Liberated from https://www.researchgate.net/publication/319573636; retrieved from https://github.com/darlinghq/darling-dmg/files/1741393/DIIN_698_Revisedproof.pdf on December 26th, 2018.
Abstract:
File systems have always played a vital role in digital forensics and during the past 30–40 years many of
these have been developed to suit different needs. Some file systems are more tightly connected to a
specific Operating System (OS). For instance HFS and HFS+ have been the file systems of choice in Apple
devices for over 30 years.
Much has happened in the evolution of storage technologies, the capacity and speed of devices has
increased and Solid State Drives (SSD) are replacing traditional drives. All of these present challenges for
file systems. APFS is a file system developed from first principles and will, in 2017, become the new file
system for Apple devices.
To date there is no available technical information about APFS and this is the motivation for this article.
Author(s): Kurt H. Hansen; Fergus Toolan
Series: Digital Investigation xxx (2017) 1–26
Edition: Article in press (copy via RG)
Publisher: Elsevier
Year: 2017
Language: English
Pages: 26
Background......Page 2
The APFS file system......Page 3
Snapshots......Page 5
APFS and digital forensic challenges......Page 7
Tables in APFS......Page 8
Table type 0......Page 11
Table type 2......Page 12
Table type 7......Page 13
The bitmap structure......Page 14
Bitmap Descriptor......Page 16
Bitmap record block (BMRB)......Page 17
Bitmap block (BMB)......Page 19
Catalog B-Tree structure......Page 21
Root node......Page 22
Leaf Nodes......Page 23
Extent blocks......Page 24
Appendix B. File name records......Page 25
Appendix C. Abbreviations used in the article......Page 26
References......Page 27
