Recovery Methodologies

ApFS offers the ability to recover certain states of the file system including old or deleted versions of files. The container superblock contains a reference to the checkpoint structure. The checkpoint references the preceding container superblock, which contains information in an older state of the file system. In this way multiple older states can be recovered by parsing this chain of container superblocks.

ApFS is a copy-on-write file system and thus each block is copied before changes are applied. Therefore, a history of all files which were not overwritten and according file system structures exist. This results in a high number of artifacts that can be utilized in forensic file recovery.

From those artifacts, we identified three different approaches for file recovery that rely on different artifacts as entry points, which we present in this section: The signature-based file system metadata carving methods “NXSB carving” and “APSB carving”, as well as the heuristic file system metadata carving method “node carving”. All methods iterate the file system in blocks of 4096 bytes, which is the smallest block size observed in ApFS. Those blocks are checked for metadata structures which in turn are parsed and used to extract files.

Carving

Carving is a method to recover data content that remains in unallocated space of the file system. Traditionally we have been familiar with the disk architectures where each volume remains in a separate partition. These volumes are unaware of other volumes. In ApFS the structure is different in that the ApFS container could be divided into one or more volumes. Each volume has blocks available from a pool organized by the container bitmap. This means there are no boundaries on block level and a single block does not exclusively belongs to a given volume before it is allocated. If a file is erased on volume A the blocks are released and available for new data. These blocks could likely be used by volume B or C later. In a carving scenario in HFS+ the carved object could at least be connected to a volume but in ApFS this would be impossible to state.

NXSB carving

APSB carving

Node carving

1.      Iterate file system in blocks of 4096 byte1

2.      Check whether bytes 32 to 36 equal ‘NXSB’

3.      Verify checksum to eliminates false positives

4.      Parse identified container superblock & descent into all structures inside this container

1.      Iterate file system in blocks of 4096 byte1

2.      Check whether bytes 32 to 36 equal ‘APSB’

3.      Verify checksum to eliminates false positives

4.      Parse identified volume superblock & descent into all structures inside this volume

1.      Iterate file system in blocks of 4096 byte1

2.      Check whether bytes 24 to 26 (object type) equal ‘0x2’ or ‘0x3’

3.      Check if bytes 28 to 30 (subtype) equal ‘0xe’ (file subtype)

4.      Verify checksum to eliminates false positives

5.      Parse file node

 

< Previous | Content | Next >