ERNW White Paper 65

APFS Internals for Forensic Analysis

In forensic computing, and especially in post-mortem file system forensics, the reconstruction of lost or deleted files plays a major role. The techniques that can be applied to this end depend strongly on the specifics of the file system in question. Several file systems are already well investigated: FAT16/32 and NTFS for Microsoft Windows systems, Ext2/3/4 as the most common Linux file systems, and HFS/HFS+ for macOS. Tools such as the well-known Sleuthkit by Brian Carrier provide file recovery features for these file systems by interpreting the file system's internal data structures. APFS is the new file system for Apple devices; it is used by default on all current iOS mobile devices as well as on macOS since High Sierra. For APFS, which is currently being rolled out on a large number of devices, no forensic file recovery methodologies have been developed so far. To allow for manual analysis or the development of forensic file recovery methods, a deeper understanding of the file system's internal structures is necessary. In this paper, we analyse APFS and describe its internal structures in order to provide forensic and incident analysts with the knowledge required to this end.