Continuing with BlackBag's leading APFS support, BlackLight 2018 R3 is now the only forensic solution to allow examiners to parse APFS Snapshots. As part of the Apple's latest filesystem, APFS was designed using Snapshots as a means for built-in backup support. Snapshots leverage the copy-on-write property of APFS to provide “instant” backups of the entire state of an APFS volume. Snapshots can be mounted as read-only volumes that are exact copies of the file system state at the time they were taken.
Processing APFS Snapshots
To examine snapshots, simply choose the “Parse Snapshots / Volume Shadow Copies” option from the advanced processing options.
When selecting the ellipsis next to the 'Parse Snapshots / Volume Shadow Copies' option, a new window will appear showing you any Snapshots that exist. Select the ones to be processed and click 'OK', those Snapshots will then be added to the case where they can be viewed, searched and filtered on.
APFS Snapshots are automatically enabled if Time Machine is enabled, even if no backup disk is connected. Snapshots are created approximately every hour, before each Time Machine backup, and before certain system updates. The Snapshot lifetimes depend on a number of factors but generally stick around for about 24 hours. Older snapshots may be deleted if the disk is low on space. We have found that devices with unsuccessful Time Machine backups tend to retain snapshots the longest.
Examining APFS Snapshots
Once processed, the APFS Snapshots are displayed in the Evidence tree under the APFS volume it is associated with. Each Snapshot is numbered and labeled with the volume name, for example, VolumeName (Snap 1). Examiners can choose to view multiple volumes and snapshots together using the checkboxes in the Evidence tree. Examiners can also filter on snapshot difference on the File Filter tab. Finally, when viewing a file, the file history view will show if the file has changes in a previous snapshot.
Keep Up with all of Apple's Changes
Apple's latest file system and updated hardware have changed how examiners, image, carve and handle encryption on devices. For more articles covering how to deal with APFS and Apple's latest updates see the following resources:
- A quick how-to post on how to image and ingest APFS devices
- How APFS encryption impacts examinations
- How to image devices with Apple's latest T2 chip hardware update
Want More information on APFS Snapshots?
ASK THE EXPERT: THE IMPORTANCE OF APFS SNAPSHOTS IN INVESTIGATIONS
Our webinar on APFS Snapshots is now available to view on demand. In this webinar, Dr. Joe T. Sylve, Director of Research and Development at BlackBag, shows you how to go back in time to review what happened on an APFS volume. Dr. Sylve discusses details of the snapshot functionality built into APFS, why snapshots will be useful in your investigations and how you will be able to take advantage of snapshots in BlackLight.
If your tool of choice is not parsing APFS snapshots, then you may be missing data.