Having another go at a CyberDefenders challenge, this one about macOS image forensics. You can find a link to the challenge here.

I did this largely on my Windows workstation. I used Windows Subsystem for Linux 2 to install mac_apt on. I cannot overstate how convenient it is to have very transparent access to Linux tools via my Windows workstation. I will boot into Linux every now and then if I need to, but I find I need to less and less as WSL gets better and better, especially once WSL2 came out.

I set this up and installed stuff one night, worked on this over 2 nights and ran into some issues. I’ll call out where it was night 2 and I had some time to think about the issues. Taking time off during work like this does me wonders because I can approach problems with a fresh mind later. The big difference on night 2 is that I installed apfs-fuse and used it to mount the drive and examine it manually. Some things didn’t work through Autopsy and I don’t know why, but mounting the image and browsing let me access some files I couldn’t access via Autopsy. Keep in mind this is not necessarily forensically sound unless you mount read only.

Some notes

Autopsy failed to complete the download a couple of times, might have been my network having hiccups. Chrome’s download resume feature came in handy, same for the forensics image. The image is 27gb, you’ll need to extract it before you can work on it, and the faster the disk the better. 500gb NVME drives are as cheap as 60 bucks now which is insane considering the speed and value, so if you have space for one, do it. I’m using a Ryzen and 16gb of ram, this took a long time. Even with a speedy drive, expanding the files took 10-15 minutes and once expanded, it took another 50 minutes to get the image loaded into Autopsy. Just be ready to keep busy as things get set up.
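The read-only mounting caveat above, as an added example that is not part of the original post: the image is attached to a read-only loop device, mounted with apfs-fuse's FUSE `ro` option, and its SHA-256 is compared before and after so any accidental write would show up. The image path, mount point and partition index are assumptions for your own evidence file.

```shell
#!/bin/sh
# Added example (not from the original post): mount a raw APFS image
# read-only via losetup + apfs-fuse and confirm its hash is unchanged.
# Assumes apfs-fuse and util-linux losetup are installed.
set -eu

# SHA-256 of a file, used as the pre/post-mount integrity check.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when two hashes are identical, 1 otherwise.
hashes_match() {
    [ "$1" = "$2" ]
}

# Attach the image to a read-only loop device (-r) with partition scanning
# (-P) and mount the APFS container partition read-only with apfs-fuse.
# The partition index (default 2) is an assumption; check with lsblk.
mount_apfs_ro() {
    image="$1"; mountpoint="$2"; part="${3:-2}"
    loopdev=$(sudo losetup -r -f -P --show "$image")
    mkdir -p "$mountpoint"
    sudo apfs-fuse -o ro,allow_other "${loopdev}p${part}" "$mountpoint" >&2
    echo "$loopdev"
}

# Unmount the FUSE filesystem and detach the loop device.
unmount_apfs() {
    sudo fusermount -u "$2"
    sudo losetup -d "$1"
}

# Usage: sh mount_ro.sh /path/to/image.dd /mnt/evidence [partition]
if [ "$#" -ge 2 ]; then
    before=$(image_hash "$1")
    loopdev=$(mount_apfs_ro "$1" "$2" "${3:-2}")
    ls "$2"                      # browse here, then unmount
    unmount_apfs "$loopdev" "$2"
    after=$(image_hash "$1")
    hashes_match "$before" "$after" && echo "image unchanged: $after" \
        || { echo "WARNING: image hash changed"; exit 1; }
fi
```

The hash comparison is the cheap check that the loop device and FUSE mount really were read-only; keep the pre-mount hash alongside the image as part of your notes.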