Design and Implementation of APFS Object Identification Tool for Digital Forensics

Since High Sierra, APFS has been used as the main file system. It is a well-established file system that has been used stably thus far. From the perspective of digital forensics, there are still many areas to be investigated. Apple File System Reference is provided to the apple developer site, but it is not satisfactory to fully analyze APFS. Researchers know more about the structure of APFS than before, but they have not yet fully analyzed its structure to a perfect level about it. In this paper, we develop APFS object identification tool for digital forensics. The most basic and essential object identification and analysis of the APFS filesystem will be conducted with the tool. The analysis in this study serves as the background for an analysis of the checkpoint operation principle and structure, including the more complex B-tree structure of APFS. There are several options for the developed tool, but the results of two use cases will be shown here. Based on the implemented tool, it is hoped that more functions will be added to make APFS a useful tool for faster and more accurate analyses.