
End-to-End Solution for APFS now Available

BlackLight 2018 R1, when combined with MacQuisition 2018 R1, is the world’s first and only complete end-to-end acquisition, decryption, and analysis solution for the latest Apple File System (APFS).
Demand for a reliable acquisition and analysis solution is growing daily as more and more APFS formatted devices are being brought to examiners. BlackBag Technologies, with over 14 years of experience supporting Apple forensics, once again proves to be the leader in providing forensic examiners with a truly complete solution to investigate Apple devices.
Since the release of BlackLight 2018 R1 in February, we have added enhancements based on customer feedback and have continued to improve our Apple File System (APFS) support. Decryption capabilities have been improved for APFS devices where multiple user encryption profiles are present.

To get examiners started, the steps below outline tips and tricks for acquiring and processing APFS evidence with the powerful combination of MacQuisition and BlackLight.


When examiners encounter systems using APFS, the system will present an APFS container, inside of which several volumes may be present. Because APFS volumes within a container are not traditional macOS volumes, they cannot be individually imaged. When imaging the APFS container or the parent physical disk, the resulting image will contain the volume(s) in their current state, including encryption if present.  MacQuisition 2018 R1 supports imaging both the logical files from unencrypted volumes as well as the encrypted physical disk.  We will highlight both methods below before showing how to bring either image type into BlackLight 2018 R1.

Begin by opening MacQuisition 2018 R1 and select Image Device.

MacQuisition displaying Memory, 1 disk with 1 APFS container with stock volumes (Macintosh HD, VM, Preboot, Recovery)

Let’s review the three relevant disks in the above figure:

  1. disk0 – the physical disk; the red text indicates that it contains an APFS container.
  2. disk1 – the synthesized APFS container housed on disk0. macOS presents this synthesized device as a separate virtual disk entry, but the Mac has only one physical disk.
  3. disk1s1 (Macintosh HD) – note the red text indicating that it is encrypted. Even though macOS displays it as a /dev/disk device, it is not a real block device and thus cannot be imaged on its own.

At this point an examiner can choose to acquire disk0 in its encrypted state, or unlock the volume and collect logical files.
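As an added illustration of the disk layout just described (not part of the original post, and not MacQuisition or BlackLight code), the Python script below parses the text of `diskutil list`, the macOS command that prints this layout, identifies synthesized APFS containers and their physical stores, and answers which device must be imaged to capture a given APFS volume. The `diskutil list` output embedded in the script is constructed, not captured from a real Mac, and the function names `parse_diskutil_list`, `imaging_targets` and `can_image_alone` are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `diskutil list` output (not captured from a real Mac):
# one physical disk, one synthesized APFS container and the four stock volumes
# named on the page (Macintosh HD, Preboot, Recovery, VM).
SAMPLE_DISKUTIL_LIST = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.0 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            100.0 GB   disk1s1
   2:                APFS Volume Preboot                 45.0 MB    disk1s2
   3:                APFS Volume Recovery                512.0 MB   disk1s3
   4:                APFS Volume VM                      2.0 GB     disk1s4
"""


@dataclass
class Partition:
    identifier: str
    ptype: str   # TYPE column, e.g. "APFS Volume" or "Apple_APFS"
    name: str    # NAME column, e.g. "Macintosh HD"
    size: str


@dataclass
class Disk:
    identifier: str
    kind: str                                            # text in parentheses on the /dev line
    partitions: list = field(default_factory=list)
    physical_stores: list = field(default_factory=list)  # filled only for synthesized containers

    @property
    def synthesized(self) -> bool:
        return "synthesized" in self.kind


DEV_RE = re.compile(r"^/dev/(disk\d+) \((.*)\):$")
ROW_RE = re.compile(r"^\s+\d+:")
STORE_RE = re.compile(r"Physical Store (disk\S+)")
# NAME (lazy), then SIZE (optional "*" or "+" prefix), then IDENTIFIER at end of line
TAIL_RE = re.compile(r"^(.*?)\s*(\*?\+?\d+(?:\.\d+)? [KMGTP]?B)\s+(\S+)\s*$")


def parse_diskutil_list(text: str) -> dict:
    """Parse `diskutil list` output into {disk identifier: Disk}."""
    disks, current, name_col = {}, None, None
    for line in text.splitlines():
        m = DEV_RE.match(line)
        if m:
            current = Disk(identifier=m.group(1), kind=m.group(2))
            disks[current.identifier] = current
            continue
        if current is None:
            continue
        if line.lstrip().startswith("#:"):
            name_col = line.index("NAME")      # TYPE is right-aligned just before NAME
            continue
        m = STORE_RE.search(line)
        if m and not ROW_RE.match(line):       # continuation line under a container row
            current.physical_stores.append(m.group(1))
            continue
        if ROW_RE.match(line) and name_col is not None:
            ptype = line[:name_col].split(":", 1)[1].strip()
            tail = TAIL_RE.match(line[name_col:])
            if tail:
                name, size, ident = tail.groups()
                current.partitions.append(Partition(ident, ptype, name.strip(), size))
    return disks


def physical_disk(identifier: str) -> str:
    """disk0s2 -> disk0, disk1s1 -> disk1."""
    return re.match(r"(disk\d+)", identifier).group(1)


def can_image_alone(disks: dict, identifier: str) -> bool:
    """APFS volumes inside a container are not block devices and cannot be imaged by themselves."""
    disk = disks[physical_disk(identifier)]
    for p in disk.partitions:
        if p.identifier == identifier:
            return p.ptype != "APFS Volume"
    return True   # the disk entry itself (disk0, or the container disk1)


def imaging_targets(disks: dict, identifier: str) -> list:
    """Physical disk(s) that must be imaged to capture `identifier`, following Physical Store links."""
    disk = disks[physical_disk(identifier)]
    if not disk.synthesized:
        return [disk.identifier]
    targets = set()
    for store in disk.physical_stores:           # recurse: a store could itself be synthesized
        targets.update(imaging_targets(disks, store))
    return sorted(targets)


if __name__ == "__main__":
    layout = parse_diskutil_list(SAMPLE_DISKUTIL_LIST)
    for dev in ("disk0", "disk1", "disk1s1"):
        print(dev, "imageable alone:", can_image_alone(layout, dev),
              "image instead:", imaging_targets(layout, dev))
```

On a live system the same parser can be fed `subprocess.run(["diskutil", "list"], capture_output=True, text=True).stdout`; the output of `diskutil list` is what the MacQuisition Image Device screen is showing in the figure above. For a volume such as disk1s1 the script reports that it cannot be imaged alone and that disk0 is the device to acquire.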


If the examiner would like to preview the encrypted volume or collect logical files, they will first need to decrypt it. To decrypt the Macintosh HD volume, navigate to Tools and select Mount Device.

Enter password to unlock partition

The examiner can use either a valid password or the Mac’s recovery key to unlock the volume. Once entered, click Unlock.

Partition successfully unlocked message

Once decryption is successful, the user may return to the Image Device screen.

Image Device now indicates unlocked

Notice that disk1s1 now indicates it has been unlocked, but a user still cannot image just that volume. They will need to either select Data Collection to collect logical files or acquire the whole disk.


Since imaging the unlocked state of an encrypted APFS partition is not possible, MacQuisition 2018 R1 provides the option to collect selected files to a destination folder or Mac sparse image.
To collect decrypted logical files, select the Data Collection option.

User can select files or folders to acquire

Files and folders from the unlocked volume can now be selected for collection to a destination folder or sparse image.  Select Start once ready to begin the file collection.


Finally, after the logical collection has completed, a user can return to Image Device to preserve the whole disk. Navigate back to Image Device and select disk0.

Imaging in progress gives option for comment

NOTE: In the Comments window, the examiner may want to type out the user password and recovery key so they will have it recorded for later when ingesting the image into BlackLight.


On a system running BlackLight, either Mac or Windows, create or open a case file. Click on Add Evidence and select the image created in MacQuisition.

Add Evidence displaying APFS container in grey

Notice the grey box around the APFS container and the volumes within it in the image above. Decryption of APFS is built into BlackLight 2018 R1 on both Windows and Mac systems.

Click the checkbox next to Macintosh HD to open the password prompt.

For encrypted partitions, users can enter a password or a recovery key

The examiner can use either a password or recovery key within this box. Note: If using a recovery key, please enter it in ALL CAPS and include dashes.
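The note on key format, worked as an added example that is not part of the original post or of BlackLight: a small Python helper that rewrites a recovery key copied from notes (for instance the MacQuisition comments field mentioned earlier) into the upper-case, dash-separated form the prompt expects, and rejects anything that does not look like a key. It assumes the FileVault personal recovery key layout of six groups of four alphanumeric characters (24 characters in total); that assumption and the function names `normalize_recovery_key` and `is_valid_recovery_key` are this example's, not the product's.

```python
import re

# Assumed layout of a FileVault personal recovery key as shown to the user:
# six dash-separated groups of four upper-case letters/digits, e.g.
# "ABCD-EFGH-IJKL-MNOP-QRST-UVWX" (the sample values below are constructed).
GROUPS, GROUP_LEN = 6, 4
KEY_CHARS = re.compile(r"^[A-Z0-9]+$")


def normalize_recovery_key(raw: str) -> str:
    """Return the key in ALL CAPS with dashes, as the BlackLight prompt requires.

    Accepts a key typed in lower case, without dashes, or with spaces instead of
    dashes. Raises ValueError when the input cannot be a recovery key, so a
    password pasted into the wrong field is caught before it is submitted.
    """
    compact = re.sub(r"[\s\-]", "", raw).upper()
    expected = GROUPS * GROUP_LEN
    if len(compact) != expected:
        raise ValueError(f"recovery key must have {expected} characters, got {len(compact)}")
    if not KEY_CHARS.match(compact):
        raise ValueError("recovery key may only contain letters and digits")
    return "-".join(compact[i:i + GROUP_LEN] for i in range(0, expected, GROUP_LEN))


def is_valid_recovery_key(raw: str) -> bool:
    """True if `raw` normalizes to a well-formed recovery key."""
    try:
        normalize_recovery_key(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for typed in ("abcd-efgh-ijkl-mnop-qrst-uvwx", "ABCD EFGH IJKL MNOP QRST UVWX", "hunter2"):
        print(repr(typed), "->", normalize_recovery_key(typed) if is_valid_recovery_key(typed) else "not a recovery key")
```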

Once the volume is decrypted, select the desired processing options and click Start. Note: with APFS you can only carve from the pooled storage, which means you must choose to carve the unallocated space from the Add Evidence ingestion options window. If carving from unallocated is not selected during ingestion, the disk must be added again with Unallocated selected by itself.

Select Ingestion Options for decrypted APFS partitions

Once parsing has finished, the examiner can start browsing content and confirm that the file system is displayed as expected.

Once decrypted, the examiner can browse, tag and report as usual.



Examiners need this trusted combination of imaging and processing tools, working together, to give them complete access to the APFS devices they are likely to encounter.  For more information about APFS and how it will impact your investigations, you can view our Ask the Expert Webinar on APFS here.

BlackBag Technologies is dedicated to supporting our customers by continually improving our support for the latest file systems and artifacts.  We are proud to release the first truly complete solution for APFS, using what is currently known about this new file system. We will continue to update our tools as changes are made by Apple and more is learned about forensic examination of the new Apple File System.  For feedback on our APFS support or any other enhancements, please contact us at:

Ashley Hernandez