Releases: Lazza/Fuji

1.2.0 - Recovery mode

14 Feb 23:28

Fuji: Forensic Unattended Juicy Imaging

Recovery mode

Version 1.2.0 introduces a brand new way of running Fuji from an external USB device on both Apple Silicon and Intel Macs. The Fuji Cartridge can be started and then removed from the Mac, freeing a USB port and letting you start multiple Macs with Fuji in recovery mode, one after the other.

✅ If the Mac does not use FileVault, you will not need the user's credentials.

The Sysdiagnose acquisition method now produces a ZIP file, includes many more logs and converts them to JSONL.

Enhancements and bug fixes

This release includes a lot of enhancements and bug fixes:

  • RAM-disk self-replication: Fuji replicates itself into a RAM-disk when run in recovery mode. This means you can disconnect and reuse your Fuji Cartridge drive.
  • Ditto acquisition method: This method is an alternative to Rsync, enabled only in recovery mode. This is the suggested method to use when running your Fuji Cartridge drive.
  • Automatic cleanup: Useless temporary files are not retained anymore after acquisition is completed.
  • Easier user interface: Only one method description is shown at any given time. The "output destination" field has been moved above the "temporary files" one, because the latter is usually left to the same default value.
  • Data volume selection: Fuji automatically selects the user data volume instead of the root drive. This is the recommended setting for "Full File System" style acquisitions.
  • Better colors: previous versions used very harsh shades of green and red.
  • Unified logs: many more logs are acquired now.
  • Sysdiagnose method: it produces a ZIP file instead of a DMG. SQLite has been abandoned in favor of JSONL, making Fuji easily interoperable with tools such as Timesketch. Moreover, the conversion takes a lot less time than before.
  • Acquisition timezones: start and end dates show a timezone now.
  • ASR method: the ASR method is no longer recommended due to occasional issues encountered by several users.
  • Enhanced build procedure: the new DMG format can be flashed with balenaEtcher.

Brand new docs

Please check out the new documentation website: https://fujiapp.top

1.1.0 - Sysdiagnose and more

21 Aug 22:39

Sysdiagnose and more

This release includes several enhancements and bug fixes, along with a few interesting new features:

  • Sysdiagnose acquisition method (#10): This new functionality acquires system data and unified logs using the sysdiagnose command. Fuji will automatically convert the Unified Logs to SQLite for you, making analysis much easier.
  • List of drives and partitions (#15): Fuji now includes a table of drives and partitions, along with information about them. Mounted partitions can be set as the source with a single click. Thanks to @BrunoFischerGermany for the suggestion (#12) and the initial proof-of-concept implementation (#13). The "used space" for the main / mount point is estimated by examining the state of the whole APFS container.
  • Better support for old macOS versions (#14): The ASR and Rsync acquisition methods have been tested successfully even on macOS versions as old as 10.13 High Sierra (released in 2017). See also #8. Please note that the Sysdiagnose acquisition method needs more testing and verification on legacy OSes.

⚠️ Carefully read the README file before using this software. ⚠️

1.0.0 - First public release

19 May 22:25

First public release

This is the first public release of Fuji, a logical acquisition tool for Mac computers. It includes two different modes:

  • ASR: Apple Software Restore logical acquisition.
    This is the recommended option, but it works only for volumes.
  • Rsync: Files and directories are copied using Rsync.
    This is slower but it can be used on any source directory. Errors are ignored.

Carefully read the README file before using this software.