Getting Saucy with APFS!

The State of Apple’s New File System

Sarah Edwards | @iamevltwin | oompa@csh.rit.edu | mac4n6.com

Apple File System History
 Apple File Systems – Let’s Reminisce

1985 1998 2017

1984 Hierarchical File Hierarchical File Apple File

System System Plus System
Macintosh File
System (MFS) • HFS or Mac • HFS+ or Mac • APFS
OS Standard OS Extended • iOS 10.3,
• System 2.1 • System 8.1 macOS 10.13

Rich Trouton - Storing our Digital Lives: Mac filesystems from MFS to APFS https://youtu.be/IHZK30h8x4w
 APFS Timeline

June 26, September March 27, September

2016 20, 2016 2017 25, 2017
• Announced • macOS 10.12 • iOS 10.3 • macOS 10.13
at WWDC • “Experimental • tvOS 10.2
Support” • watchOS 3.2
APFS Gist

š New default file system for iOS 10.3,

macOS 10.13 (with caveats), watchOS
3.2, & tvOS 10.2
š Some basic APFS functionality available
with Sierra (10.12)
š iOS upgrade to APFS transparently in 10.3
update
š Fusion Drives & HDDs not automatically
converted to APFS
š High Sierra (10.13) install performs in-place
upgrade to APFS from HFS+
š 64-bit File System
š Optimized for Flash/SSD Drives
š Can be used on HDDs
š Internal & External - Bootable & Data Drives
š Can be used across multiple drives
(ie: RAID-ish, CoreStorage-ish)
š Nanosecond Timestamp Granularity
š Implements TRIM
Acquisition
iOS Acquisition

š Assumes physical/jailbroken access

š Disk Layout: /etc/fstab
š ‘dd’ system partition imaging limited by permissions = ”Operation not permitted”
š “Logical/Physical” Acquisition – Tar bundle of logical files from physical partitions
š https://www.mac4n6.com/blog/2018/1/7/ios-imaging-on-the-cheap-part-deux-for-ios-10-
11
macOS Acquisition
š macOS
š Turn off SIP (System Integrity Protection)
š Reboot into Recovery Mode and run
‘csrutil disable’
š Can re-enable after imaging by rebooting
into recovery mode and ‘csrutil
enable’
š SIP Status – ‘csrutil status’
š Encryption
š Password or Recovery Key Required
š Physical Disk (/dev/disk0) - For single drive
APFS implementation
š Logical Container (/dev/disk1) - For
systems using spanning data across
multiple physical disks (Converted Fusion
drives, multiple SSDs, etc.)
š Tools
š dd/dcfldd/dc3dd
š Access Data FTK CLI Imager
š BlackBag MacQuisiton
š Sumuri Recon Imager
BlackBag MacQuisition
SIP Acquisition Errors

š Devices not available with SIP

enabled
š Even with root!
š Disable SIP using csrutil in
Recover Mode
š Reboot, CMD+R
š csrutil disable
macOS Disks & Partitions
diskutil list
GPT Partitions
gpt –r show /dev/disk0
š EFI Partition GUID - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
š APFS Partition GUID - 7C3457EF-0000-11AA-AA11-00306543ECAC
š FYI: gpt command can only be run with SIP disabled
 APFS Containers
diskutil ap list

APFS Container

Container Disk

Physical Store
Volumes
• Roles (“None” (User/OS), PreBoot, Recovery, VM)
• Encryption Status - “HighSierra” uses FileVault
Pooled Storage or “Space Sharing”
 “Space Sharing”

š APFS Containers may contain multiple volumes

š Disk spaced is shared amongst other volumes
APFS Container (8GB)
APFS_ APFS_
APFS_VOL1
VOL2 VOL3 Free Space
(146.4MB) (25.5MB) (10.2MB)
Forensic Tool Analysis Support
Forensic Tool Analysis Support

Tool Support Notes

AccessData FTK No
BlackBag BlackLight Yes FileVault Support
macOS 10.13 Yes Native via Image Mounting, FileVault Support
Magnet Axiom No
Nuix No
OpenText EnCase Meh. Logical L01 File – No full native support.
SANS SIFT Yes Via Image Mounting, 3rd Party Driver, No
FileVault Support
Sleuthkit No Soon? DFRWS US 2018, Paper by Joe Sylve
Sumuri Recon Yes FileVault Support
XWays Yes Unencrypted APFS Support
BlackBag BlackLight
Mounting
 MacOS – w/ or w/o FileVault Encryption
10.13 Host Required

