afro can parse APFS volumes. It can also recover deleted files from APFS that other tools do not find.
```
git clone https://github.com/cugu/afro
cd afro
python3 setup.py install
```

`python3 setup.py install` is the legacy setuptools path; on current toolchains `pip install .` from the cloned directory does the same.
afro needs to know where the APFS container starts, i.e. the offset of the APFS partition. You can find it with mmls from The Sleuth Kit:

```
mmls test/wsdf.dmg
```

This results in:

```
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000195319   0000195280   disk image
005:  -------   0000195320   0000195352   0000000033   Unallocated
```
Look for the APFS partition in this list. In the example above slot 004 is the APFS partition; it starts at sector 40 (mmls counts in 512-byte sectors here), so `-o 40` has to be passed to every afro command below. APFS is not recognized by The Sleuth Kit so the description is only
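Because The Sleuth Kit does not label the partition as APFS, it is worth picking the offset programmatically and checking that the block there really is an APFS container before running afro. The following is an added example, not afro's or The Sleuth Kit's own code: `parse_mmls()` reads the table mmls prints, `apfs_offset()` returns the start sector to pass to afro's `-o`, and `has_nx_magic()` checks a block for the `NXSB` magic of an APFS container superblock, which the Apple File System Reference places at byte 32, right after the 32-byte object header. `SAMPLE_MMLS_OUTPUT` is a constructed copy of the listing above and `fake_image()` builds a matching byte string, so everything runs without an image; all function names are this example's own.

```python
"""Find the APFS container start in mmls output and verify it before running afro.

Added example, not afro's or The Sleuth Kit's code. The NXSB magic and its
position (byte 32 of the container's first block) come from the Apple File
System Reference; everything else here is this example's own naming.
"""
import re
import subprocess
import sys
from typing import List, NamedTuple, Optional

# Constructed copy of the mmls listing above (units are 512-byte sectors).
SAMPLE_MMLS_OUTPUT = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000195319   0000195280   disk image
005:  -------   0000195320   0000195352   0000000033   Unallocated
"""

NX_MAGIC = b"NXSB"      # nx_superblock_t.nx_magic
NX_MAGIC_OFFSET = 32    # follows the obj_phys_t header (cksum, oid, xid, type, subtype)
BLOCK_SIZE = 4096       # enough to cover the magic; the real block size is read later


class Partition(NamedTuple):
    index: int
    slot: str
    start: int
    end: int
    length: int
    description: str


# One table row, e.g. "004:  000  0000000040  0000195319  0000195280  disk image"
_ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text: str) -> List[Partition]:
    parts = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            idx, slot, start, end, length, desc = m.groups()
            parts.append(Partition(int(idx), slot, int(start), int(end), int(length), desc.strip()))
    return parts


def sector_size(text: str) -> int:
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    return int(m.group(1)) if m else 512


def apfs_offset(text: str, index: Optional[int] = None) -> int:
    """Start sector of the APFS partition.

    'Meta' rows are GPT bookkeeping and '-------' rows are unallocated space;
    what remains are real partitions. With more than one, pass the mmls index
    explicitly instead of guessing.
    """
    cands = [p for p in parse_mmls(text) if p.slot not in ("Meta", "-------")]
    if index is not None:
        cands = [p for p in cands if p.index == index]
    if len(cands) != 1:
        raise ValueError("choose the partition index: "
                         + ", ".join(f"{p.index:03d} at sector {p.start}" for p in cands))
    return cands[0].start


def has_nx_magic(block: bytes) -> bool:
    """True if the block carries the container superblock magic at byte 32."""
    return block[NX_MAGIC_OFFSET:NX_MAGIC_OFFSET + len(NX_MAGIC)] == NX_MAGIC


def container_at(image: bytes, offset_sectors: int, ssize: int) -> bool:
    start = offset_sectors * ssize
    return has_nx_magic(image[start:start + BLOCK_SIZE])


def fake_image(offset_sectors: int, ssize: int = 512) -> bytes:
    """Constructed image: zeros up to the partition, then a block with 'NXSB' at byte 32."""
    header = bytes(NX_MAGIC_OFFSET) + NX_MAGIC
    return bytes(offset_sectors * ssize) + header + bytes(BLOCK_SIZE - len(header))


def check_image(path: str) -> int:
    """Run mmls on a real image, pick the offset and verify it; returns the sector offset."""
    out = subprocess.run(["mmls", path], check=True, capture_output=True, text=True).stdout
    offset, ssize = apfs_offset(out), sector_size(out)
    with open(path, "rb") as f:
        f.seek(offset * ssize)
        if not has_nx_magic(f.read(BLOCK_SIZE)):
            raise ValueError(f"no NXSB magic at sector {offset}; not an APFS container")
    return offset


if __name__ == "__main__":
    image = sys.argv[1]
    print(f"afro -o {check_image(image)} -e files {image}")
```

Run as `python3 find_apfs.py test/wsdf.dmg` to get the afro command line with the verified offset filled in; if mmls lists several real partitions the script stops and asks for an explicit index rather than guessing.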
All files of an APFS image can be extracted with the following command:

```
afro -o 40 -e files test/wsdf.dmg
```
The exported files are saved in a folder named after the image with the suffix '.extracted' (in the example below, 'wsdf.dmg.carve_apsb.extracted'). Because an APFS container can hold multiple volumes, each volume is extracted into its own folder inside the '.extracted' folder. Each volume can contain multiple versions of the file system, which are stored in separate numbered folders. Inside each version folder there are two folders, 'private-dir' and 'root'. Neither is visible to the user, but both exist on every APFS file system; 'root' holds the directory tree the user sees.

```
wsdf.dmg.carve_apsb.extracted
├─ wsdf                 <- First volume
│  ├─ 5                 <- First version
│  │  ├─ private-dir
│  │  └─ root           <- Root directory
│  │     ├─ folder
│  │     │  └─ foo.txt
│  │     └─ bar.txt
│  └─ 6                 <- Second version
│     └─ …
└─ my_volume_name       <- Second volume
   └─ …
```
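The numbered version folders are what makes the export useful for recovering deleted files: a file that was removed is usually still present in an older version. The following is an added example, not part of afro, that works on the layout just described (volume folder / numbered version folder / 'root' and 'private-dir'): for one volume it compares consecutive versions, lists files that were removed, added or modified, and copies every removed file out of the last version that still has it. `build_sample_tree()` constructs a small tree in that layout in a temporary directory (its file contents are made up) so the script runs without an image; all function names are this example's own.

```python
"""Diff the file system versions in an afro export and pull out deleted files.

Added example, not afro's own code. Works on '<image>.extracted/<volume>/<n>/'
where <n> is a numbered file system version containing 'root' and 'private-dir'.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(version_dir: Path) -> Dict[str, str]:
    """Map each file below a version folder (root/ and private-dir/) to its SHA-256."""
    return {p.relative_to(version_dir).as_posix(): sha256_file(p)
            for p in version_dir.rglob("*") if p.is_file()}


def version_dirs(volume_dir: Path) -> List[Path]:
    """Numbered version folders of one volume, oldest (lowest number) first."""
    return sorted((d for d in volume_dir.iterdir() if d.is_dir() and d.name.isdigit()),
                  key=lambda d: int(d.name))


def diff_versions(older: Dict[str, str], newer: Dict[str, str]) -> Dict[str, List[str]]:
    common = older.keys() & newer.keys()
    return {
        "removed": sorted(older.keys() - newer.keys()),
        "added": sorted(newer.keys() - older.keys()),
        "modified": sorted(k for k in common if older[k] != newer[k]),
    }


def diff_volume(volume_dir: Path) -> List[dict]:
    """Diff every pair of consecutive versions of a volume."""
    versions = version_dirs(volume_dir)
    result = []
    for a, b in zip(versions, versions[1:]):
        entry = {"older": a.name, "newer": b.name}
        entry.update(diff_versions(snapshot(a), snapshot(b)))
        result.append(entry)
    return result


def recover_removed(volume_dir: Path, dest: Path) -> List[str]:
    """Copy files that vanish between consecutive versions to dest/<older version>/<path>.

    copy2 keeps the timestamps of the exported file. Returns the copied paths
    relative to dest.
    """
    copied = []
    versions = version_dirs(volume_dir)
    for a, b in zip(versions, versions[1:]):
        for rel in diff_versions(snapshot(a), snapshot(b))["removed"]:
            target = dest / a.name / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(a / rel, target)
            copied.append(target.relative_to(dest).as_posix())
    return copied


def build_sample_tree(base: Path) -> Path:
    """Constructed export mirroring the tree shown above: between version 5 and
    version 6 of volume 'wsdf', bar.txt is deleted, foo.txt rewritten, baz.txt added."""
    extracted = base / "wsdf.dmg.carve_apsb.extracted"
    v5, v6 = extracted / "wsdf" / "5", extracted / "wsdf" / "6"
    for v in (v5, v6):
        (v / "private-dir").mkdir(parents=True)
        (v / "root" / "folder").mkdir(parents=True)
    (v5 / "root" / "folder" / "foo.txt").write_text("first draft\n")
    (v5 / "root" / "bar.txt").write_text("only in the older version\n")
    (v6 / "root" / "folder" / "foo.txt").write_text("second draft\n")
    (v6 / "root" / "baz.txt").write_text("new file\n")
    return extracted


def demo() -> dict:
    """Build the sample export, diff it and recover the deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        volume = build_sample_tree(Path(tmp)) / "wsdf"
        return {"diffs": diff_volume(volume),
                "recovered": recover_removed(volume, Path(tmp) / "recovered")}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real export, point `diff_volume()` and `recover_removed()` at `wsdf.dmg.carve_apsb.extracted/wsdf` (or any other volume folder). Hashing rather than comparing sizes or names catches files that were rewritten in place, which is why the 'modified' list is kept alongside 'removed'.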
Create body file
To get an overview of the files, a body file (the timeline input format used by The Sleuth Kit's mactime) can be created:

```
afro -o 40 -e bodyfile test/wsdf.dmg
```
Documentation on APFS
- Apple File System Reference: Official, but incomplete APFS specification
- Decoding the APFS file system: Paper by Kurt H. Hansen and Fergus Toolan in Digital Investigation. Published: 2017-09-22.
- Apple File System Guide: Official documentation on APFS. Lacks lots of information on APFS. Last update: 2017-09-21.
- APFS filesystem format: Deprecated blog post by myself. Still contains some useful diagrams. Last update: 2017-04-30.
- Information about the checksum calculation can be found in checksum.md.
Pull requests and issues are welcome!