- #Classic games collection formatted for mac os x vol 1 how to
- #Classic games collection formatted for mac os x vol 1 update
- #Classic games collection formatted for mac os x vol 1 upgrade
- #Classic games collection formatted for mac os x vol 1 full
Using hdiutil, attach (but don’t yet mount) the DMG file created in Step 3. Having trouble installing Xmount? Does it say OS X Fuse is not installed? Look in the comments section for a fix.Ĥ. Theoretically you can use another mounting utility, I've tried ewfmount on 10.13 and ran into errors that I'm still investigating. This could take a few seconds if the disk image is large. Provide the E01 image (use E? if using segments) and the converted image mount point created in Step 1. DMG is selected here since it is very Mac friendly. Using xmount (sudo required) to convert from EWF (-in) to DMG (-out) format. This will act as the root volume for the mounted image.ģ. Create another mount point to put the mounted image on. Create a mount point to put the xmount converted DMG image (converted from EWF format). $ sudo mount_hfs –o rdonly,noexec,noowners /dev/disk# /Volumes/4k_mounted/ġ. $ hdiutil attach –nomount –blocksize 4096 /Volumes/4k_image/4k.dmg $ sudo xmount -in ewf -out dmg 4k.E01 /Volumes/4k_image/ (If you have a raw (non-EWF) image, you can bypass steps 1 and 3.)
#Classic games collection formatted for mac os x vol 1 full
The following steps will bring you from a full HFS+ FileVault 4k disk image in EWF format to a mounted image using macOS 10.13.
#Classic games collection formatted for mac os x vol 1 upgrade
This article will try to provide some options to mount these images, however it cannot solve all the issues or combinations of disks/block sizes/host operating systems – it seems that you will have to upgrade to 10.13 at some point to solve many of these problems. If you see otherwise, please let me know!
#Classic games collection formatted for mac os x vol 1 how to
I will also detail how to mount the forensic disk images using newer APFS file system so analysts can start to do their thing while all the forensic tools catch up! APFS disk images already appear to use 4k block sizes as the default, at least on all my test systems. BlackBag wrote a good blog article on this last month however I hope to expand on it just a bit to include E01 files and FileVault encryption scenarios. This has caused some issues where you need to mount the image to do analysis without a major forensic suite. A few years ago, Mac systems started to use 4k blocks instead of 512 byte block sizes.
Recently there has been some questions on the forums and Twitter as to how to mount forensic disk images that were captured from Mac system that implemented 4k block sizes.
#Classic games collection formatted for mac os x vol 1 update
I will update the spreadsheet below as necessary.įor previous related blogs see here and here. If you disagree with the current findings - also let me know (I will also expect screenshots/videos from you to be sure we're on the same page.) I have tested 10.3.3 (host system) and 10.13.4 (VM) but would love someone to sanity check me - I've been wrong in the past!) I would have done more testing on different versions but have a limited set of systems as I'm traveling right now. If I am missing a certain scenario that you think should be added please let me know. I'm also consistently using the "Erase" button versus the "Partition" button. Please also test if you find (or don't find) the results in the Unified logs and/or the install.log or neither (and god forbid any other locations you might come across!). (If you happen to get it to leak the password on 10.12.x please let me know.) I'm also organizing by disk formatting scenario since I believe this is where most of the confusion comes from.ĪPFS encrypted volumes can be created on the disk level as well as the volume level and it truly seems to make a difference. The table below is sorted by macOS version - I'm just testing 10.13.x here. Some folks can replicate and some cannot - so I think its high time to test this properly to see what versions and scenarios are affected by this bug. There has been some confusion (myself included) on what is vulnerable to this bug and what isn't.