http://dx.doi.org/10.7236/IJIBC.2022.14.3.8

A File/Directory Reconstruction Method of APFS Filesystem for Digital Forensics  

Cho, Gyu-Sang (Dept. of Computer&Software, Dongyang University)
Lim, Sooyeon (Dept. of Fine Arts, Kyungpook National University)
Publication Information
International Journal of Internet, Broadcasting and Communication / v.14, no.3, 2022, pp. 8-16
Abstract
In this paper, we propose a method of reconstructing the file system to obtain digital forensic information from an APFS file system when the metadata that describes the structure of the file system has been deleted due to partial damage to the disk. The method reconstructs the tree structure of the file system by retrieving only the B-tree nodes in which file/directory information is stored. It does not construct nodes from structural information such as the Container Superblock (NXSB), the Volume Checkpoint Superblock (APSB), or B-tree root and leaf node information. Instead, the entire set of disk clusters is traversed to find scattered B-tree leaf nodes and to gather all the file system information they hold. The file/directory tree structure is then reconstructed from the refined essential data that remains after duplicate data is removed. We demonstrate that the proposed method is valid through the results of applying it after generating a number of user files and directories.
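The cluster sweep described in the abstract can be sketched as follows; this is an added example, not code from the paper. It assumes a 4096-byte block size, the `obj_phys_t` and `btree_node_phys_t` header layout from the Apple File System Reference, and that duplicates are resolved by keeping the highest transaction id (xid) per object id, which is an assumption and not necessarily the paper's rule. The function names and the sample image are constructed for illustration.

```python
import struct

BLOCK = 4096                                   # assumed block (cluster) size
OBJECT_TYPE_MASK = 0x0000FFFF                  # low 16 bits of o_type hold the type
OBJECT_TYPE_BTREE, OBJECT_TYPE_BTREE_NODE = 0x2, 0x3
OBJECT_TYPE_FSTREE = 0xE                       # o_subtype of file-system tree nodes
BTNODE_LEAF = 0x0002
# obj_phys_t: o_cksum, o_oid, o_xid, o_type, o_subtype; then btn_flags, btn_level, btn_nkeys
HDR = struct.Struct("<8sQQIIHHI")

def carve_leaf_nodes(image):
    """Sweep every block; return {oid: (xid, block_no, nkeys)} for FS-tree leaf nodes."""
    latest = {}
    for off in range(0, len(image) - BLOCK + 1, BLOCK):
        _ck, oid, xid, otype, subtype, flags, level, nkeys = HDR.unpack_from(image, off)
        if (otype & OBJECT_TYPE_MASK) not in (OBJECT_TYPE_BTREE, OBJECT_TYPE_BTREE_NODE):
            continue                           # not a B-tree node (or a wiped block)
        if subtype != OBJECT_TYPE_FSTREE or not flags & BTNODE_LEAF or level != 0:
            continue                           # other tree, or an index (non-leaf) node
        # Copy-on-write leaves stale copies of a node on disk. Assumed dedup rule:
        # keep the copy with the highest xid for each oid.
        if oid not in latest or xid > latest[oid][0]:
            latest[oid] = (xid, off // BLOCK, nkeys)
    return latest

def make_block(otype, subtype, oid, xid, flags, level=0, nkeys=0):
    """Constructed test block: valid header fields, zeroed checksum and body."""
    hdr = HDR.pack(b"\0" * 8, oid, xid, otype, subtype, flags, level, nkeys)
    return hdr + b"\0" * (BLOCK - HDR.size)

def sample_image():
    """Constructed 6-block image with no superblocks, as after partial disk damage."""
    return b"".join([
        b"\0" * BLOCK,                                          # 0: wiped block
        make_block(0x3, 0xE, 0x500, 10, 0x2, nkeys=7),          # 1: FS leaf, stale copy
        make_block(0x40000003, 0xB, 0x600, 11, 0x2, nkeys=3),   # 2: object-map leaf
        make_block(0x3, 0xE, 0x500, 12, 0x2, nkeys=9),          # 3: FS leaf, newer copy
        make_block(0x2, 0xE, 0x404, 12, 0x1, level=1, nkeys=2), # 4: FS root, not a leaf
        make_block(0x2, 0xE, 0x410, 12, 0x3, nkeys=4),          # 5: root that is also a leaf
    ])

if __name__ == "__main__":
    for oid, (xid, blk, nkeys) in sorted(carve_leaf_nodes(sample_image()).items()):
        print(f"oid={oid:#x} xid={xid} block={blk} nkeys={nkeys}")
```

A carver used on real evidence would also validate each candidate block's stored checksum before trusting its header, since header fields alone can match by chance in file content.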
Keywords
Digital Forensics; File/Directory Tree Reconstruction; B-tree; Object Type Record; APFS Filesystem; macOS;