APFS
APM and APFS seem to be unable to live together. APFS requires GUID. I have come to that conclusion when I tried formating the drive with a APM and then APFS with DiskUtility. The same goes for the MBR. APFS requires GPT.
https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
Advantages over HFS+:
-
Optimized for Flash/SSD Storage.
-
Full disk encryption is natively supported.
-
Snapshot support.
-
Timestamps are to-the-nanosecond.
-
9 quintillion files at most (18 zeroes).
-
Clones (aka copy-on-write). When the file is copied, it’s actually not duplicated. Instead, a new pointer is created. Once either of the files get changed, the actual copying process takes place.
-
Snapshots
-
Space sharing
-
encryption
-
crash protection
-
sparse files
-
fast directory resizing
iOS has two partitions: system and user.
Full support since iOS 10.3 and macOS High Sierra (10.13).
SANS Poster APFS File System Format Reference Sheet (SANS FOR518 Reference Sheet).
Apple π. 2006 PowerPC -> Intel. They also moved to GUID partitioning (GPT). GPT replaces MPT at the end of MBR. The main difference between them is that MPT can only define 4 primary partitions, while GPT can have
Partitions and volumes are slightly different than for other FS. When we see a APFS disk, think in terms of volumes.
There are five entries (raws) there. One of them, the first, is most likely a general, main container. The other 4 are volumes: MacHD, Preboot, Recovery, VM (standard, but MacHD is usually named Macintosh HD).
The first one - container GUID. All the volumes have the same container GUID. Container GUID is similar to disk signature or the serial number that we find at offset 440 of the MBR when we are looking at HDDs from a Windows system.
APFS volumes are not fixed in size. Share space within a container. Unallocated space is pooled to all the volumes within. That’s why when analysing volumes there is no way to tell, which volume this unallocated space originated from (unlike on Win).
Timestamps
π Jan 1, 1970
Modified
Created
Accessed
On macOS type mount in Terminal to get all the disks mounted with their corresponding attributes. If you see a noatime attribute, it means Accessed attribute is not updated for that volume.
Changed
Added
Unique to APFS. Very useful for forensics since it differenciates between the file being actually created and it being copied from another media (USB, for example).
Metadata
FSEvents
Like $UsnJrnl. βοΈIt keeps track of file ids, which is useful for sequencing events. Can be found /.fseventsd. Lot’s of gzip archives.
π However, I couldn’t find it on my M1 (macOS Big Sur, 11.2.3). The daemon was running (checked with Activity Monitor). Grabbing the processes path on disk (search for
fseventsd, double-click, chooseSampleand get the path from the result)
python FSEParser_V3.3.py -s -t folder /.fseventsd -o /Users/sentinel/Desktop/FSEvents_Out
Keywords: Mount/Volume, Safari/Chrome (web search), Renamed/.trash (trash).
Lot’s of information, so, think well whether to process it or not, since it’ll take time.
β οΈ If you insert a FAT-formatted thumb drive into a macOS machine, it will create fervents.
Tools π : FSEventsParser.