A File/Directory Reconstruction Method of APFS Filesystem for Digital Forensics

  • Cho, Gyu-Sang (Dept. of Computer&Software, Dongyang University) ;
  • Lim, Sooyeon (Dept. of Fine Arts, Kyungpook National University)
  • Received : 2022.05.10
  • Accepted : 2022.05.15
  • Published : 2022.08.31

Abstract

In this paper we propose a method for reconstructing the file system of an APFS volume so that digital forensic information can still be obtained when the metadata describing the file system's structure has been destroyed by partial damage to the disk. The method rebuilds the tree structure of the file system solely from the B-tree nodes in which file and directory records are stored. It does not locate those nodes through structural information such as the Container Superblock (NXSB), the Volume Superblock (APSB), or the pointers that lead from a B-tree root down to its leaves, since that information may be the very part of the disk that is damaged. Instead, every block of the disk is traversed to find the scattered B-tree leaf nodes, and all file-system information they contain is collected. Because copy-on-write leaves several versions of the same node on disk, the collected records contain duplicates; these are removed, and the file/directory tree is reconstructed from the refined essential data. We demonstrate the validity of the proposed method by applying it to volumes populated with large numbers of user files and directories.
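The scan-and-rebuild approach the abstract describes, as an added worked example by the editor (this is not the authors' tool and not code from the paper): every block of an image is tested for the APFS object header and checksum of a file-system B-tree leaf node, the inode and directory records inside each node are pulled out, duplicate records left by copy-on-write are resolved in favour of the newest transaction id, and paths are rebuilt by following directory records up to the root inode. It assumes the 4096-byte default block size, hashed directory-record keys (the macOS default), and the on-disk layouts of obj_phys_t, btree_node_phys_t, kvloc_t, j_inode_val_t and j_drec_hashed_key_t from the Apple File System Reference. The image it scans is constructed in-process with the builder functions at the bottom; the inode numbers, names and transaction ids in it are made up.

```python
import struct
BLOCK = 4096                                   # APFS default; read nx_block_size from NXSB when it survives
OBJ_BTREE, OBJ_BTREE_NODE, OBJ_FSTREE = 0x2, 0x3, 0xE   # o_type low 16 bits (root/non-root node); fs-tree o_subtype
BTNODE_ROOT, BTNODE_LEAF, BTNODE_FIXED_KV = 1, 2, 4
T_INODE, T_DIR_REC = 3, 9                      # j_key_t record type, bits 60..63 of obj_id_and_type
ROOT_INO = 2                                   # inode number of a volume's root directory

def fletcher64(buf):
    """APFS Fletcher-64 variant over a block minus its leading 8-byte o_cksum field."""
    m, s1, s2 = 0xFFFFFFFF, 0, 0
    for (w,) in struct.iter_unpack('<I', buf):
        s1 = (s1 + w) % m
        s2 = (s2 + s1) % m
    c1 = m - (s1 + s2) % m
    c2 = m - (s1 + c1) % m
    return c1 | (c2 << 32)

def parse_leaf(block):
    """Return (xid, [(key, value), ...]) when block is a valid fs-tree leaf node, else None."""
    cksum, _oid, xid, otype, subtype = struct.unpack_from('<QQQII', block, 0)
    if ((otype & 0xFFFF) not in (OBJ_BTREE, OBJ_BTREE_NODE) or subtype != OBJ_FSTREE
            or cksum != fletcher64(block[8:])):  # wrong object type, or a torn/corrupted block
        return None
    flags, level, nkeys, ts_off, ts_len = struct.unpack_from('<HHIHH', block, 32)
    if not (flags & BTNODE_LEAF) or level != 0 or flags & BTNODE_FIXED_KV:
        return None                              # fs-tree leaves use variable-size keys (kvloc_t)
    toc = 56 + ts_off                            # btn_data + btn_table_space.off
    keys = toc + ts_len                          # key area starts right after the table of contents
    vend = BLOCK - 40 if flags & BTNODE_ROOT else BLOCK   # a root node ends with btree_info_t
    recs = []
    for koff, klen, voff, vlen in struct.iter_unpack('<HHHH', block[toc:toc + 8 * nkeys]):
        recs.append((block[keys + koff:keys + koff + klen], block[vend - voff:vend - voff + vlen]))
    return xid, recs

def decode(key, val):
    """Map raw key/value bytes to (logical record key, payload); None for record types not needed here."""
    oid_type, = struct.unpack_from('<Q', key)
    oid, rtype = oid_type & 0x0FFFFFFFFFFFFFFF, oid_type >> 60
    if rtype == T_INODE:                         # j_inode_val_t begins with parent_id
        return ('inode', oid), struct.unpack_from('<Q', val)[0]
    if rtype == T_DIR_REC:                       # j_drec_hashed_key_t: assumes a hashed (normalization-insensitive) volume
        nlh, = struct.unpack_from('<I', key, 8)  # low 10 bits: name length including the NUL
        name = key[12:12 + (nlh & 0x3FF) - 1].decode('utf-8', 'replace')
        return ('drec', oid, name), struct.unpack_from('<Q', val)[0]   # j_drec_val_t.file_id
    return None

def carve(image):
    """Scan every block of the image; per logical record keep the copy from the newest transaction."""
    newest = {}
    for off in range(0, len(image) - BLOCK + 1, BLOCK):
        node = parse_leaf(image[off:off + BLOCK])
        for k, v in (node[1] if node else []):
            d = decode(k, v)
            if d and (d[0] not in newest or newest[d[0]][0] < node[0]):
                newest[d[0]] = (node[0], d[1])
    return newest

def rebuild_paths(newest):
    """Resolve each recovered inode to a path by following directory records up to ROOT_INO."""
    link = {}                                    # child inode -> (xid, parent inode, name)
    for key, (xid, child) in newest.items():
        if key[0] == 'drec' and (child not in link or link[child][0] < xid):
            link[child] = (xid, key[1], key[2])  # newest name wins, so a rename is not two files
    paths = {}
    for key in (k for k in newest if k[0] == 'inode'):
        cur, parts = key[1], []
        while cur != ROOT_INO and cur in link and len(parts) < 1024:   # depth bound guards cycles
            _, cur, name = link[cur]             # step to the parent directory
            parts.append(name)
        paths[key[1]] = ('' if cur == ROOT_INO else '<unlinked>') + '/' + '/'.join(reversed(parts))
    return paths

def build_leaf(oid, xid, records, root=False):   # constructed test data in the layout parse_leaf reads
    toc, karea, vals = b'', b'', b''
    for k, v in records:
        vals = v + vals                          # the value area is filled from the node's end backwards
        toc += struct.pack('<HHHH', len(karea), len(k), len(vals), len(v))
        karea += k
    node = bytearray(BLOCK)
    struct.pack_into('<QQII', node, 8, oid, xid, OBJ_BTREE if root else OBJ_BTREE_NODE, OBJ_FSTREE)
    struct.pack_into('<HHIHH', node, 32, BTNODE_LEAF | (BTNODE_ROOT if root else 0), 0, len(records), 0, len(toc))
    node[56:56 + len(toc) + len(karea)] = toc + karea
    vend = BLOCK - 40 if root else BLOCK
    node[vend - len(vals):vend] = vals
    struct.pack_into('<Q', node, 0, fletcher64(bytes(node[8:])))
    return bytes(node)

def inode_rec(ino, parent):                      # j_inode_key_t / j_inode_val_t (92-byte fixed part, rest zero)
    return struct.pack('<Q', (T_INODE << 60) | ino), struct.pack('<Q', parent) + bytes(84)

def drec_rec(parent, name, child):               # j_drec_hashed_key_t (hash bits left 0) / j_drec_val_t
    n = name.encode() + b'\0'
    return struct.pack('<QI', (T_DIR_REC << 60) | parent, len(n)) + n, struct.pack('<QQH', child, 0, 0)

def demo_image():                                # constructed: one leaf in two transactions among junk blocks
    old = build_leaf(0x401, 10, [inode_rec(16, 2), drec_rec(2, 'Users', 16), inode_rec(17, 16),
                                 drec_rec(16, 'old.txt', 17), inode_rec(19, 16), drec_rec(16, 'deleted.txt', 19)])
    new = build_leaf(0x401, 11, [inode_rec(2, 1), inode_rec(16, 2), drec_rec(2, 'Users', 16), inode_rec(17, 16),
                                 drec_rec(16, 'notes.txt', 17), inode_rec(18, 99), drec_rec(99, 'lost', 18)], root=True)
    return bytes(BLOCK) + old + b'A' * BLOCK + new + bytes(BLOCK)
```

Running `rebuild_paths(carve(demo_image()))` yields `/`, `/Users`, `/Users/notes.txt` (the xid 11 rename beats the stale `old.txt` record), `/Users/deleted.txt` (recovered only from the superseded xid 10 copy, which is the forensic value of scanning instead of walking the live tree) and `<unlinked>/lost` (its parent directory's record was never found). Three caveats for real images: on a FileVault-encrypted volume the fs-tree blocks are encrypted, so the header check fails until the blocks are decrypted with the volume key; a container with several volumes produces overlapping inode numbers that this scan alone cannot attribute to a volume; and a case-sensitive volume stores directory records with the unhashed j_drec_key_t (a 16-bit name length after the header), which `decode` would have to branch on.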
