A new free white paper is now available from Magnet Forensics — download Magnet AXIOM and macOS/APFS today!
About the White Paper
The Apple File System (APFS) is the latest file system to come from Apple, Inc. for their family of Macintosh computers, as well as iPhone, iPad, Apple TV, and Apple Watch. It supersedes the aging Hierarchical File System Plus (HFS+), adding many significant new features found in other modern file systems such as ZFS or XFS, including Copy-on-Write (CoW), encryption, and cloning.
The purpose of this paper is to provide a high-level overview of some of the more prominent APFS features of interest to digital forensic examiners working with APFS-aware tools such as Magnet AXIOM. HFS+ is referenced where appropriate to illustrate the differences found in the two file systems. To keep the exploration reasonably brief and focused on APFS, it is assumed the target audience has a fundamental understanding of HFS+ and its associated structures, i.e. volume header, allocation file, catalog file, etc. Where APFS structures and functionality overlap or duplicate HFS+, explanations may only include common definitions when they are appropriate for clarity of discussion. Otherwise, it appears APFS has more in common with other UNIX-like file systems than it does with HFS.
Looking to Learn More about macOS Investigations?
Register for our live "macOS: Forensic Artifacts and Techniques That are Essential for Mac Investigations" webinar on June 26. Can’t make the live presentation? Register for the event and we’ll send you a link to the recording of the event once it’s available.