Apple File System in Mac Forensic Imaging and Analysis
This blog was updated on 4/10/18.
Apple launched macOS High Sierra in Fall 2017 and with it brought a new challenge: the new Apple File System (APFS). APFS makes accessing, combining and exploring files and folders much faster. It also dramatically improves the operating system in terms of responsiveness and broader performance.
APFS does, however, present new challenges to forensic imaging and analysis. BlackBag is committed to providing the best forensic solutions for our customers and has made APFS one of our top priorities. Since the initial release of this blog, new versions of both MacQuisition and BlackLight have been released, each with full APFS support. Visit this post for the end-to-end APFS solution.
Some customers requested we continue to post this blog as a reference for mounting APFS images on macOS. For more complete information on APFS, BlackBag has added the latest research and discoveries in our Essential Forensics Techniques (EFT) Courses here. We encourage examiners to attend at least one of these courses for hands-on experience to better understand APFS.
How to mount a physical image of macOS 10.13 High Sierra on a Mac
In some cases, an examiner may want to mount an APFS image to view or copy the data.
First, it is good to know how to create a mountable APFS image. Apple increased the system security in High Sierra, preventing the ability to create an image of the physical disk or APFS container while the Mac is running live – unless SIP (System Integrity Protection) is disabled. Therefore, it is necessary to boot to MacQuisition and not attempt to run it live as an application.
While booted to MacQuisition, the physical disk of the source Mac is generally displayed as disk0 and the APFS container is generally displayed as disk1. MacQuisition versions 2017 R1 and newer will display the physical disk and the APFS container in the ‘Image Device’ view.
NOTE: If a mountable image is desired, one must acquire the physical disk since the APFS synthesized container cannot be mounted on macOS. We recommend creating a DMG image of the physical disk for the easiest method of mounting the image on macOS. (E01 files can also be created and mounted using BlackBag’s EWMounter tool, included with BlackLight.*)
Now that you know which disk to acquire, it is also important to make note of the source Mac’s 4-digit EMC number (usually etched on the bottom of the Mac) or its model identifier. This number will identify the year the Mac was released by Apple. Mac models that have physical disks with 512-byte sector size (all 2014 and earlier models, or the 2015 MacBook Pro and 2015 iMacs) can be mounted using a Mac with 10.12.6 or later.
Mac models having physical disks with 4,096-byte sector size were unmountable on Mac OS X. But, our Chief Scientist has found a solution. If the image is from a Mac that has a physical disk with 4,096-byte sector size (2015 MacBook, 2015 MacBook Air, all 2016 and 2017 Mac laptops, and 2017 iMacs with SSD) a terminal command can be used to mount the disk image. This command is only supported on macOS 10.13.
The command below will mount a disk image (DMG only) with 4k block size as read only on High Sierra:
hdiutil attach </PATH/TO/.dmg> -blocksize 4096 -readonly
It may be necessary to mount the image with the ‘nomount’ option, which can be done with this command:
hdiutil attach </PATH/TO/.dmg> -blocksize 4096 -readonly -nomount
If the source Mac was not shut down “cleanly” by the operating system before imaging, then macOS is not able to perform a standard mount of the image. It will be necessary to shadow mount the image, which can be done with this command:
hdiutil attach -nomount -shadow <PATH/TO/SHADOW_FILE> <PATH/TO/.dmg> -noautofsck
Once the image is properly mounted, the files may be viewed, copied or exported using Finder or Terminal.
Note: If you have a RAW segmented image, you can use BlackBag’s free DMG Rename tool to convert segments from *.00001 to .dmg.
*For E01 images, EWMounter version 1.9, included with BlackLight version 2017R1.1 and newer, can mount APFS E01 images. EWMounter 1.9 supports mounting 512 and 4k block size images along with shadow mounting “unclean” images on High Sierra (10.13).
forensics research and development, and corporate investigations, our team understands forensics. Digital Forensics is more challenging than ever before due to advancements in technology. The BlackBag Team exists to find solutions for these challenges, thereby empowering our customers to seek, reveal, and preserve the truth.Meet some of our experts at https://www.blackbagtech.com/company/our-team/