Fuji - A New Open Source Tool for Full File System Acquisition of Mac Computers

Fuji - A New Open Source Tool for Full File System Acquisition of Mac Computers (PDF, 4.17MB)Last updated: 29 Sep, 2024

Presented by:

Andrea Lazzarotto

SANS DFIR Europe - Prague 2024

The advent of Apple Silicon introduced new challenges for forensic acquisition on macOS devices, as traditional imaging tools like dd or Disk Utility cannot be used due to hardware-level encryption. This issue inspired the creation of Fuji, a free and open-source tool designed for the forensic acquisition of Mac computers.

Fuji leverages native Apple utilities such as ASR and Rsync to perform a Full File System (FFS) live acquisition, thus working even on encrypted drives. It generates DMG files compatible with tools like FTK Imager and Autopsy.

We will explore what Fuji is capable of, the differences between its acquisition modes, and how it was developed using Python.

Presenters

Andrea Lazzarotto

Andrea Lazzarotto works as a digital forensics consultant in Italy and has conducted research on anti-forensics methods for tampering with WhatsApp chats.

Related Resources

Backdoors and Breadcrumbs

Summit PresentationDigital Forensics and Incident Response

24 Jul 2025
Federico Cedolini
SANS DFIR Summit 2025

Forensic Analysis of TAILs

Summit PresentationDigital Forensics and Incident Response

24 Jul 2025
Aaron Sparling
SANS DFIR Summit 2025

macOS Lockdown Mode: A DFIR Odyssey

Summit PresentationDigital Forensics and Incident Response

24 Jul 2025
Bhargav Rathod
SANS DFIR Summit 2025

MDR to IDR Handoffs: Stick the Landing

Summit PresentationDigital Forensics and Incident Response

24 Jul 2025
Jess Burn, Jeff Pollard
SANS DFIR Summit 2025

Making Sense of the Chaos

Summit PresentationDigital Forensics and Incident Response

24 Jul 2025
Lee Archinal, Arun Warikoo
SANS DFIR Summit 2025

Consolidating Relevant Events Logs and Alerts

Summit PresentationDigital Forensics and Incident Response

24 Jul 2025
Ezz Tahoun
SANS DFIR Summit 2025

Related Courses

View All Courses

Slide 1 of 15
FOR589: Cybercrime Investigations
Intermediate
FOR589Digital Forensics and Incident Response
5 Days (Instructor-Led)
30 CPEs / 30 Hours (Self-Paced)
Labs: 20 Hands-On Labs
View course details Register
Slide 2 of 15
FOR585: Smartphone Forensic Analysis In-Depth
Essentials
FOR585Digital Forensics and Incident Response
GIAC Advanced Smartphone Forensics (GASF)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 22 Hands-On Labs
View course details Register
Slide 3 of 15
FOR608: Enterprise-Class Incident Response & Threat Hunting
Intermediate
FOR608Digital Forensics and Incident Response
GIAC Enterprise Incident Responder (GEIR)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 20 Hands-On Labs
View course details Register
Slide 4 of 15
FOR518: Mac and iOS Forensic Analysis and Incident Response
updatedIntermediate
FOR518Digital Forensics and Incident Response
GIAC iOS and macOS Examiner (GIME)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 23 Hands-On Labs
View course details Register
Slide 5 of 15
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
updatedIntermediate
FOR508Digital Forensics and Incident Response
GIAC Certified Forensic Analyst (GCFA)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 35 Hands-On Labs
View course details Register
Slide 6 of 15
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Advanced
FOR610Digital Forensics and Incident Response
GIAC Reverse Engineering Malware (GREM)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 48 Hands-On Labs
View course details Register
Slide 7 of 15
FOR578: Cyber Threat Intelligence
Intermediate
FOR578Digital Forensics and Incident Response
GIAC Cyber Threat Intelligence (GCTI)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 20 Hands-On Labs
View course details Register
Slide 8 of 15
FOR509: Enterprise Cloud Forensics and Incident Response
Major UpdatesIntermediate
FOR509Digital Forensics and Incident Response
GIAC Cloud Forensics Responder (GCFR)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 23 Hands-On Labs
View course details Register
Slide 9 of 15
FOR528: Ransomware and Cyber Extortion
Intermediate
FOR528Digital Forensics and Incident Response
4 Days (Instructor-Led)
24 CPEs / 24 Hours (Self-Paced)
Labs: 13 Hands-On Labs
View course details Register
Slide 10 of 15
FOR577: LINUX Incident Response and Threat Hunting
Intermediate
FOR577Digital Forensics and Incident Response
GIAC Linux Incident Responder (GLIR)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 23 Hands-On Labs
View course details Register
Slide 11 of 15
FOR710: Reverse-Engineering Malware: Advanced Code Analysis
Advanced
FOR710Digital Forensics and Incident Response
36 CPEs / 36 Hours (Self-Paced)
Labs: 12 Hands-On Labs
View course details Register
Slide 12 of 15
FOR498: Digital Acquisition and Rapid Triage
Essentials
FOR498Digital Forensics and Incident Response
GIAC Battlefield Forensics and Acquisition (GBFA)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 20 Hands-On Labs
View course details Register
Slide 13 of 15
FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models
newIntermediate
FOR563Digital Forensics and Incident Response
1 Day (Instructor-Led)
6 CPEs / 6 Hours (Self-Paced)
Labs: 4 Hands-On Labs
View course details Register
Slide 14 of 15
FOR500: Windows Forensic Analysis
Essentials
FOR500Digital Forensics and Incident Response
GIAC Certified Forensic Examiner (GCFE)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 22 Hands-On Labs
View course details Register
Slide 15 of 15
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Advanced
FOR572Digital Forensics and Incident Response
GIAC Network Forensic Analyst (GNFA)
6 Days (Instructor-Led)
36 CPEs / 36 Hours (Self-Paced)
Labs: 20 Hands-On Labs
View course details Register