Recently there has been some questions on the forums and Twitter as to how to mount forensic disk images that were captured from Mac system that implemented 4k block sizes. A few years ago, Mac systems started to use 4k blocks instead of 512 byte block sizes. This has caused some issues where you need to mount the image to do analysis without a major forensic suite. BlackBag wrote a good blog article on this last month however I hope to expand on it just a bit to include E01 files and FileVault encryption scenarios.
I will also detail how to mount the forensic disk images using newer APFS file system so analysts can start to do their thing while all the forensic tools catch up! APFS disk images already appear to use 4k block sizes as the default, at least on all my test systems. If you see otherwise, please let me know!
This article will try to provide some options to mount these images, however it cannot solve all the issues or combinations of disks/block sizes/host operating systems – it seems that you will have to upgrade to 10.13 at some point to solve many of these problems.
The following steps will bring you from a full HFS+ FileVault 4k disk image in EWF format to a mounted image using macOS 10.13. (If you have a raw (non-EWF) image, you can bypass steps 1 and 3.)
$ sudo mkdir /Volumes/4k_image/
$ sudo mkdir /Volumes/4k_mounted/
$ sudo xmount –in ewf –out dmg 4k.E01 /Volumes/4k_image/
$ hdiutil attach –nomount –blocksize 4096 /Volumes/4k_image/4k.dmg
[Input Password in Prompt Window]
$ diskutil cs list
$ sudo mount_hfs –o rdonly,noexec,noowners /dev/disk# /Volumes/4k_mounted/
1. Create a mount point to put the xmount converted DMG image (converted from EWF format). [sudo is required when dealing with /Volumes/ since 10.12]
2. Create another mount point to put the mounted image on. This will act as the root volume for the mounted image.
3. Using xmount (sudo required) to convert from EWF (–in) to DMG (–out) format. DMG is selected here since it is very Mac friendly. Provide the E01 image (use E?? if using segments) and the converted image mount point created in Step 1. This could take a few seconds if the disk image is large. Theoretically you can use another mounting utility, I’ve tried ewfmount on 10.13 and ran into errors that I’m still investigating.
4. Using hdiutil, attach (but don’t yet mount) the DMG file created in Step 3. Using the hidden argument –blocksize we can specify 4096 (‘4k’ can also be used here). It is worth noting here that while hidden in 10.13 this option does not appear to exist in 10.12 versions of this utility. It is also is not detailed in the hdiutil man page. Gotta love hidden functionality! This will output a bunch of /dev/disk* options, however none of these are the ones you need thanks to CoreStorage.