File systems have always played a vital role in digital forensics and during the past 30-40 years lots of them have been developed to suit different needs. Some file systems are more tightly connected to a specific Operating System (OS). For instance HFS and HFS+ have been the file systems of choice in Apple devices for over 30 years.
On June 5, 2017 Apple announced the Mac OS High Sierra operating system with the new Apple File System or ApFS, which will be used by default on all new Macs with MacOS High Sierra, and will be used in new versions of IOS, WatchOS, and TvOS. The final version of ApFS was released in 2018.
ApFS is not an extension of HFS+. From HFS+ we are familiar with special files such as the catalog file, attributes file, allocation file and extents overflow file. These files do not exist any more nor does the journal exist. ApFS uses a different strategy to secure changes in the file system.
Why was it necessary to update the file system?
All modern Macs use the HFS+ file system, introduced in Mac OS 8.1 in 1998. In turn HFS+ is based on the HFS-system which is more than 30 years old!
In those days file systems were designed for floppy and hard drives. File sizes were in kilobytes and megabytes. Today SSDs on flash memory are used and the hard drives' volume is calculated in terabytes.
Requirements are also changing… The ZFS file system introduced by Sun Microsystems in 2005 is still considered quite modern. Below is a partial list of its features that are not available in HFS+:
- Checksums and error correction. If a failure occurs at the physical level, the file system notices and corrects this
- File system snapshots
- Accurate data on file creation / modification time. In HFS+, dates are tracked to the second although current computers can perform thousands of data operations per second
- Support for sparse-files. Image files of a fixed size will occupy on disk not all the space allocated for them but as much as there is actual data
- Date support after February 6, 2040. The fact is that in HFS+ data on the time the file was created is stored in the form of seconds that have passed since January 1, 1904. 1904 was chosen because it is the first leap year of the 20th century. For storage a variable of the unsigned int type is used the maximum value of which is 4294967295, the seconds between January 1, 1904 and February 6, 2040.
The implementation of hard links in HFS+ deserves a special mention
For classic MacOS hard links were not required. Support for hard links has been added in MacOS X based on the Unix system. And Unix requires hard links to work. But in order for users to be able to use both MacOS 9 and MacOS X on the same computer, Apple came up with its own mechanism: to create a hard link moves the original file to the hidden directory HFS+ Private Data and replaces the original with a hard link. Unfortunately such an implementation can lead to data loss.
The creator of the Linux kernel Linus Torvalds called HFS+ "probably the worst file-system ever… The true horrors of HFS+ are not in how it’s not a great filesystem, but in how it’s actively designed to be a bad filesystem by people who thought they had good ideas."
If these are obvious things why was the solution invented just now?
Apple has long known that HFS+ does not meet modern requirements so back in the days of MacOS X Leopard work was underway to implement the ZFS file system. ZFS was originally developed by Sun Microsystems which was made for their own Solaris operating system. Today ZFS is a trademark of Oracle Corporation.
MacOS X is a Unix system like Solaris. Around 2005-2006, some Solaris solutions were ported to MacOS X. The ZFS file system itself was partially ported.
But for some unknown reason full-fledged ZFS support was not implemented on Mac OS X. According to rumors the appearance of ZFS in Mac OS X was announced not by Steve Jobs but by the head of Sun Microsystems Jonathan Schwartz, and this despite the fact that by the time of release it remained only to add support for writing to disks formatted in ZFS. Apple later released the source code for implementing ZFS on Mac OS X which allowed enthusiasts to build a more complete version of the file system.
One way or another we didn’t receive Apple’s ZFS, although a third-party open source implementation of ZFS is now available, allowing you to use all the achievements of recent years of development. Its disadvantages include the fact that the operating system cannot be installed on a ZFS volume as well as slow read/write speed and high RAM requirements.