Apple File System in Mac Forensic Imaging and Analysis

This blog was updated on 10/10/17.

With Apple launching macOS High Sierra, the biggest change is unarguably the new Apple File System (APFS). As the foundation on which High Sierra is delivered, APFS makes accessing, copying and exploring files and folders much faster, and it noticeably improves the operating system's responsiveness and overall performance.

APFS does, however, present challenges for Mac forensic imaging and analysis. Others might be talking about workable out-of-the-box solutions, but the truth is it is too soon. Because Apple does not release file system documentation before a launch, not enough time has passed since High Sierra's release for a fully developed, tested and trusted Mac forensic imaging solution to exist. Here at BlackBag Technologies we have been reverse engineering APFS and are working on High Sierra support for both MacQuisition and BlackLight; it is currently one of our top priorities.

What is Apple File System (APFS)?

APFS replaces Apple's now-ageing Hierarchical File System Plus (HFS+), which dates from 1998 and was itself an improved version of HFS, released in 1985!

Apple has aimed the new file system at almost all of its devices, from Apple TV and Apple Watch to iOS and desktop macOS. This means there will be sweeping changes across the board, including:

  • APFS is a new, advanced storage architecture providing an extensible foundation to support new features and future storage technologies on the Mac.
  • APFS brings support for the latest high-capacity storage devices and delivers enhanced performance, security and reliability.
  • With APFS, common operations such as copying files and directories are nearly instantaneous.
  • Data is protected from power outages and system crashes thanks to advanced data integrity features.
  • APFS currently supports every Mac with all‑flash internal storage — support for Fusion and HDD Mac systems will be available in a future update.

Mac imaging workarounds for MacQuisition 2017 R1 and macOS 10.13 High Sierra

To assist examiners at this time, BlackBag’s developers have created some workarounds for imaging when using MacQuisition 2017 R1 on a Mac computer running macOS 10.13 High Sierra. Download a copy of this ‘how-to guide’ here.

Stay tuned for the upcoming BlackLight 2017 R1 release; one of its new features will support ingesting sparse images on Windows.

How to examine a physical image of macOS 10.13 High Sierra

If an examiner creates a physical image of a Mac running 10.13 with APFS, which MacQuisition 2017 R1 can do, there is still an option to examine allocated space. Images from Mac models whose physical disks use a 512-byte sector size (all 2014 and earlier models, plus the 2015 MacBook Pro and 2015 iMac) can be mounted on a Mac running 10.12.6 or later.

Images from Mac models whose physical disks use a 4,096-byte sector size were unmountable on macOS, but our Chief Scientist has found a solution. If the image comes from a Mac with a 4,096-byte-sector disk (2015 MacBook, 2015 MacBook Air, and 2016 and 2017 Mac laptops), a Terminal command can be used to attach the disk image. This command is only supported on macOS 10.13.

The command below attaches a disk image (DMG only, not E01) with a 4k block size, read-only, on High Sierra. The -readonly flag matters: it keeps the evidence image from being written to when the volume is mounted.

hdiutil attach /path/to/image.dmg -blocksize 4096 -readonly

It might also be necessary to attach the image with the -nomount option. This creates the /dev/disk device nodes for the image without mounting any volume, so the examiner can first inspect the container and its partitions with diskutil list and then mount the volumes manually:

hdiutil attach /path/to/image.dmg -blocksize 4096 -readonly -nomount

Once the image is attached and its volumes are mounted, the examiner can copy the files out and import them into BlackLight. BlackBag recommends copying the files into a DMG formatted as HFS+ and created read/write, so that the examiner can lock it once the copy is complete and import it easily into BlackLight. Using a DMG also works well for Windows users because it avoids the Windows file path length limitation.

Note: If you have a RAW segmented image, the free DMG Rename tool can convert the segments by renaming *.00001 to .dmg. Support for mounting E01 (4k) images with EWMounter on 10.13 is coming.
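The decision between the two commands above turns on one question: did the image come from a 512- or a 4,096-byte-sector disk? The partition table answers it without a model lookup. The primary GPT header always occupies LBA 1, so it sits at byte 512 on a 512-byte-sector disk and at byte 4096 on a 4k disk; hdiutil assumes 512-byte blocks, which is why a 4k image attached without -blocksize 4096 never finds its partition table. The following Python script is an added example (not BlackBag's MacQuisition or BlackLight code): it locates the primary GPT header, validates its signature, revision, MyLBA and CRC32 before trusting it, compares the file size with the size the header claims (a cheap check for a truncated or single-segment image), and assembles the matching hdiutil attach line. The function names, the constructed sample image and the file paths are assumptions of this example; the script only prints the hdiutil command, it does not run it.

```python
"""Determine whether a raw Mac disk image comes from a 512- or 4,096-byte-sector
disk by locating its primary GPT header, then build the matching hdiutil
command line.  Added example; not BlackBag's MacQuisition or BlackLight code."""
import os
import struct
import sys
import zlib
from typing import List, Optional

GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_LEN = 92
CANDIDATE_SECTOR_SIZES = (512, 4096)


def _gpt_header_is_valid(sector: bytes, sector_size: int) -> bool:
    """Check the primary GPT header in one sector: signature, revision 1.0,
    header size, MyLBA == 1 and the header CRC32 (UEFI spec, GPT header table)."""
    if len(sector) < GPT_HEADER_LEN or sector[:8] != GPT_SIGNATURE:
        return False
    revision, header_size, header_crc, _reserved, my_lba = struct.unpack_from("<IIIIQ", sector, 8)
    if revision != 0x00010000 or not (GPT_HEADER_LEN <= header_size <= sector_size) or my_lba != 1:
        return False
    # The CRC32 covers header_size bytes with the CRC field itself zeroed.
    zeroed = sector[:16] + b"\x00" * 4 + sector[20:header_size]
    return zlib.crc32(zeroed) == header_crc


def detect_sector_size(image: bytes) -> Optional[int]:
    """Return 512 or 4096 depending on which byte offset holds a valid primary
    GPT header (the header is always in LBA 1), or None if neither does.
    For a segmented raw image, pass the first segment."""
    for sector_size in CANDIDATE_SECTOR_SIZES:
        sector = image[sector_size:2 * sector_size]
        if _gpt_header_is_valid(sector, sector_size):
            return sector_size
    return None


def expected_image_size(image: bytes, sector_size: int) -> int:
    """Bytes the whole disk should have, from AlternateLBA (the last sector) in the
    primary header; a smaller file means a truncated or single-segment image."""
    alternate_lba = struct.unpack_from("<Q", image, sector_size + 32)[0]
    return (alternate_lba + 1) * sector_size


def hdiutil_attach_command(path: str, sector_size: int, nomount: bool = False) -> List[str]:
    """hdiutil assumes 512-byte blocks; a 4k image needs -blocksize 4096 or the
    header at byte 4096 is never read.  -readonly protects the evidence;
    -nomount attaches the device nodes without mounting any volume."""
    cmd = ["hdiutil", "attach", path, "-readonly"]
    if sector_size == 4096:
        cmd += ["-blocksize", "4096"]
    if nomount:
        cmd.append("-nomount")
    return cmd


def build_sample_image(sector_size: int, total_sectors: int = 64) -> bytes:
    """Constructed fixture (not a real device image): zeroed LBA 0 plus a minimal
    valid primary GPT header in LBA 1, which is all detection needs."""
    header = bytearray(GPT_HEADER_LEN)
    header[:8] = GPT_SIGNATURE
    # revision, header size, CRC (0 for now), reserved, MyLBA, AlternateLBA,
    # FirstUsableLBA, LastUsableLBA
    struct.pack_into("<IIIIQQQQ", header, 8, 0x00010000, GPT_HEADER_LEN, 0, 0, 1,
                     total_sectors - 1, 34, total_sectors - 34)
    # bytes 56-71 hold the disk GUID (left zero here); then PartitionEntryLBA,
    # entry count, entry size and the partition-array CRC32
    struct.pack_into("<QIII", header, 72, 2, 128, 128, 0)
    struct.pack_into("<I", header, 16, zlib.crc32(bytes(header)))
    image = bytearray(sector_size * total_sectors)
    image[sector_size:sector_size + GPT_HEADER_LEN] = header
    return bytes(image)


if __name__ == "__main__":
    # usage: python3 gpt_sector_size.py /path/to/image.dmg  (first segment for raw splits)
    path = sys.argv[1]
    with open(path, "rb") as fh:
        head = fh.read(2 * max(CANDIDATE_SECTOR_SIZES))
    size = detect_sector_size(head)
    if size is None:
        sys.exit("no valid primary GPT header at byte 512 or 4096")
    actual, claimed = os.path.getsize(path), expected_image_size(head, size)
    print(f"sector size: {size} bytes")
    if actual < claimed:
        print(f"warning: file is {actual} bytes but the GPT describes {claimed}; segmented or truncated?")
    print(" ".join(hdiutil_attach_command(path, size, nomount=True)))
```

Because the check only reads the first 8 KiB of the file and never calls hdiutil, it runs on any platform, including a Windows or Linux analysis box, before the image is carried to a 10.13 Mac for mounting. A header that fails the CRC is reported as "no valid header" rather than guessed, which is the behaviour an examiner wants on a damaged or partially acquired image.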
