A simple guide on how to mount APFS (macOS) E01 images in Linux.

sudo cp apfs-* /usr/local/bin/
Mounting
1. Create mountpoint for E01 image
sudo mkdir /mnt/ewf
2. Mount the E01 image
sudo ewfmount /path/to/your/APFS.E01 /mnt/ewf
3. Check that the image mounted correctly (it should return /mnt/ewf/ewf1)
sudo ls -la /mnt/ewf
4. Look at the partition table to identify the starting offset of the partition of interest
sudo mmls /mnt/ewf/ewf1
The partition we want to mount starts at offset 409640.
Units are in 512-byte sectors so we multiply our offset of interest by 512. 409640*512 = 209735680.
5. Mount the ewf1 as a loop device:
First, we need to identify which loop device is free for us to use:
df -h
This is an output example I took from here; the user is on Ubuntu 20.04.
As you can see, the highest-numbered loop device in use is loop4. The user above would mount the partition on /dev/loop5, because all lower-numbered /dev/loop devices (below 5) are in use.
sudo losetup -r -o (OffsetX512) /dev/loop(YourNumber) /mnt/ewf/ewf1
6. Create a mountpoint for your APFS Partition
sudo mkdir /mnt/apfs
7. Mount the loop device with apfs-fuse
sudo apfs-fuse /dev/loop(YourNumber) /mnt/apfs
8. Check that all is mounted correctly
sudo ls -la /mnt/apfs
It should return the root and private-dir directories. The user files are in the root directory.
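The mounting steps above as a script (an added example, not part of the original post): it computes the byte offset from mmls output instead of by hand and lets losetup pick a free loop device with -f. The function names and the mmls sample are constructed for illustration; the mountpoints are the ones used in this guide.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# Print the byte offset of the partition in mmls row $1 (e.g. "005").
# Reads mmls output on stdin. awk does the arithmetic because mmls zero-pads
# sector numbers, and shell $(( )) would reject 0000409640 as invalid octal.
partition_offset_bytes() {
  awk -v row="$1:" '
    /^Units are in [0-9]+-byte sectors/ { sub(/-byte/, "", $4); size = $4 + 0 }
    $1 == row { start = $3 + 0; found = 1 }
    END {
      if (!found || !size) exit 1        # unknown row or no sector size line
      printf "%.0f\n", start * size
    }'
}

# Steps 1-7 of this guide in one function. Run as root; needs ewfmount, mmls
# and apfs-fuse installed. Arguments: path to the E01 image, mmls row number.
mount_apfs_e01() {
  local image="$1" row="$2" offset loopdev
  mkdir -p /mnt/ewf /mnt/apfs
  ewfmount "$image" /mnt/ewf
  offset=$(mmls /mnt/ewf/ewf1 | partition_offset_bytes "$row") || return 1
  # -f takes the first unused loop device, --show prints it, -r is read-only
  loopdev=$(losetup -f --show -r -o "$offset" /mnt/ewf/ewf1) || return 1
  apfs-fuse "$loopdev" /mnt/apfs
  echo "$loopdev"                        # keep this for losetup --detach
}

# Constructed sample of mmls output (not taken from a real image).
SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0976773127   0976363488   Constructed APFS partition'

# Offline demonstration on the sample: prints 209735680
printf '%s\n' "$SAMPLE_MMLS" | partition_offset_bytes 005
```

To mount a real image, call mount_apfs_e01 as root with the image path and the row number from your own mmls output; the loop device it prints is the one to pass to losetup --detach when unmounting.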
Unmounting
1. Unmount the APFS mountpoint
sudo umount /mnt/apfs
2. Detach the loop device
sudo losetup --detach /dev/loop(YourNumber)
3. Unmount the E01 image
sudo umount /mnt/ewf
TLDR
– Use libewf to mount the E01 image.
– Mount ewf1 as a loop device.
– Use apfs-fuse to mount the loop device to a mountpoint.