F-Response, APFS, and SIP - Oh my

Nov 27, 2018

 
We've been getting a decent amount of calls and emails on this, so we wanted to provide a short update.

Does F-Response still support Apple?

Yes, F-Response can still provide access to physical disks on newer Apple macOS (OS X) systems. However, as of High Sierra and beyond, Apple has made changes that must be handled outside of F-Response before you can move forward. Hopefully this post will help clear up some of the confusion you may be experiencing and lay out what your options are.

Starting with Apple's High Sierra (10.13 and later), two Apple technologies affect every F-Response user: System Integrity Protection (SIP), which Apple introduced in El Capitan (10.11) and which restricts what even root can do on a running system, and the Apple File System (APFS), which became the default file system for new installations with High Sierra. Let's look at each of these in regards to how they affect F-Response.

System Integrity Protection

With SIP enabled, macOS blocks raw (block-level) access to the boot disk device (/dev/rdisk0). This is a major concern for F-Response users, because that is exactly the disk you want at the physical layer for imaging, triage, and analysis. As it stands today, if you connect to an Apple computer using F-Response and do not see rdisk0 listed as an option, SIP is the likely culprit. SIP is enforced by the macOS kernel, its state is stored in NVRAM, and it can only be changed with csrutil from the Recovery environment, so there is nothing we can do from a development standpoint: you need to disable SIP to access rdisk0. Keep in mind that this means rebooting the target into Recovery, so collect any volatile data you need (memory, running processes, network state) before you do it. You can find the steps on how to disable SIP in this blog post: F-Response and High Sierra.

Apple File System

Apple's new file system, APFS, is now the default for new installations. This is not an issue for F-Response itself; it has much more to do with your forensic tools. Once SIP is disabled you can use F-Response to connect to rdisk0 (the physical disk, not the synthesized APFS container disk that diskutil also lists) and image it as you would any physical disk (note: DiscoveryShares will not interpret APFS). To interpret the data on the remotely connected disk, or in the captured image, your forensic tool must be able to read and parse APFS. At the time of this post many tools are still working on adding support for APFS, but X-Ways and BlackBag are two options that currently support it.

Check out the following link for more details on X-Ways and APFS: X-Ways + APFS.

Check out the following link for more details on BlackBag and APFS: Blackbag + APFS.
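Before kicking off a remote collection it is worth running a quick pre-flight check on the target Mac itself, so you know in advance whether rdisk0 will show up in F-Response and whether what you image will need an APFS-aware tool. The script below is an added example and is not F-Response's code. It assumes it runs as root on the target, that /dev/rdisk0 is the internal boot disk (confirm with `diskutil list`), and it parses the output of Apple's `csrutil status` and `diskutil info` commands; the sample outputs embedded in it are constructed for illustration, not captured from a real system. Outside macOS it only exercises the parsers on those samples.

```shell
#!/bin/sh
# Pre-flight check on a Mac before an F-Response physical-disk collection.
# Added example, not F-Response's code. Assumptions: runs as root on the
# target Mac, and /dev/rdisk0 is the internal boot disk (confirm with
# `diskutil list`; the APFS container is a separate synthesized disk).

# sip_state TEXT: classify the output of `csrutil status`.
# Prints enabled / disabled / unknown.
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# fs_personality TEXT: pull the "File System Personality" line out of
# `diskutil info` output, e.g. "APFS" or "Journaled HFS+". This tells you
# whether the forensic tool that parses your image needs APFS support.
fs_personality() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*File System Personality:[[:space:]]*//p' \
      | head -n 1
}

# rdisk_readable DEV: try to read a single sector from the raw device.
# With SIP enabled this read is refused. Prints yes / no / missing.
rdisk_readable() {
    [ -e "$1" ] || { echo missing; return; }
    if dd if="$1" of=/dev/null bs=512 count=1 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# --- Constructed sample output (illustration only, not from a real host) ---
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_DISKUTIL='   Device Identifier:         disk1s1
   File System Personality:   APFS
   Type (Bundle):             apfs'

echo "sample SIP state:      $(sip_state "$SAMPLE_SIP_ON") / $(sip_state "$SAMPLE_SIP_OFF")"
echo "sample FS personality: $(fs_personality "$SAMPLE_DISKUTIL")"

# --- Live check, only where the macOS tools actually exist ---
if command -v csrutil >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
    state=$(sip_state "$(csrutil status 2>&1)")
    fs=$(fs_personality "$(diskutil info / 2>/dev/null)")
    readable=$(rdisk_readable /dev/rdisk0)
    echo "SIP: $state | boot volume FS: $fs | /dev/rdisk0 readable: $readable"
    if [ "$readable" != yes ]; then
        echo "rdisk0 is not readable here; expect F-Response not to list it."
        echo "Disabling SIP means a reboot into Recovery (csrutil): collect volatile data first."
    fi
    if [ "$fs" = APFS ]; then
        echo "Boot volume is APFS: image rdisk0 as usual, parse it with an APFS-aware tool."
    fi
else
    echo "csrutil/diskutil not found: not macOS, live check skipped."
fi
```

Run it on the target before you reboot anything: if `/dev/rdisk0 readable` comes back `no` while SIP reports `enabled`, you have confirmed the SIP block described above, and the APFS line tells you which of your analysis tools can actually open the image you are about to take.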

Hopefully that clears a few things up. If SIP is causing you problems or making it difficult to perform live forensics, incident response, or triage, please make Apple aware.

We cannot change SIP, only Apple can.

Equally frustrated,

M. Shannon, Managing Principal
F-Response