1.$ sudo mkdir /Volumes/apfs_image/

2.$ sudo mkdir /Volumes/apfs_mounted/
3.$ sudo xmount --in ewf apfs.E01 --out dmg /Volumes/apfs_image/
4.$ hdiutil attach –nomount /Volumes/apfs_image/apfs.dmg
5.$ diskutil ap list
6.$ diskutil ap unlockVolume <Disk GUID> –nomount
7.$ sudo mount_apfs –o rdonly,noexec,noowners /dev/disk#
/Volumes/apfs_mounted/
Windows & Linux Mounting Options

š APFS drivers from Paragon (paragon-software.com)

š Windows – Free, Currently no support for FileVault
š Linux – Price and FileVault Support Unknown – “Contact Us”
š Open Source APFS Driver by sgan81 – APFS-fuse
š https://github.com/sgan81/apfs-fuse
š FileVault Encryption Supported (with password)
š Fantastic Tutorials from Mari DeGrazia
š http://az4n6.blogspot.com/2018/01/how-to-mount-mac-apfs-images-in-windows.html
š Using Arsenal Image Mounter
š http://az4n6.blogspot.com/2018/01/mounting-apfs-image-in-linux.html
APFS Features
Clones

š Instant copy of
files/directories
š No redundant use of space
š New/modified data to files
saved in separate blocks
š File changes saved as
deltas
 Snapshots

š Read-only snapshot of the file system

š Efficient Backups (Time Machine)
š Time Machine Local Snapshots created: Once an hour & before macOS updates
š Time Machine Local Snapshots kept for 24 hours
š Create on-demand snapshot ‘tmutil localsnapshot’
š 10.12 had command apfs_snapshot
š Use tmutil and apfs_mount on live system
š Still trying to determine how to use forensically from dead image
š About Time Machine local snapshots - https://support.apple.com/en-us/HT204015
 Snapshots
Live List

š diskutil ap listsnapshots <mountpoint>

š …or listsnaps (for the millennials)
š tmutil listlocalsnapshots <mountpoint>
Snapshot Mounting – Live System
Encryption

š Encryption, built in.

HFS+ required CoreStorage wrapper
š Encryption per Volume
š Modes:
š No Encryption
š Single-key
š Multi-key
š Per-file keys for data
š Key for sensitive metadata

š AES-XTS, AEX-CBC (depends on hardware)

š https://www.blackbagtech.com/blog/2018/04/02/ask-expert-apfs-encryption/
APFS Password Bug – Unified Logs & install.log

https://www.mac4n6.com/blog/2018/4/1/ok-internet-lets-test-this-apfs-password-bug-properly
The Future of APFS Forensics
HFS+ Documentation – TechNote 1150

š HFS+ first implemented in 1998

š Published 1999
š Last Updated in 2004!
š “Reserved for future use.”
In-Depth Analysis & Tools
File System Documentation Resources

!
š Kaitai Struct from cugu - https://github.com/cugu/apfs.ksy
š ‘Decoding the APFS file system’ by Kurt H. Hansen & Fergus Toolan
š https://www.researchgate.net/publication/319573636_Decoding_the_APFS_file_system
š ENRW Whitepaper 65 - APFS Internals for Forensic Analysis by Andreas Dewald & Jonas Plum
š https://static.ernw.de/whitepaper/ERNW_Whitepaper65_APFS-forensics_signed.pdf
 References & Links

š https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/APFS_Guide/
š https://www.blackbagtech.com/blog/2018/04/02/ask-expert-apfs-encryption/
š https://www.blackbagtech.com/blog/2018/04/11/apple-file-system-apfs-mac-forensic-imaging-analysis/
š https://www.mac4n6.com/blog/2017/11/26/mount-all-the-things-mounting-apfs-and-4k-disk-images-on-macos-1013
š https://www.blackbagtech.com/blog/2018/04/11/apple-file-system-apfs-mac-forensic-imaging-analysis/
š https://www.paragon-software.com/home/apfs-windows/
š https://www.paragon-software.com/business/apfs-linux/
š https://github.com/sgan81/apfs-fuse
š http://az4n6.blogspot.com/2018/01/how-to-mount-mac-apfs-images-in-windows.html
š http://az4n6.blogspot.com/2018/01/mounting-apfs-image-in-linux.html
š https://derflounder.wordpress.com/category/apple-file-system/
š https://developer.apple.com/videos/play/wwdc2016/701/
š https://developer.apple.com/videos/play/wwdc2017/715/