
All right, I'll give about 30 seconds or so for everybody to settle on in.

All right, I'd like to get started here. You are in Getting Saucy with APFS. You see what I did there? All right, yeah, I love puns, it's a good time. So why am I here, who the heck am I? I am a Mac fangirl, straight up. I don't deny it. I will definitely buy just about anything with an Apple logo on it, don't care how much it is, I spend way too much money on it. But I do have real jobs, and that is yes, with an S. So by day I am a government contractor, surprise, DC area government contractor, for Parsons Corporation, and I do mobile forensics R&D stuff. And by night I do the SANS Mac forensics course, so author and instructor of that. So I keep pretty busy, I don't have any free time to do anything else, so I don't really have any hobbies other than Mac stuff.

So what I want to talk to you about today is APFS. So it's Apple's new file system. Everybody's kind of freaking out about it. I get a ton of emails saying, hey, does your course cover this, you know, how do I look at this stuff? So this is kind of a quick triage run-through on what can I do if I have an APFS image, forensically speaking, right now. So we'll talk about the different tool support, we'll talk about how to mount these things, I'll even show you some demos, hopefully the demos work, I do have videos though just to be sure. Talk about how to acquire them, some of the caveats associated with that, and all sorts of good stuff with that. So if you are looking to get into a really deep dive into the hex kind of APFS stuff, this is not that presentation. I truly hope to do that presentation at some point in time, but I'll talk about why this isn't that presentation in just a little bit.

So a little bit of history. So where did this come from, why do we have APFS now? So first off,
1984 came out, we have the first Macintosh. This one had Macintosh File System, or MFS. This was more or less a flat file system, so you know, didn't have a whole lot of stuff going on there. They used this one for about a year or so. 1985, HFS came out. Now you might have actually heard of HFS, it's been Apple's primary file system for a long time, though truly it's been HFS Plus. So HFS was used for a few years, but 1998 came out and we were starting to use HFS Plus. So HFS Plus was an extended version of HFS, they added in a bunch of stuff, kind of made some band-aids and things to fix some things for a modernish file system. So we've been working with HFS Plus, from a forensic standpoint, almost 20 years, which is kind of ridiculous. It's been around for a long, long time. So it was really getting long in the tooth. There wasn't a whole lot of capability for some of the modern technologies that Apple has been introducing, things like Core Storage, Fusion Drives, I'll talk a little bit about that as the presentation goes on. So they really needed to come out with something that supported all of these features, so they introduced them in 2017: APFS, or Apple File System. I'm starting to see this now in iOS and macOS and all the other different products as well, so it's used across all the Mac devices.

So as far as APFS came out, it was introduced in 2016 at WWDC. This is where I was like, oh my gosh, they're introducing a new file system, oh crap. Usually, from a forensic standpoint, you get these nice forensic suites that are out there, and it will take some time to actually put in support for this. So they've had a heads up. I'm talking like the FTKs, the EnCases, the BlackLights, the big forensic suites. I'll talk about who supports it now and who does not support it. But even just straight up HFS Plus, it's been around for two decades, and they have trouble parsing a lot of the features in HFS Plus. So I'm like, oh great, a new file system, awesome, let's see how well they do with that. Because granted, nobody likes Apple stuff, it's always the redheaded stepchild of the operating systems from a forensic standpoint. Everybody always supports Windows-based stuff first, so Apple doesn't get a whole lot of good capability when it comes to support from forensic suites. So they've had a little bit of heads up.

So 2016 it was introduced, it was announced anyway. September 20th, 2016, there was some experimental support, so people started digging into this stuff. There's a few command line utilities out there to create different APFS images and disk images and formatting and things like that, but it wasn't truly supported as an operating system based feature. So March 27, 2017 came out. This is when all your iOS devices upgraded to APFS. This was actually pretty amazing. I was waiting for, like, the biggest... I'm trying to use a polite word here. Yes, let's see, yes, let's use dumpster fire. I was waiting for something to just get destroyed, but it was actually pretty transparent. Most people didn't even realize that there was a completely new operating system, or file system, on their systems when they were upgrading the operating systems on their iOS devices, their iPhones, iPads, their watches, their TVs. It was really transparent. So I got to give it up for Apple for that one, they did a very, very good job in doing that. A little bit later they introduced it on macOS 10.13, so High Sierra came out. That one was maybe less transparent for some folks. There are a few issues there, some people were complaining about losing data and things like that, but in my own personal experience I didn't have a problem with it, it was actually pretty good. So now, that wasn't all devices, so I'll talk about some of the caveats with that upgrade in just a bit.

So a quick, just for APFS, you know, why
did this thing exist? They wanted one operating system for all Apple devices. So as of right now it is on everything with an Apple logo: your watches, your phones, your iPads, your Mac systems, if it's been upgraded to the versions here, so 10.3 on iOS, 10.13 on macOS, with a few caveats. 10.12, you might see some APFS stuff, but it was not fully supported, so you probably won't see a whole lot of OS-based images with APFS, since it did come out in macOS 10.13. Now Fusion Drives and hard disk drives, this is where those caveats exist. These were not automatically upgraded to APFS transparently from a user upgrade standpoint. So Fusion Drives, don't expect to see those with APFS currently, they're only supported right now with HFS. So I do think Apple will in the future support Fusion Drives being transferred over to the new file system, but it's not the default as of yet. It's also hard disk drives, so the big spinning drives. So if you have an older Mac with no flash-based hard drive in there, you might see that that is HFS, unless the user specifically went in and converted it. So it's not automatic through the upgrade, somebody has to actually go in and do that. So a few caveats there.

64-bit file system. So HFS is 32-bit, so what does that mean? We get more inodes. We'll show you a couple things in the file system, but you get basically a bajillion inodes, so a lot of support there. A few other things: it is optimized for flash and SSD drives. So most of the new modern Macs are coming out with flash-based systems, even the iOS devices as well, it's all flash-based. Not saying you can't install it on a spinning drive, you just need to physically go in there and do the conversion. One thing that I really like is nanosecond timestamp granularity. I'm a forensics nerd, the more granular a timestamp is, the better off you are when you're putting together your timeline. So I'm actually pretty excited about that one. I know it sounds kind of stupid, but you know, it's a forensics thing, what can I say, love me some timestamps.

So a little bit about acquisition of these devices. This can be a little bit tricky. Mac and iOS acquisition are already tricky as it is, but I will go into some of the caveats in here. So first off, talk a little bit about iOS acquisition. This is going to assume that you have physical or jailbroken access to the device. Otherwise you're doing your Cellebrite dumps, your XRY dumps, your iTunes backups. It doesn't care about the file system, it truly has no knowledge about that
when you're doing those logical acquisition pulls. So if you have jailbroken access, you get in there through SSH, through whatever means you might have, you look at the /etc/fstab file. This is going to show you what's mounted and where. So I have an example of the one up there, unfortunately the color is a little bit darker for this particular screen, but we have two partitions that I've highlighted, /dev/disk0s1s1 and /dev/disk0s1s2. The first one is the system partition, it holds the operating system, the iOS operating system, on there. The second one is mounted on /private/var, this is the user data partition. So forensically you're probably going to be more or less interested in /private/var, unless you're going into the system partition to maybe check if there's malware, if it's been compromised, things like that.

So I kind of have a method for acquisition that I'm calling a logical-physical. It's kind of a mixture of the two forensic acquisitions. Due to data protection and encryption on iOS devices, getting a full bit-by-bit dd image of the drive is not going to do you any good, it's all going to be encrypted. So what I do is I go in there and basically do a tar bundle of all the files on that device, and I can either do the system and user partition, or just get it all from the root file system, and pull it down into a tar bundle and take a look at that. Basically just a large archive of all the files on there. So you're getting physical access, so you get all the extra files and databases and stuff that your Cellebrites are not pulling, but you're doing it in an unencrypted fashion. So you go in there, you grab it, and you should be good to go. Most forensic utilities can import a directory of files. So perhaps not the most forensically sound, but it's really the only way to pull off a lot of that data in a bulk format. So I have a few links down here about the whole process that I go through of jailbreaking and getting access to that SSH and doing that tar bundle. So I have one for iOS 10 as well as for iOS 11, and some older ones if you look in some of the links for that blog article.

But as far as the file system goes, it's, you know, APFS kind of introduced what I want to call kind of limitations in pulling a full dd. So the system partition is unencrypted. I could pull a full dd of that previously, before 10.3 came out. If I tried to do that now, I kind of have some examples in the other screenshot there, I'm going to get an "Operation not permitted" error. So they're locking that down. So they've been locking stuff down pretty well on iOS, and they've been doing pretty close to the same thing on macOS as well. So that access is just not available yet. There's certainly some magic somewhere that we could potentially put in there, but I just haven't figured out how to do that yet, so that's one of those things I'm still working on. But I do my logical-physicals and everything seems to be fine with that.
So now as far as Mac acquisition goes, this one can be a little bit tricky. We have a lot of different things that could be an issue: is the system live and up and running, is there encryption at play? So I'm kind of going to go through some of the features here of what could be some of the issues. First thing, if you're doing straight up access with dcfldd, dc3dd, you're going to need to turn off SIP, or System Integrity Protection. These utilities, they want to access the drives, the /dev devices, but it's not going to allow that. So Apple has locked it down, Apple has locked a lot of stuff down with SIP, so you're going to want to turn that off in order to get access to the drives. It's actually pretty easy to do: if you reboot, go into recovery mode, do the csrutil disable, and you can always enable it later on. So forensically speaking, you want to leave the machine in the state that it was presented to you as, and you can do that just fine if you need access to the drive. This becomes an issue because if there's encryption and you don't have the password, so if it's using FileVault encryption, this is not going to be your best bet. You don't want to reboot the device, because then you're not going to get access to it no matter what. So you might end up having to just do a logical acquisition at that point. So it does use FileVault encryption, it is a different version of FileVault encryption, but as far as the user is concerned it appears to be the same thing. I'll talk about the tool support for FileVault encryption in just a little bit.

BlackBag, Sumuri RECON: these are the only two tools right now that I'm aware of, the commercial tools, that will go in there and be able to image these devices without having to turn off SIP. I don't know what magic they're doing, but they somehow have access to do that. So if you're doing a lot of these, you might want to, you know, invest some money into some of these tools so you don't have to go in there and turn off SIP. So if you're doing it free, if you don't have a whole lot of, you know, money at your disposal, you kind of have to hack it together to get that acquisition.

Now generally speaking, which drive do I want to acquire? That is always an issue. I'm going to show a couple of examples later on, but the physical disk, so /dev/disk0 for the most part, you would want to acquire this one, because most tools are going to be able to read that, assuming that the tools will parse APFS. Some do, some don't. Now if you're looking at multiple drives in a system, maybe it's like a, you know, I got a bunch of drives, APFS can use multiple physical volumes to store their data on. You might want to do more of that, more or less the logical container that it presents to you as. So I'll go over some examples of that in just a bit. So every acquisition is going to be a little bit different.

Now as far as BlackBag goes, I do have a screenshot up here. The newest version of BlackBag, this is 2018 R1, and R1.1 does support APFS, which is really nice. I've been playing around with it, it looks pretty good. Certainly there are some bugs with it, but you know what, new file system, if I already have support right now I'm not going to complain too much. So just as an example of what you might see here with my acquisition. If you're able to purchase this utility, I highly recommend it, it's a great tool. It basically acquires any Mac that you have in the office.

So the SIP issues. So if you don't know if SIP is turned on or not, you can do csrutil status. So I could kind of show you an example of that one in there, you can see if it's enabled or disabled. If you attempt to try to acquire a /dev device, these are some of the errors that you're going to run into, this is because of SIP. So in the example in the screenshot, the big one to the left there, I'm doing just straight up dd, input file /dev/disk0, and just throwing it to a temp directory, just for the sake of an example. So I try to do that, years ago you could do this just fine, but Apple's been locking these things down, and I'm going to get an "Operation not permitted". All right, so I go ahead and try something else, let me do sudo and the same command, you know, so I sudo bang-bang, nope, still locked down, "Operation not permitted". Okay, so I go in and maybe do the logical device, the /dev/disk1, again not permitted. And maybe I'll try the slice, not permitted. Apple says nope, you're not going to get access to that at all. So this is why you do need to turn off SIP so you can get access to that. The other screenshot that I have there is being booted into recovery mode, and I turned off SIP, System Integrity Protection, and I can just go ahead and turn that back on when I'm done creating my image.

So I'm going to go over a couple of
utilities that you can use to kind of take a look at what is on your system. This assumes that you're already logged into the system or you have a mounted image. So diskutil list is going to show you which drives and which devices you have mounted, or are available to mount, on your system. So by default, on most Mac systems, the physical disk is going to be on /dev/disk0. This is going to be one of those things that's straight out of the box. And then you have that internal, or excuse me, that synthesized disk, so that's the logical version of the APFS partition. So I'm going to go through this in a little bit more detail in the demo, but just kind of getting a good feel for what you're going to be seeing here. This is a default version of APFS, straight up, nothing fancy, no multiple hard drives, it literally is just the laptop sitting in front of me here. So we're already looking for two disk devices in here. It also uses GPT, so Apple has been using GPT for a very long time now. If you want to see the partition table, if you're used to looking at your own on HFS Plus, it might look a little bit different. So we don't have that recovery drive anymore, and the GPT GUID, the volume type GUID, is that other one, that 7C34. So just be aware of those, I've listed them in there. The first one is the EFI partition, that's pretty standard, you see that on HFS as well as APFS, so you're really looking at that second one.

So now we also have diskutil apfs list. So we had Core Storage before, now we're doing APFS. So I'll go into this more in the demo, but APFS uses containerization. So I have this drive and I can split it up in a few different ways, and that's called the APFS container. Now the container disk is actually holding the different drives. Potentially I could have multiple physical hard drives, maybe a couple flash hard drives in there, all pulled together as a single APFS volume, so I'll show you some examples of that. As far as the volumes go, there are some default ones for OS-based versions of APFS, and that's where you're going to see like the Preboot, the Recovery, and the VM. So they each have their own separate volume underneath the APFS container. So the cool thing about APFS is that it'll do pooled storage, and also, they call it space sharing. So if I have multiple volumes on there, I'm not pre-allocating. I could potentially pre-allocate, but by default I'm not pre-allocating partitions. So if I set up a volume, I want five gigs associated with that, I can actually grow and increase that or shrink it whenever I want. On other operating systems that is not possible. So I can have multiple partitions going on here, different volumes, I can remove them, I can shrink them, I can do whatever I want with them, so it's very, very flexible from a file system volume standpoint.

So I have an example of one here. I have split up this APFS container into three different volumes. I'm super creative, I called it Vol 1, Vol 2, Vol 3. Threw some files in there just to kind of make it a little bit different, and I use df to show you that it's, you know, only storing a certain amount of data on there. If I do have a pointer on here... I do, great. So I have the used here, so 140 megs, 24 megs, and 9.7 megs. df is only going to show you how much space you're actually using, but it has really no knowledge of all that other empty space. So you see the size on the other side here, it says, you know, 7.2, 7.2, 7.2. So this is on a thumb drive, it's an eight gig thumb drive, so it has all that storage available to it. If I decide to throw a lot more stuff into Vol 2, it's going to grow in size. As soon as I remove that stuff from Vol 2, it will shrink in size. So it is extremely flexible when it comes down to that.

Now space sharing, this is kind of the APFS container in kind of a visual format. My APFS Vol 1, 2 and 3, they will store their information kind of in their own little area of the drive, that free space. If I move and change these different volumes, I can add and do whatever I want with them. So as far as diskutil list goes, I get my pointer over here, there we go, so I have three APFS volumes in here. It's going to show me the space for each one of those, even though the physical space of the drive is that 7.7 gigs. So I do have that synthesized APFS container in here. Now /dev/disk2 is the physical device, perhaps the one that I would want to image, because that's storing the APFS container in here. Now if I do the diskutil apfs list on /dev/disk3 in this case, I can see the different APFS names, where it's mounted at, so APFS Vol 1, 2 and 3, as well as how much capacity that they're using. I'm also able to see if it's FileVault encrypted or not, and you can encrypt on a per-volume basis, so that's also kind of different with APFS.

Now as far as tool support goes, this is the part that sucks. Tools will take some time to, you know, get up to speed and to start supporting APFS volumes. So I've kind of gone through some of what I think are the
most important, or the biggest players in the forensic suite game, and some do and some don't. Some have not gotten back to me whether they're going to support it or not, so some may never support it. So AccessData FTK, always a popular option, there is no support for that as of right now. BlackLight and Sumuri RECON are the two commercial forensic suites right now that do support APFS, so reading, parsing, and doing all that good forensic stuff with it. I also have on there macOS 10.13. I'm going to show you how to mount these things a little bit later on. You can use the Mac operating system and it will work just fine, so you don't have to spend a lot of money for these forensic suites, I mean it's free with purchase of a Mac, I guess you can say. So let's see what else. Axiom, Nuix, and EnCase, nope, no support there yet. SANS SIFT, a lot of folks like to use that one, again we get access via image mounting, kind of like we do on the Mac system, but this one of course is free and it's Linux-based, so it's widely available to most folks. Sleuthkit, I love Sleuthkit, but currently there is no APFS support for that. I hope to see that in the future, Joe is presenting on it at DFRWS in July, so I hope that's going to happen in the future. And then finally X-Ways is kind of a strange one. I love X-Ways, I use it for all my Android stuff. It will recognize APFS, it will basically, oops, it will basically say yep, that there is APFS, and that is it. Okay, well, that's better than just a random drive that says I don't know what this is, unallocated, whatever. So you know, it's the first step, so I'll give it a little bit of credit there. But there are options out there, there's free options and then there's pay-for options, depending on what kind of platform you're running on as well.

Just a little screenshot about BlackBag. I like BlackLight a lot, I use it quite a bit for all my Mac stuff. It opens up, you know, your E01 images, if you've used the Expert Witness Format, it reads it just fine. There's FileVault support, so you're pretty much good to go on that, you just gotta spend, what is it, like 2500 or something now to get that particular utility.

So a little bit about mounting. I'm actually going to go through here and do this as a demo, I think I have time for that. Excuse me. So you want to mount these things. I like mounting these things because I use a lot of the built-in utilities on the Mac operating system to do a lot of my forensics. So in my normal day-to-day work I actually have a mounted image as well as the image loaded into BlackLight, and I'll use whichever one works best for whatever I'm looking at. Sometimes just using, you know, xattr on the command line to look at all my extended attributes is so much easier on a mounted image than actually going into BlackLight and going through and clicking. And there's different reasons to use different ways, so I end up mounting these things quite often. So let me just get down to the command line here, if it'll work.
All right, hopefully folks in back can see that. Okay, cool. It's like really big, but we'll see how this works out. So I have my image... not that image.

There we go. So I got my Galaga image here. These are the new files that I'm using for my class. So first thing I'm going to do, I'm just going to show you what's already on my system. So I have diskutil list, and I apologize, I'm actually gonna make that a tad smaller just so it doesn't look like complete crap. There we go. So my internal drive is /dev/disk0, it says internal, that's useful. My synthesized, my logical APFS container for the laptop that's sitting in front of me here is /dev/disk1. I always call my systems whatever operating system that they're currently on, so I got High Sierra here, but you can see it has the Apple APFS partition label on there, and the physical store is disk0s2, which points to this one up here. So it's basically saying I am the logical version of this physical drive. I get Preboot, you get your Recovery, and you get your virtual memory in there as well. So this is the standard APFS, what it looks like on just pretty much any Mac system that doesn't have a lot of specialty stuff associated. I also have another hard drive, just a little Western Digital hard drive sitting up here as well, so that's been mounted, or available, on /dev/disk2. It is external but it is a physical drive, and it's running Core Storage. So Core Storage is one of those things that Apple has implemented to do a lot of the capabilities that were not built into the operating system or the file system, the HFS file system, so it's kind of like a band-aid. So if you're used to seeing Core Storage, a lot of that stuff has now been implemented into APFS. So I just kind of want to throw out the different examples in there. So my Core Storage volume is mounted on /dev/disk3, it's external and virtual. So Core Storage uses the virtual term here, APFS uses synthesized for that logical version of that drive. And this one is nice, it says unlocked and encrypted, so it is a FileVaulted Core Storage volume for my Western Digital drive. So if you were doing Core Storage, you might have used this command, so cs, or you can type in the whole thing, coreStorage, to list out the different pieces of that logical volume for that Core Storage volume. So I got my Western, just a Red Passport drive up here, it's four terabytes, it only has one physical volume. It shows me that it is using encryption, it's fully secure, I always like that one, unlocked, but it is running HFS. So Core Storage and HFS kind of go hand in hand.

I can run a very similar command. This one might take a little bit of time, for some reason it does take a few seconds to run, but now this is showing me the APFS container. Oops. So it's got one found. This is on my current system right now. It shows me the size of the volume, so I have a, it's a one terabyte drive, my internal SSD. It shows me the physical disk image in there, it's on disk0s2, and then it shows me the different volumes. So I have one, two, three, four different volumes. So my data, the user's data, the operating system data, is on the one that has no specific role. Why they couldn't come up with a role for that, I don't know, but that's the one that you're going to be looking at from a forensic standpoint. It's mounted on /, so the root of the volume, and it is unlocked, so it is using FileVault and it is currently unlocked because I'm currently booted into the system. The other ones you might see in here is Preboot information, so when you boot up and need some information to do that booting up. It's not FileVaulted and it's very small, it's 27 megs in size. You get a Recovery partition, also not FileVaulted, and then finally you get /private/var/vm, so that virtual memory space, also not FileVaulted. So that is pretty much the default version of a macOS system.

So to mount this thing, I'm going to create a couple of mount points in here, and I can't type and speak at the same time, so I apologize if I'm quiet for a little bit.
So it did ask for my password there. Whenever you're interacting with /Volumes now, as of the last few versions, it's locking that down, you're going to need, you know, privileged access to do this kind of stuff. But this is on your analysis system, you probably will have, you know, the password for that, I should hope so. Create a couple of mount points in here. So I'm using one to change the image, because I created this image and it's in Expert Witness Format versus straight up raw dd, so I'm going to just kind of convert it quickly, and then I'm going to mount it on galaga mount. So I'm using the tool xmount here to do this. It's free, it's available for a lot of different platforms, which makes it very accessible. Using --in, saying this is the type of image that I'm currently working with, and that's EWF, Expert Witness Format. I'm just going to drag and drop, oops, versus typing it all in. So I'm saying my image is in Expert Witness Format, I'll use --out to say I want it into a DMG, so DMG, very Mac friendly, and I'm going to get that access on galaga image. All right, so if I do take a look at what we have there, I have galaga.dmg and galaga.info, so a little bit of metadata information, but the DMG is what I'm going to be using. So it does a really quick conversion from E01 format to that DMG format, so pretty easy to do that. Now sorry, I can't type and talk at the same time.

All right, so I'm using hdiutil here. This is a native utility in the Mac to basically say attach it, make it available to mount it, but don't actually mount it, because I'm passing that -nomount, because I'm going to mount it in a forensically useful way in the next command line. So this is going to do its thing, it might take a few minutes, seconds really, not really minutes. So now I have available everything on /dev/disk4, s1, s2, so that's the raw image if you will, and we have /dev/disk5, and these are all the different APFS volumes on there. Now I don't know which one, I can tell you which one I know it is, but I have to run another command to actually figure out which one I want to get access to. So this is where diskutil apfs list comes into play. So it says two found. Now if you remember before I had one found, now that I have this other mounted image available, it's going to find two APFS containers.

All right, so disk0, excuse me, disk1, this is my internal system, this is not the one that I'm looking for. disk5 however is my mounted system, so the one that I wanna take a look at, disk4s2 in here. Let's see, so I have APFS volume role: no specific role, the volume name is called Galaga. This is this particular user's Macintosh HD, if you will. And then Preboot, Recovery, and VM. The one that I want to look at, the one that has the user data, is this Galaga, this one, /dev/disk5s1. So I'm going to use that in my next command. So I'm using mount_apfs here. If you did this before, there's a mount_hfs, very similar in structure, using a few options. Everybody's got their favorite mounting options. I'm using read-only, no owners, and no exec, so don't execute anything. If you're doing a lot of compromised malware type of stuff, probably a good one to put in there. And no owners, it'll remove some of the ownership issues so you can actually get access to some of these files. Again, everybody's got their favorites. So /dev/disk5s1, and I want to put it up on galaga mount.
all right let's take a look at what we have there so we have a mounted um mac operating system uh you see that the hidden directories up there you get file events d the spotlight database stuff users volumes all sorts of good stuff so now i can access this and do whatever forensic stuff that i want to do that if i need to scan it with something if i need to run a script on something i now have that available should be good to go so that is that is that any questions with that yeah i i say that again oh uh so i created the expert witness format with um ftk um command line imager um so ftk i give
it a lot of crap but their command line imager for mac and and stuff is actually pretty good so i have a nice compressed e01 file format from one of my images so ftk imager
I actually do a lot of analysis using Spotlight, so I do want it to go and kind of go do something. I use the Spotlight utilities to actually query the Spotlight database that's already been indexed. Why use somebody else's indexing when Apple's already done that for me? So I've got the video there, don't need that.

So a few other things: Windows and Linux mounting options. It's not just for Macs; you could do it in Windows. You've got the Paragon Software drivers, some are free, some are not. There's the open source one for Linux systems, that's apfs-fuse. I do have another demo video for that; I don't think I will have time to show it to you, but maybe at the end. But tutorials that are out there: I list a couple of different tutorials from Mari DeGrazia. She's written up some really great walkthroughs on how to mount APFS images on Windows as well as the SANS SIFT. It makes it pretty easy. I can't complain there. I mean, I do everything on a Mac, but I know not everybody in the forensics world does everything on a Mac; I know I'm the weird one in that case. So don't have time for that one just yet, I may go back to it.

I do want to talk a little bit about some of the features from a forensic standpoint for APFS. So we have a thing called clones. This is where it's basically creating instant copies of data. So you copy this one: I have a copy of WhatsApp up in the screenshot up there. Just because I'm copying the 72.1 meg file, it doesn't mean it's going to take a long time; it's pretty much instant. But it's also not taking up double the space, because I have that cloned, so it's sharing the same data blocks on the file system. So make changes to whatsapp.dmg, and only those changes will be stored on there. So it is a space saving feature. A couple of examples up there, if I get my cursor to work... oops, why does it disappear so much? So I've got a couple of the inodes here, so 201 and 192. So two files, two different inodes, but the file sizes are the same. The metadata does change, so you will get different metadata, but the content of those files will stay the same until one of them has changed, and only the deltas for that will be stored in separate blocks on the file system. So in the other screenshot, I say that it has 140 megs used, two different inodes, but the space is the same. So you see that extra space because I made that copy? This is a before and after I made that copy: it's still only using 140 megs on that particular volume. So I could copy that whatsapp.dmg a hundred different times and it's not going to use any more space.

We also have this concept of snapshots. So I think these are going to be really forensically interesting in the future. Currently, right now, they're really only being used with Time Machine kind of stuff, so a lot of the support that you might have seen in 10.12 was not put into the 10.13 features. So there's a few different utilities that we can use to create snapshots, to review snapshots; you can mount snapshots. These are snapshots in time of whatever was on that file system,
and they are created pretty much instantaneously, you know, maybe one second or things like that. So from a forensic standpoint that could be pretty useful, because I could see what a previous version of that file system looked like, compare it to the next one, compare it to the one that I'm currently standing in front of. I really don't know how to do that from a forensic standpoint yet, but I can assure you that I'm doing a lot of research to see how can we use these things, how can I mount them to do what I need to do.

So as far as Apple's documentation goes: frozen at the moment of time of its creation, and it's very quick. I can see this being very useful. An APFS volume can have zero or more associated snapshots, so they do get created whenever you do a system update; it gets created if you have Time Machine on, getting created maybe once an hour, however that is set by default. It does also say APFS snapshots are neither listed nor discoverable when their volume is not mounted, meaning it's being stored in this magical area that Apple's not going to tell you where they're being stored. So truly have no idea how to pull these things off of a dead file system just yet. Again, more research is needed at that point. But they do say that APFS snapshots are mountable, if you can find them, and it provides a read-only historic version of that file system. So I really do think this is going to be an interesting area to be used in a forensic format to get access to some of these.

This is on a live system. I can use a couple of different utilities to see what snapshots I have available: I can use diskutil apfs listSnapshots or tmutil listlocalsnapshots. So tmutil is the Time Machine utility. Pretty much the same output in slightly different ways. I do like that it has the listSnaps; it seems very millennial to me. So diskutil apfs listSnaps, if I'm too lazy to write out listSnapshots, you know, so you do have that option there as well. Same thing, nice little shortcut.

So on the live system I can mount these as well. So this is on my local system, a laptop sitting in front of me. I have a snapshot, I do have Time Machine running so I have a bunch of these things. I can mount them pretty easily with the mount_apfs command that I show you up there, very similar to what I showed you before, and I can actually browse that and see the different changes in there. So this is on a live system; it does have some capabilities, but it'll be really interesting to see where this comes into play from a dead image perspective. But again, still kind of working on that research.

A little bit more about encryption. Encryption, again, it is called FileVault 2, but it's not the same FileVault 2. So under the hood it's quite a bit different; it's more of like a file-system-level encryption versus the full disk block-level encryption that older FileVault 2 was. So this might come into play when you're using your forensic suites; it might ask you for recovery key information, password information, and how they do the decryption of that. Hopefully, from a forensic standpoint, you're not having to do a lot of that and your tool is actually doing it, but just be aware
that it's not quite the same thing. BlackBag put up a nice blog article kind of going into the details of that if you are interested.

APFS is in its infancy. 10.13 is a dumpster fire, if you will, in so many ways. I don't know how many different bugs, their password bugs, have been out there. I ran into one. I do not bug hunt, but I just ran into one putting some new stuff together for my course. You create APFS images using Disk Utility, you reformat your external drives or your thumb drives into APFS containers, and it will just go ahead and nicely put the password in plain text in not just one log file, in multiple log files. They have fixed this in 10.14, excuse me, 10.13.4. But yeah, that wasn't... oh, it's such a dumpster fire. But if you are looking for passwords, and I like passwords from a forensic standpoint because that saves me a lot of work brute forcing things, so just go ahead and take a look at the unified logs as well as the install log and see if you can take those out for some of those external drives that you're wondering how do I get into this thing. So I have a few blog articles on that one. Always good stuff.

A few other features: crash protection, no journaling. There is no journal in APFS; that's kind of different from a file system point of view, but we still have the file system event store database, and if you talk to me, I freaking love that database. It stores so much great forensic information; I mean, it's way better than the journal, so fortunately that is still saved in APFS. Atomic safe-save: either the file changed or it did not, so you're not going to have that partial thing going on there. And sparse files, so very similar to shared space, it's only going to allocate what it needs at that particular time, so it's not going to just allocate four gigs when you don't need
four gigs for a particular file. So it should help on space saving.

So the future of APFS forensics. So TN1150, the infamous TN1150. This is the bible of the HFS/HFS Plus file system spec. HFS first came out in 98; this was published in 99. I'm waiting for the APFS version of this. I don't have a whole lot of hope: now, this one was only last updated in 2004, so what, 14 years ago. There's all these areas that are reserved for future use in this spec. Guess what's being used in current HFS Plus implementations? All that crap, but they do not go and document it. So this is one of the things I really hate with Apple: they are really kind of crap on a lot of their documentation, including stuff that they've been using for two decades. You know, so I give them a lot of crap for that. As far as the same file system spec for APFS, Apple says on their file system guide they plan to document and publish the APFS volume format, but they have yet to do so. This is where forensics can be really difficult. So most of the forensic implementations of this, thank you, most of the forensic implementations of this have been done by reverse engineering the file system. Reverse engineering file systems is not an easy thing. If I give you a few different links down there, read some of these papers, look at the structures; this is not a simple file system to parse. And one of the problems is that I think Apple keeps updating and changing it, which is probably why they haven't documented it to begin with. So just be aware, if your tools don't work right or they have a few bugs, it's because they just haven't published documentation yet, so cut them a little bit of slack. Reverse engineering file systems, not the easiest thing to do.

A few other links. I know you probably can't see them, but when I publish the slides, hopefully you'll be able to click through those different blog articles associated with it: how to mount these things, the different drivers needed for Windows and Linux, all sorts of good stuff in there, including some of the Apple documentation, which again, lacking and kind of crap.

So that's it for me. You can find the presentation on my website, it's macforensics.com, soonish. I am presenting this at BSides NOLA, so I'm going to wait to publish until a couple weeks from now, but if you need a copy of the presentation like today, that's fine, you can hit me up on Twitter, I'm on Twitter way too much, or you can, you know, email me and I will send you the presentation. I can also send you the demo videos as well. So if you like Mac stuff, you want to take a class, you know, come find me. I bounce between a lot of different places. New APFS stuff should be introduced in the Austin class, but possibly also the Vegas class, kind of iffy right now; I've got a lot of work to do to push that out. So at this point, any questions? Crickets. Yes?

From reading the paper... so the question was, how much does APFS take from HFS? From a file system review, it looks like they do take quite a bit, so there's still B-trees, a lot of the same structures still look like they exist. This is from one of the papers that I put a link up out there too, but it's quite a bit more complicated than HFS, so there's a lot of other stuff going on there. It's going to take some time to kind of piecemeal that together, actually figure out what's going on.

I think the snapshots are going to be where it's at. Now granted, I've not done as much research as I'd like, because it's not an easy thing to do, but I think that's going to be my favorite thing of that new file system from a forensic standpoint. I have no idea; I stick to my Mac file systems. I don't have time; I don't even remember how to do NTFS anymore, to be honest with you. I stay away from Windows stuff as much as I possibly can. All right, well, if you have any questions, hit me up later, but I think it's time for me to get off the stage and everybody gets to go to lunch.
[Applause]
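The mounting procedure the speaker demonstrates (run diskutil apfs list, find the container that belongs to the attached image rather than the examiner's own boot disk, pick the volume with "No specific role" because Preboot, Recovery and VM are system volumes, then mount_apfs it read-only with no owners and no exec) is the kind of thing an examiner ends up scripting. The following is an added example written for this page, not code from the talk or from Apple: it parses saved diskutil apfs list text, skips the container with a volume mounted at /, selects the candidate data volumes and flags FileVault volumes that will need a password or recovery key (the talk's encryption caveat), and prints the mount line. The sample output is constructed to approximate the 10.13 layout: the field labels follow the real command, but the UUIDs are omitted and the volume names match the talk's demo. The rdonly,noowners,noexec option spelling is an assumption matching what the talk describes in words; check mount_apfs on your own version before relying on it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample approximating `diskutil apfs list` on 10.13 with one
# internal container (disk1) and one attached image (disk5). UUIDs omitted.
SAMPLE = """\
APFS Containers (2 found)
|
+-- Container disk1
    ====================================================
    APFS Container Reference:     disk1
    |
    +-< Physical Store disk0s2
    |   APFS Physical Store Disk:   disk0s2
    |
    +-> Volume disk1s1
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s2
        APFS Volume Disk (Role):   disk1s2 (Preboot)
        Name:                      Preboot (Case-insensitive)
        Mount Point:               Not Mounted
        FileVault:                 No
+-- Container disk5
    ====================================================
    APFS Container Reference:     disk5
    |
    +-< Physical Store disk4s2
    |   APFS Physical Store Disk:   disk4s2
    |
    +-> Volume disk5s1
    |   APFS Volume Disk (Role):   disk5s1 (No specific role)
    |   Name:                      galaga (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk5s2
        APFS Volume Disk (Role):   disk5s2 (Recovery)
        Name:                      Recovery (Case-insensitive)
        Mount Point:               Not Mounted
        FileVault:                 No
"""

@dataclass
class Volume:
    disk: str                 # e.g. disk5s1
    role: str                 # "No specific role", "Preboot", "Recovery", "VM"
    name: str = ""
    mount_point: str = ""
    filevault: str = ""

@dataclass
class Container:
    ref: str                                       # e.g. disk5
    stores: list = field(default_factory=list)     # physical store disks
    volumes: list = field(default_factory=list)

CONTAINER_RE = re.compile(r"^\+-- Container (disk\d+)")
STORE_RE = re.compile(r"APFS Physical Store Disk:\s+(disk\d+s\d+)")
VOLUME_RE = re.compile(r"APFS Volume Disk \(Role\):\s+(disk\d+s\d+) \((.+)\)")
FIELD_RE = re.compile(r"^\|?\s*(Name|Mount Point|FileVault):\s+(.*)$")

def parse_apfs_list(text):
    """Parse diskutil apfs list text into Container objects with their volumes."""
    containers, cur, vol = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CONTAINER_RE.match(line):
            cur = Container(ref=m.group(1))
            containers.append(cur)
            vol = None
        elif cur is None:
            continue
        elif m := STORE_RE.search(line):
            cur.stores.append(m.group(1))
        elif m := VOLUME_RE.search(line):
            vol = Volume(disk=m.group(1), role=m.group(2))
            cur.volumes.append(vol)
        elif vol is not None and (m := FIELD_RE.match(line)):
            key, value = m.groups()
            if key == "Name":   # drop the "(Case-insensitive)" suffix
                vol.name = re.sub(r"\s*\(Case-(?:in)?sensitive\)$", "", value)
            elif key == "Mount Point":
                vol.mount_point = value
            else:
                vol.filevault = value
    return containers

def is_examiner_boot(container):
    """The analysis machine's own container is the one with a volume mounted at '/'."""
    return any(v.mount_point == "/" for v in container.volumes)

def candidate_data_volumes(containers):
    """(container ref, Volume) for user-data volumes outside the examiner's boot container."""
    return [(c.ref, v) for c in containers if not is_examiner_boot(c)
            for v in c.volumes if v.role == "No specific role"]

def needs_unlock(vol):
    """FileVault-on-APFS volumes will ask for a password or recovery key first."""
    return vol.filevault.startswith("Yes")

def mount_command(vol, mount_point):
    """Read-only / no owners / no exec mount line (option spelling assumed)."""
    return f"mount_apfs -o rdonly,noowners,noexec /dev/{vol.disk} {mount_point}"

if __name__ == "__main__":
    for ref, vol in candidate_data_volumes(parse_apfs_list(SAMPLE)):
        note = "   # FileVault: unlock first" if needs_unlock(vol) else ""
        print(f"{ref}: {vol.name}: {mount_command(vol, '/Volumes/' + vol.name + '_mount')}{note}")
```

Run it against the real command's output with parse_apfs_list(subprocess.check_output(["diskutil", "apfs", "list"], text=True)) on the analysis Mac; reviewing the printed mount line before executing it is the point, since the script deliberately never mounts anything itself.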