File recovery for APFS
Latest commit cd13f07 Nov 25, 2018

afro (APFS file recovery)

afro can parse APFS volumes. It can also recover deleted files from APFS that other tools do not find.

Installation

git clone https://github.com/cugu/afro
cd afro
python3 setup.py install

Usage

AFRO needs to know where the APFS partition starts. How to find that offset is described below.

Export partition

AFRO needs to know the start of the APFS container. You can find it with mmls from The Sleuth Kit:

mmls test/wsdf.dmg

This results in:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000195319   0000195280   disk image
005:  -------   0000195320   0000195352   0000000033   Unallocated

You have to look for the APFS partition in this list. In the example above, entry 004 is the APFS partition, which starts at sector 40, so -o 40 needs to be passed to the following commands. The Sleuth Kit does not recognize APFS, so the description only reads "disk image".
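Because mmls only labels the partition "disk image", it is worth confirming that the chosen entry really is an APFS container before running afro. The following added example (not part of afro) parses the mmls table above and checks the first block of each allocated partition for the APFS container superblock magic 'NXSB', which sits right after the 32-byte object header; the image it reads is a constructed in-memory stand-in for test/wsdf.dmg.

```python
# Added example: find the afro -o offset by parsing mmls and checking each
# partition's first block for the APFS nx_superblock magic 'NXSB'.
import io
import re

SECTOR_SIZE = 512       # mmls reports offsets in 512-byte sectors
NX_MAGIC = b"NXSB"      # nx_superblock.nx_magic, right after the 32-byte obj_phys_t header
NX_MAGIC_OFFSET = 32

# mmls table rows quoted from the README above.
MMLS_OUTPUT = """\
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000195319   0000195280   disk image
005:  -------   0000195320   0000195352   0000000033   Unallocated
"""
ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Return allocated partitions as (index, start_sector, length, description)."""
    parts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        idx, slot, start, _end, length, desc = m.groups()
        if slot in ("Meta", "-------"):   # skip GPT metadata and unallocated gaps
            continue
        parts.append((int(idx), int(start), int(length), desc.strip()))
    return parts

def find_apfs_offsets(image, partitions):
    """Return start sectors whose first block carries the NXSB magic (use as afro -o)."""
    hits = []
    for _idx, start, _length, _desc in partitions:
        image.seek(start * SECTOR_SIZE + NX_MAGIC_OFFSET)
        if image.read(len(NX_MAGIC)) == NX_MAGIC:
            hits.append(start)
    return hits

def make_fake_image():
    """Constructed stand-in for test/wsdf.dmg: zeros, with 'NXSB' planted at sector 40."""
    buf = bytearray(48 * SECTOR_SIZE)
    off = 40 * SECTOR_SIZE + NX_MAGIC_OFFSET
    buf[off:off + 4] = NX_MAGIC
    return io.BytesIO(bytes(buf))
```

On a real image, open the file in binary mode and pass it in place of make_fake_image(); each sector returned is a candidate value for afro's -o option.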

Export files

All files of an APFS image can be extracted with the following command:

afro -o 40 -e files test/wsdf.dmg

The exported files are saved in a folder named after the image with the suffix '.extracted'. Because APFS images can contain multiple volumes, each volume is extracted into a separate folder inside the '.extracted' folder. Each volume can contain multiple versions of the file system, which are stored in separate numbered folders. Inside those folders two folders exist, 'private-dir' and 'root'. They are not visible to the user, but exist on every APFS file system.

Example:

wsdf.dmg.carve_apsb.extracted
├─ wsdf                  <- First volume
│  ├─ 5                  <- First version
│  │  ├─ private-dir
│  │  └─ root            <- Root directory
│  │     ├─ folder
│  │     │  └─ foo.txt
│  │     └─ bar.txt
│  └─ 6                  <- Second version
│     └─ …
└─ my_volume_name        <- Second volume
   └─ …

Create body file

To get an overview of the files, a body file can be created:

afro -o 40 -e bodyfile test/wsdf.dmg

More information on the body file format can be found in The Sleuth Kit wiki. The body file can be further investigated using mactime and Timeline Explorer.

Documentation on APFS

Contributing

Pull requests and issues are welcome!

Licenses

The afro software is licensed as GPLv3. The ksy file (libapfs/apfs.ksy) is licensed under MIT license.
