Home > Digital Forensics

APFS File System

The Apple File System (APFS) is the default file system used by macOS on all modern systems. Introduced with macOS High Sierra (10.13), APFS was designed for flash and SSD storage, offering strong encryption, snapshots, clones, and space sharing. For forensic investigators, APFS introduces a new set of structures, behaviors, and artifacts that differ significantly from older HFS+ systems.

Understanding APFS fundamentals is essential for analyzing macOS devices, performing data recovery, identifying user activity, and detecting tampering.

What Is APFS?

APFS (Apple File System) is a modern, high-performance, 64-bit file system developed by Apple.
It is optimized for:

  • SSD and flash storage

  • Strong data integrity

  • Multiple volume management

  • Fast cloning and snapshots

  • Robust encryption

APFS structures evidence differently from HFS+, so forensic methods must adapt accordingly.

APFS Core Concepts

APFS consists of containers, volumes, and snapshots.
Understanding these layers is crucial for analyzing the file system at a forensic level.

1. APFS Container

The APFS container is similar to a partition.

A single container can hold multiple APFS volumes, all sharing the same underlying storage.

Features:

  • Shared free space among volumes

  • Prevents rigid partitioning

  • Enables efficient use of disk storage

Forensic Importance:

  • Deleted or hidden volumes may still exist

  • Space sharing complicates traditional recovery

  • Volumes depend on container metadata for interpretation

2. APFS Volumes

Inside an APFS container are one or more volumes.
Common macOS volumes include:

  • Macintosh HD (System volume)

  • Macintosh HD – Data (User data)

  • Preboot (Boot support)

  • Recovery

  • VM (Virtual memory swap volume)

Data Volume Split (APFS + SIP)

Starting macOS Catalina:

  • The System volume is read-only

  • User data is stored separately in the Data volume

This separation protects system integrity but also affects forensic workflows.

Forensic Importance:

  • Most user artifacts are found in the Data volume

  • System volume changes may indicate tampering

  • The Preboot and Recovery volumes store boot-related evidence

3. APFS Snapshots

Snapshots are read-only frozen points in time of the file system.

macOS automatically creates snapshots during:

  • OS updates

  • Time Machine backups

  • System restores

Users and malware can also create snapshots.

Forensic Value:

  • Excellent for recovering deleted or modified data

  • Allows rollback to previous states

  • Preserves evidence even after system changes

  • Attackers may use snapshots to hide persistence

Snapshots are one of the most useful forensic artifacts in APFS.

APFS Metadata Structures

APFS uses several key metadata objects to organize the file system.

1. Container Superblock (NXSB)

Stores:

  • Container size

  • Volume references

  • Block maps

  • Encryption information

2. Volume Superblock (APSB)

Contains:

  • Volume name

  • Role (System, Data, Preboot, VM)

  • File count

  • Snapshot references

3. B-Tree Structures

APFS uses multiple B-trees for:

  • File metadata

  • Directory entries

  • Extents

  • Snapshots

  • Object tracking

4. Object Map (omap)

Maps object identifiers to physical blocks.

Forensic Impact:

  • Essential for recovering deleted files

  • Maintains references to old metadata

APFS Encryption

APFS supports:

  • Full disk encryption

  • Per-file encryption

  • Multi-key encryption

  • Fast secure wipe (by discarding keys)

macOS uses FileVault 2 (XTS-AES-128) for full-disk encryption.

Forensic Challenges:

  • Access requires correct password or recovery key

  • Without keys, raw APFS containers are unreadable

  • Even deleted data may be encrypted per file

  • Snapshots may store encrypted versions of files

Forensic Opportunity:

  • Keys may be found in memory (RAM)

  • iCloud-linked recovery options may exist

APFS Clones

Clones allow instant duplication of files or directories without using additional space.

When modified:

  • APFS writes only changed blocks

  • Original and clone share unchanged blocks

Forensic Impact:

  • Clones complicate timeline analysis

  • Multiple file versions may share metadata

  • Deleted clones may leave residual file fragments

APFS Space Sharing

Volumes inside a container share a pool of free space.

Forensics must consider:

  • Deleted files from one volume may be overwritten by others

  • Space allocation maps span multiple volumes

  • Recovery complexity increases with multi-volume containers

APFS Time Machine (Modern Implementation)

New Time Machine backups over APFS use APFS snapshots.

Key Forensic Notes:

  • Local Time Machine snapshots exist even without external drives

  • Snapshots retain deleted files

  • Investigators can mount snapshots to recover historical states

Forensic Artifacts on APFS

Important locations for forensic analysis:

User Artifacts (Data Volume):

  • ~/Library/Application Support/

  • ~/Library/Preferences/

  • ~/Library/Logs/

  • Safari data

  • iMessage & FaceTime databases

  • Keychains

  • Recent documents

  • System logs stored under /var/db/

System Artifacts (System Volume):

  • OS binaries

  • Startup services

  • Configuration files

Preboot Volume:

  • Boot records

  • Kernel caches

  • Boot UUID mappings

Recovery Volume:

  • Recovery environment

  • Tools for macOS reinstall

  • Potential tampering evidence

VM Volume:

  • Swap files

  • Sleep images

  • Possible password remnants

Acquiring APFS Images for Forensics

Imaging requires:

  • Disk image in physical/raw format

  • Inclusion of entire container + volumes

  • Additional steps for encrypted volumes

  • Separate handling of snapshots

Tools that support APFS:

  • dd or dcfldd (raw imaging)

  • macOS asr

  • FTK Imager

  • BlackLight

  • Cellebrite UFED Physical Analyzer

  • Magnet AXIOM

  • Autopsy (partial support)

Critical Requirement: Preserve block size (4096 bytes) for APFS containers.

Common APFS Forensic Challenges

  • Heavy use of encryption

  • Space sharing across volumes

  • Rapid log rotation

  • File cloning complicates version history

  • Snapshots increase analysis complexity

  • System and Data volumes split

Intel Dump

APFS is a modern, flexible, and secure file system designed for macOS. For forensic investigators, understanding APFS containers, volumes, snapshots, encryption, metadata structures, and space-sharing is essential for effective evidence recovery and timeline reconstruction. APFS's advanced features—especially snapshots and cloning—offer both challenges and opportunities during investigations. Thorough knowledge of these fundamentals is the foundation for successful macOS forensic analysis.

HOME COMMUNITY CAREERS DASHBOARD