT+1, 김형찬 <hj1...@aj...> wrote:
> Very special thanks for your detailed reply.
> As advised, I tried using the dd command.
> There are cases where diskNsM cannot be dumped due to permission issues.
> Also, when the diskNsM dump image is tested on the TSK, it outputs that the file system cannot be determined.
> When I check the raw values, both /dev/diskN image and /dev/diskNsM image start with the apfs_nx_superblock structure implemented in TSK.
> However, on TSK, both images error message that the file system type error cannot be determined.
> I want to know how to create a pool type image to test TSK-APFS
> I look forward to answer.
The permission issue is just standard FAQ - you need admin privilege to do any low-level operations.
You should try fsstat. Also, are you not running the option wrongly? It is "-f apfs" (and "-f list" to get a list). And what version of sleuthkit are you using?
|
