On the 25th September Apple released OS X High Sierra which uses the Apple File System (APFS) as its default file system. Based on Steve’s video I thought it would be a good idea to do some testing.
I downloaded the installer for High Sierra on a Macbook Pro (running El Capitan) and used it to install the OS on an external hard drive (note: I also tried, unsuccessfully to create a USB installer and boot into that; it didn’t work, and after a couple attempts I realised I could just install it directly using the update from the app store…whoops).
Interestingly, once the installation had completed I had a look at the file system and it had formatted my external drive as HFS+. I would have thought that it would have created the partitions through the installer app on my MBP and then formatted the OS partition with APFS. Apparently, this was because I used a hard drive rather than a solid state drive. If you install onto an SSD then it will automatically convert the filesystem to APFS. Although it may only work for internal SSD’s, and all external drives may be formatted with HFS+ (If someone wants to test this let me know and I’ll update the post).
Anyways! As expected, the HFS+ volumes were viewable in currently available tools.
Then, after reviewing Apple’s documentation, I converted the first two volumes (meant to only do the second, but a mistype meant I converted two out of three) of my High Sierra installation.
This won’t work if you’re currently booted off that volume, so I rebooted into the recovery media and loaded up the Terminal app.
The command was:
diskutil apfs convert /dev/disk2s1
Then I took a look at the drive in a few of the tools that I had available:
The Windows based tools couldn’t read the file system as expected.
From there I loaded up Blacklight on the Mac, and tried to add both my High Sierra installation, as well as a 100mb APFS disk image. Interestingly, both showed up in the ‘Add Evidence’ window as two separate disks each but I was unable to add either of them to my test case.
Outside of forensic tools, I was able to add the DMG extension to my DD image and then add that as a drive on OS X; so there’s at least that to allow examiners to manually review files in an image. I still wasn’t able to get that working in Blacklight though (may be user error, or it may be support – Blackbag have indicated that the next update is due out early November).
I was adding the drive that I’d imaged back to itself (imaged Mac, then booted Mac to review the image), so that may have caused me to skip a few steps with regards to FileVault2. Will have to try another test case tomorrow.
I updated Recon Imager to v1.02 and apparently, v1.03 should be released shortly. That let me boot and image my MacBook Pro. Similarly, the current version of Macquisition allowed me to boot and image the drive. They both detected the partitions, although interestingly you’ll see additional disks that “aren’t there”. All that’s connected to the machine is the internal SSD and the imaging tool’s USB. Disk 0 and disk1 appear to be my APFS SSD.
I don’t think there’s a way of performing a logical acquisition on APFS with either tool at the moment, so it looks like you’ll have to take a physical image and then examine it later when examination tools have better support if you’re using the commercial suites I played with. As a guess, to add support with one of the OS X acquisition tools the developers would need to update the OS to OS X High Sierra; so if anyone want’s to write instructions for creating a portable OS X instance with disk arbitration/read-only mounting and a method for creating an APFS disk image and copying files and folders with their attributes that would be great…
Apple indicates that it plans to open source the file system, but as of this posting, this hasn’t happened.
And don’t forget to watch the presentation by Steve Whalen at Sumuri on his research into APFS: September 27, 10:30 Pacific.
I found that adding DMG to the end didn’t always work, but you can use a combination of hdiutil and diskutil to mount the filesystem.
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount image.001
This will mount the drive as diskX and disk(X+1) – say disk4 and disk5
There are four volumes on the second disk, one of which has the OS install.
diskUtil apfs unlockVolume /dev/disk5s1 -passphrase password
I haven’t tested if I can add this to a forensic tool but at the very least, as long as you have the password, you can mount the image on High Sierra and then go through it.
I’ve created two APFS disk images and uploaded them here:
Encrypted (password: encrypted)
All I did was open disk utility, create a new disk image, and then APFS volume. They only have the one volume (rather than the few you would expect from a regular OSX High Sierra install).
I created 5 text files on each. I then deleted one (called deleted.txt) by putting it in the trash and clearing it, and then put another file (called trash.txt) in the trash. This should leave 3 text files on the root.