New File System on Macs

yeah, part of that was turned into the tool mentioned by the developer in the comments of my thinkdfir post

yeah, part of that was turned into the tool mentioned by the developer in the comments of my thinkdfir post

I see ) , in your blog post comments there is some reference to the progresses of BlackBag and a link to a new program
http//biskus.com/
by Thomas Tempelmann, though seemingly he made a fork of the apfs.ksy only
https://github.com/tempelmann/apfs.ksy
whilst the cugu's repository offers besides the katay structure
https://github.com/cugu/apfs.ksy
also a "full" program/library
https://github.com/cugu/apfs
forked from
https://github.com/tienex/apfs

jaclaz

Yep, he worked on the original cugu stuff apparently as well, and then turned it into this tool

I haven't tested it but I dont think it deals with FV2 on Windows…which is going to be the main call from practitioners…but then we didnt have that prior to APFS either

For viewing APFS, I found that Paragon has a new tool for Windows and Unix that can read APFS. It can be downloaded here

Paragon APFS Tool

For forensics work on the APFS drive, I loaded the logical drive (via "Add Directory") into Xways.

The downside of course is that you still can't get disk level access, but at least I can view the files on the APFS formatted drives.

For viewing APFS, I found that Paragon has a new tool for Windows and Unix that can read APFS. It can be downloaded here

Paragon APFS Tool

For forensics work on the APFS drive, I loaded the logical drive (via "Add Directory") into Xways.

The downside of course is that you still can't get disk level access, but at least I can view the files on the APFS formatted drives.

Nice ) , and there is seemingly also a Linux version
https://backstage.paragon-software.com/business/apfs-linux/
that can reportedly read file metadata and access rights. (but unlike the windows version there is seemingly not a direct download link, possibly it needs registration or to be bought a license for).

jaclaz

yeah, part of that was turned into the tool mentioned by the developer in the comments of my thinkdfir post

I see ) , in your blog post comments there is some reference to the progresses of BlackBag and a link to a new program
http//biskus.com/
by Thomas Tempelmann, though seemingly he made a fork of the apfs.ksy only
https://github.com/tempelmann/apfs.ksy
whilst the cugu's repository offers besides the katay structure
https://github.com/cugu/apfs.ksy
also a "full" program/library
https://github.com/cugu/apfs
forked from
https://github.com/tienex/apfs

jaclaz

I've used their (jonas and tempelmann) reference implementation to add APFS support to the mac_apt tool. This is a framework to parse macOS full disk images (no encryption support though) for forensic artifacts. A lot of APFS's inner workings such as snapshots and the 3 byte filename hash are still unknown, but we know enough to parse the files and folders.

https://github.com/ydkhatri/mac_apt

I believe mac_apt is the first open source forensics tool to support APFS and parse high sierra images (unencrypted).

Latest UFS v6 supports it

Ref. http//r-explorer.com/technical.php

tested it

So the order of tools supporting APFS so far appears to be

1. BlackBag Tech. with BlackLight 2018 R1 (February 2018)
2. OpenText (Guidance Software) with Encase 8.07 (May 2018)
3. Possibly X-Ways with X-Ways Forensics 19.7 (currently in preview/beta)
4……?

So the order of tools supporting APFS so far appears to be

1. BlackBag Tech. with BlackLight 2018 R1 (February 2018)
2. OpenText (Guidance Software) with Encase 8.07 (May 2018)
3. Possibly X-Ways with X-Ways Forensics 19.7 (currently in preview/beta)
4……?

4. Recovery Explorer (formerly UFS)
5. R-Studio (also supports encrypted APFS in some cases)