Feel free to fork it. If you have an active fork and you want to be linked here you can contact me.
afro can parse APFS volumes. It can also recover deleted files from APFS that other tools do not find.
git clone https://github.com/cugu/afro
cd afro
python3 setup.py install
afro needs to know where the APFS container starts inside the image. You can find the start sector with mmls from The Sleuth Kit:
mmls test/wsdf.dmg
This results in:
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot      Start        End          Length       Description
000: Meta      0000000000   0000000000   0000000001   Safety Table
001: -------   0000000000   0000000039   0000000040   Unallocated
002: Meta      0000000001   0000000001   0000000001   GPT Header
003: Meta      0000000002   0000000033   0000000032   Partition Table
004: 000       0000000040   0000195319   0000195280   disk image
005: -------   0000195320   0000195352   0000000033   Unallocated
Look for the APFS partition in this list. In the example above, entry 004 is the APFS partition and it starts at sector 40, so -o 40 has to be passed to the following commands. The Sleuth Kit does not recognize APFS, which is why the description only reads "disk image".
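Picking the right entry by hand is error-prone when an image holds several unrecognized partitions. The script below is an added example (not part of afro) that parses the mmls listing shown above, drops the Meta and unallocated rows, and confirms a candidate by checking for the container superblock magic 'NXSB' at byte 32 of the partition's first block (the first 32 bytes are the object header: checksum, oid, xid, type, subtype). The image bytes and the mmls text are constructed here; the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the mmls listing from this README.
MMLS_OUTPUT = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot      Start        End          Length       Description
000: Meta      0000000000   0000000000   0000000001   Safety Table
001: -------   0000000000   0000000039   0000000040   Unallocated
002: Meta      0000000001   0000000001   0000000001   GPT Header
003: Meta      0000000002   0000000033   0000000032   Partition Table
004: 000       0000000040   0000195319   0000195280   disk image
005: -------   0000195320   0000195352   0000000033   Unallocated
"""

# APFS container superblock: a 32-byte object header (checksum, oid, xid,
# type, subtype) followed by the four-byte magic 'NXSB'.
NX_MAGIC = b"NXSB"
NX_MAGIC_OFFSET = 32


@dataclass
class Partition:
    index: int
    slot: str
    start: int       # first sector
    end: int         # last sector
    length: int      # sectors
    description: str


ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text):
    """Return (sector_size, [Partition, ...]) from mmls text output."""
    sector_size = 512
    parts = []
    for line in text.splitlines():
        m = UNITS_RE.search(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            parts.append(Partition(int(m.group(1)), m.group(2), int(m.group(3)),
                                   int(m.group(4)), int(m.group(5)), m.group(6)))
    return sector_size, parts


def apfs_candidates(parts):
    """Real partition slots only: GPT metadata and unallocated gaps cannot hold a container."""
    return [p for p in parts if p.slot not in ("Meta", "-------")]


def find_apfs_offset(image, sector_size, parts):
    """Sector offset (the value afro -o expects) of the first candidate whose
    first block carries the NXSB magic, or None if no candidate does."""
    for p in apfs_candidates(parts):
        base = p.start * sector_size
        if image[base + NX_MAGIC_OFFSET:base + NX_MAGIC_OFFSET + 4] == NX_MAGIC:
            return p.start
    return None


def build_constructed_image(sector_size, start_sector):
    """Constructed stand-in for a disk image: zeros with an NXSB magic placed
    where a container starting at start_sector would have it."""
    img = bytearray((start_sector + 1) * sector_size)
    base = start_sector * sector_size
    img[base + NX_MAGIC_OFFSET:base + NX_MAGIC_OFFSET + 4] = NX_MAGIC
    return img


def afro_command(image_path, offset, export="files"):
    """argv for the afro invocation used later in this README."""
    return ["afro", "-o", str(offset), "-e", export, image_path]


if __name__ == "__main__":
    sector_size, parts = parse_mmls(MMLS_OUTPUT)
    image = build_constructed_image(sector_size, 40)
    offset = find_apfs_offset(image, sector_size, parts)
    print("APFS container starts at sector", offset)
    print(" ".join(afro_command("test/wsdf.dmg", offset)))
```

On a real image, replace the constructed bytes with the file opened in binary mode and read only the few bytes at each candidate's base instead of loading the whole image. If no candidate carries the magic, the container may sit at a non-GPT offset (raw container images start at sector 0), so check sector 0 as well before giving up.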
All files of an apfs image can be extracted using the following command:
afro -o 40 -e files test/wsdf.dmg
The exported files are saved in a folder named after the image with the suffix '.extracted'. Because an APFS container can hold multiple volumes, each volume is extracted into its own folder inside the '.extracted' folder. Each volume can contain multiple versions of the file system, which are stored in separate numbered folders. Inside each version folder there are two folders, 'private-dir' and 'root'. They are not visible to the user but exist on every APFS file system.
Example:
wsdf.dmg.carve_apsb.extracted
├─ wsdf                 <- First volume
│  ├─ 5                 <- First version
│  │  ├─ private-dir
│  │  └─ root           <- Root directory
│  │     ├─ folder
│  │     │  └─ foo.txt
│  │     └─ bar.txt
│  └─ 6                 <- Second version
│     └─ …
└─ my_volume_name       <- Second volume
   └─ …
To get an overview over the files a body file can be created:
afro -o 40 -e bodyfile test/wsdf.dmg
More information on the body file format can be found in The Sleuth Kit wiki. The body file can be further investigated using mactime and Timeline Explorer.
- Forensic APFS File Recovery: Paper where AFRO is presented.
- Apple File System Reference: Official, but incomplete APFS specification.
- Decoding the APFS file system: Paper by Kurt H. Hansen and Fergus Toolan in Digital Investigation. Published: 2017-09-22.
- Apple File System Guide: Official documentation on APFS. Lacks lots of information on APFS. Last update: 2017-09-21.
- APFS filesystem format: Deprecated blog post by myself. Still contains some useful diagrams. Last update: 2017-04-30.
- Information about the checksum calculation can be found in checksum.md.
Pull requests and issues are welcome!
The afro software is licensed under GPLv3. The ksy file (libapfs/apfs.ksy) is licensed under the MIT license.