{"id":21104,"date":"2018-04-05T17:26:22","date_gmt":"2018-04-05T21:26:22","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=21104"},"modified":"2018-05-01T14:38:10","modified_gmt":"2018-05-01T18:38:10","slug":"blackbag-on-apfs-encryption","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/04\/05\/blackbag-on-apfs-encryption\/","title":{"rendered":"BlackBag on APFS Encryption"},"content":{"rendered":"<p><a href=\"https:\/\/www.blackbagtech.com\/blog\/2018\/04\/02\/ask-expert-apfs-encryption\/\">Joe Sylve<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.blackbagtech.com\/blog\/2018\/04\/02\/ask-expert-apfs-encryption\/\"><p>Whether or not you &ldquo;unlock&rdquo; an APFS volume during acquisition, physical APFS images will still contain encrypted data.  Analysis tools such as BlackLight will then need the proper user password or recovery key to decrypt this data on demand, as you are conducting an examination.  It is not technically possible to create a forensically sound physical image of an encrypted APFS volume that contains logically decrypted data.<\/p><p>[&#8230;]<\/p><p>APFS encrypts data blocks using the XTS-AES-128 cipher.  In order to decrypt data, several pieces of information are required:<\/p><ul><li>The encrypted data<\/li><li>128-bit Volume Encryption Key<\/li><li>128-bit Secondary Encryption Key<\/li><li>The original &ldquo;block number&rdquo; of the file<\/li><\/ul><p>Each volume in an APFS container uses unique volume and secondary encryption keys.  When a file is deleted, its data blocks are released to the container pool.  At that point it is not possible to map an unallocated data block back to its original volume.  We therefore do not know which encryption keys to use to correctly decrypt the data.  This process is further complicated due to the fact that encrypted blocks can be relocated on disk.  When this happens, the data is not re-encrypted, and the original block number must be known to decrypt the data.  This information is generally lost when a file is deleted.<\/p><\/blockquote>\n\n<p>Update (2018-05-01): See also: <a href=\"https:\/\/static.ernw.de\/whitepaper\/ERNW_Whitepaper65_APFS-forensics_signed.pdf\">APFS Internals for Forensic Analysis<\/a> (PDF, via <a href=\"https:\/\/twitter.com\/Enno_Insinuator\/status\/989420747268546560\/photo\/1\">Enno Rey<\/a>).<\/p>","protected":false},"excerpt":{"rendered":"<p>Joe Sylve: Whether or not you &ldquo;unlock&rdquo; an APFS volume during acquisition, physical APFS images will still contain encrypted data. Analysis tools such as BlackLight will then need the proper user password or recovery key to decrypt this data on demand, as you are conducting an examination. It is not technically possible to create a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-04-12T01:12:05Z","apple_news_api_id":"2e55c196-f267-4002-bbb2-0fda56ecc544","apple_news_api_modified_at":"2018-05-01T18:38:13Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/ALlXBlvJnQAK7sg_aVuzFRA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[1395,1647,31,1472,30,1529,1648,48],"class_list":["post-21104","post","type-post","status-publish","format-standard","hentry","tag-apple-file-system-apfs","tag-blacklight","tag-ios","tag-ios-11","tag-mac","tag-macos-10-13","tag-macquisition","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=21104"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21104\/revisions"}],"predecessor-version":[{"id":21393,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21104\/revisions\/21393"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=21104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=21104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=21104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}