Apple's announced a new file system, APFS, which we'll start to see in 2017 with MacOS Sierra
"Apple File System supports nearly all of the features of HFS+, and offers improvements over HFS+, including 64-bit inode numbers, 1 nanosecond timestamp granularity, an expansive block allocator, support for sparse files, and a crash protection scheme."
"Apple File System provides several new features, including optimization for Flash/SSD storage, copy-on-write metadata, space sharing, cloning of files and directories, snapshots, fast directory sizing, and atomic safe-save primitives."
It's interesting that not only do the "containers" support different levels of encryption, but it's up to developers whether they use it or not. One would assume that Apple's own software (such as MacOS) will use it by default, much like OSX does now. Also, APFS supports TRIM commands out the box.
Now the question is: which tools will support it first? My prediction:
1) XWF
2) Blackbag tools (Macquisition, etc)
3) Magnet Axiom
4) TSK
5) FTK
6) EnCase 8
My prediction:
1) XWF
2) Blackbag tools (Macquisition, etc)
3) Magnet Axiom
4) TSK
5) FTK
6) EnCase 8 (but poorly/partially, and only on machines with at least 256 Gb of RAM and 32 Ghz 64 cores processor)
jaclaz
I believe we should not spend much time discussing the topic this year because of the following fact:
"Apple plans to document and publish the APFS volume format when Apple File System is released in 2017."
http://arstechnica.com/apple/2016/06/digging-into-the-dev-documentation-for-apfs-apples-new-file-system/
An article a colleague shared earlier this week. Look forward to the full details being released.
I assume no tool has released support for the new file system yet?
Contacted X-Ways; no support.
Cannot see support within EnCase or FTK…
Sumuri, the maker of Recon, did a live video on this issue:
https://www.youtube.com/watch?v=OX5H-RsKexI
It seems like even Apple doesn't fully support disks and file systems in the new OS
OT (but not much) and JFYI
https://tinyapps.org/blog/mac/201710010700_high_sierra_disk_utility.html
High Sierra's Disk Utility does not recognize unformatted disks
unless you click View > Show All Devices, quit Disk Utility, then relaunch it
this is actually APFS related
https://bombich.com/blog/2017/09/29/think-twice-before-encrypting-your-hfs-volumes-on-high-sierra
Take any HFS+ formatted volume that does not have an installation of macOS on it (that part is key), right-click on the volume in the Finder and choose the option to encrypt it. Rather than simply converting the volume to a CoreStorage Encrypted volume and keeping the HFS+ format, macOS converts the volume to APFS with no warning, and then enables encryption.
More seriously, this
https://eclecticlight.co/2017/09/10/last-week-on-my-mac-apfs-and-high-sierra-in-trouble/
When you install macOS High Sierra on the built-in solid-state drive (SSD) of a Mac, that drive is automatically converted to APFS. Fusion Drives and hard disk drives (HDDs) aren't converted. You can't opt out of the transition to APFS.
It also dropped the bombshell that Sierra would never be able to access volumes formatted using High Sierra's release version of APFS
Devices formatted as APFS can be read from and written to by:
Other devices formatted as APFS
Devices formatted as Mac OS Extended, if using macOS High Sierra
For example, a USB storage device formatted as APFS can be read by a Mac using High Sierra, but not by a Mac using Sierra or earlier.
Will probably create havoc.
And I presume that all software firms are in a condition similar to the one expressed here
http://www.shirt-pocket.com/blog/index.php/comments/news_on_the_march
First, we'll definitely be supporting APFS. That work has been in progress for some time, and continues as of this post. We already have copying to and from APFS volumes working "in the lab", as it were, and testing is ongoing.
The bad news is I'm not confident enough to say we're going to release our APFS support day-and-date.
I know this kind of hedging is disappointing. But it's important to note that Apple still hasn't released any documentation on the "proper" way to create a bootable APFS volume. An example of what they have in mind was released for the very first time when the High Sierra developer release came out a few months ago, but that's it. We basically have to make an educated guess about what they want.
jaclaz
Please do not forget Passmark's OSForensics, which supports HFS+/HFSX (Mac/iPhone/iPad).
OSForensics also has a PLIST viewer built in.
Well worth 5 minutes of your time
Not sure how Sumuri/Recon didn't end up on your lists. I would have put them first or second, especially since they said before APFS launch that they were almost on track with the support already
Check the date Chris_Ed's "prediction" was (jokingly) made, more than one year ago, June 2016.
@UnallocatedCluster
Does OSForensics support APFS (besides HFS, HFS+ and plists)?
If no, Chris_Ed is still right about not listing it ….
jaclaz
Jaclaz (et al) -
I just upgraded my MacBook Pro (500 GB SSD drive) to High Sierra, so next step is to image it and see what tools can process the forensic image; I am going to test Forensic Explorer / OSForensics / IEF.
I will report back once I have some results.
I'll save you a bit of time - FEX doesn't have support, had a quick look today. And I haven't seen Axiom updated so I'd be surprised if IEF has support. I haven't tested the latest update to OSForensics
Basically, I haven't seen anything updated with native support for APFS yet. I'm thinking Blacklight and Recon are our best bets for the first tools to support it (utilising OSX HS to access the image). Without an official spec release I don't think we'll see Windows support for a while.
I also had a play around a few weeks ago with APFS and a few tools at the time. I documented my findings here