Design and Implementation of APFS Object Identification Tool for Digital Forensics

  • Cho, Gyu-Sang (Dept. of Computer & Software, Dongyang University)
  • Received : 2021.10.20
  • Accepted : 2021.10.27
  • Published : 2022.02.28

Abstract

Since macOS High Sierra, APFS has been Apple's main file system. It is a well-established file system that has been used stably so far. From the perspective of digital forensics, however, many areas of it remain to be investigated. The Apple File System Reference is provided on the Apple developer site, but it is not sufficient for a full analysis of APFS. Researchers know more about the structure of APFS than before, but they have not yet analyzed its structure completely. In this paper, we develop an APFS object identification tool for digital forensics. The tool performs the most basic and essential task: identification and analysis of the objects of the APFS file system. The analysis in this study serves as the background for an analysis of the checkpoint operating principle and structure, including the more complex B-tree structure of APFS. The developed tool has several options, but the results of two use cases are shown here. It is hoped that more functions will be added to the implemented tool so that it becomes useful for faster and more accurate APFS analysis.
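The abstract describes identifying APFS objects as the first step of the analysis. Every APFS object block begins with the same 32-byte header (the `obj_phys_t` of Apple's published Apple File System Reference: checksum, object id, transaction id, type and subtype), so object identification in practice means decoding that header and confirming the block's Fletcher-64 checksum before trusting it. The following parser is an added example written for this page, not the paper's tool; the field layout, flag bits and type values are taken from Apple's public reference, and the sample block it parses is constructed inline rather than read from a real disk image.

```python
"""Identify an APFS object from its obj_phys_t header and verify its checksum.

Added example, not the paper's tool. Layout and constants follow Apple's public
Apple File System Reference; the sample block in main() is constructed.
"""
import struct

BLOCK_SIZE = 4096                  # default APFS block size
OBJ_HDR = struct.Struct("<QQQII")  # o_cksum, o_oid, o_xid, o_type, o_subtype (32 bytes)

OBJECT_TYPE_MASK = 0x0000FFFF      # low 16 bits of o_type: the object type
OBJECT_TYPE_FLAGS_MASK = 0xFFFF0000  # high 16 bits: storage and other flags
OBJ_STORAGETYPE_MASK = 0xC0000000
OBJ_EPHEMERAL = 0x80000000
OBJ_PHYSICAL = 0x40000000
OBJ_NOHEADER = 0x20000000
OBJ_ENCRYPTED = 0x10000000

# Subset of object types most often met during object identification
OBJECT_TYPES = {
    0x01: "NX_SUPERBLOCK", 0x02: "BTREE", 0x03: "BTREE_NODE",
    0x05: "SPACEMAN", 0x0B: "OMAP", 0x0C: "CHECKPOINT_MAP",
    0x0D: "FS", 0x0E: "FSTREE", 0x11: "NX_REAPER",
}
STORAGE_TYPES = {0x00000000: "virtual", OBJ_PHYSICAL: "physical",
                 OBJ_EPHEMERAL: "ephemeral"}
# Magic values that follow the header in the two superblock types
MAGIC = {0x01: b"NXSB", 0x0D: b"APSB"}

M = 0xFFFFFFFF  # modulus of the Fletcher-64 variant used by APFS (2^32 - 1)


def fletcher64_checksum(body):
    """Checksum of a block body, i.e. everything after the 8-byte o_cksum field."""
    sum1 = sum2 = 0
    for (word,) in struct.iter_unpack("<I", body):
        sum1 = (sum1 + word) % M
        sum2 = (sum2 + sum1) % M
    # Final two words are chosen so a plain Fletcher pass over the whole block yields 0
    low = M - ((sum1 + sum2) % M)
    high = M - ((sum1 + low) % M)
    return (high << 32) | low


def verify_block(block):
    """True when the stored o_cksum matches the rest of the block."""
    stored = struct.unpack_from("<Q", block, 0)[0]
    return stored == fletcher64_checksum(block[8:])


def parse_obj_header(block):
    """Decode obj_phys_t and report what kind of object the block holds."""
    _cksum, oid, xid, o_type, o_subtype = OBJ_HDR.unpack_from(block, 0)
    type_id = o_type & OBJECT_TYPE_MASK
    flags = o_type & OBJECT_TYPE_FLAGS_MASK
    return {
        "oid": oid,
        "xid": xid,
        "type": OBJECT_TYPES.get(type_id, f"UNKNOWN(0x{type_id:02x})"),
        "subtype": o_subtype & OBJECT_TYPE_MASK,
        "storage": STORAGE_TYPES.get(flags & OBJ_STORAGETYPE_MASK, "?"),
        "noheader": bool(flags & OBJ_NOHEADER),
        "encrypted": bool(flags & OBJ_ENCRYPTED),
        # Superblocks carry a 4-byte magic right after the header (offset 32)
        "magic": block[32:36] if type_id in MAGIC else None,
        "magic_ok": block[32:36] == MAGIC[type_id] if type_id in MAGIC else None,
        "checksum_ok": verify_block(block),
    }


def build_block(oid, xid, o_type, o_subtype=0, body=b""):
    """Constructed sample block: header + body with a valid checksum sealed in."""
    body = body.ljust(BLOCK_SIZE - OBJ_HDR.size, b"\0")
    block = bytearray(OBJ_HDR.pack(0, oid, xid, o_type, o_subtype) + body)
    struct.pack_into("<Q", block, 0, fletcher64_checksum(bytes(block[8:])))
    return bytes(block)


def main():
    # Constructed container superblock: oid 1, xid 5, ephemeral storage
    blk = build_block(1, 5, 0x01 | OBJ_EPHEMERAL, body=b"NXSB")
    print(parse_obj_header(blk))
    damaged = bytearray(blk)
    damaged[100] ^= 1  # single flipped bit in the body
    print("damaged block verifies:", verify_block(bytes(damaged)))


if __name__ == "__main__":
    main()
```

A forensic tool should treat `checksum_ok == False` as a reason to distrust the block rather than to discard it: stale copies of objects left behind by APFS copy-on-write still carry valid checksums, while a block that fails verification may be partially overwritten or not an object at all.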

Acknowledgement

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2019R1F1A1058902).
