Product Features
Magnet AXIOM 3.4

APFS Performance Improvements with Magnet AXIOM 3.4

One of the improvements made in the recent 3.4 release of Magnet AXIOM includes significant enhancements to APFS processing times allowing investigators to get access to their data as quickly as possible. In this blog, we’ll showcase some real examples of those improvements.

Since AXIOM 3.0 was released earlier this spring, we’ve continued expanding our macOS artifacts, which now also includes Free Queue carving, search capabilities of unallocated space, as well as the parsing of Spotlight metadata of files located on the system.

If you haven’t upgraded to AXIOM 3.4 yet, you can get it as an update within AXIOM or as a download from our Customer Portal. By updating to AXIOM 3.4, you can utilize these new Mac performance enhancements as well as new Officer Wellness features (watch this video or our recent webinar, Addressing The Challenges of ICAC Investigations to learn more on the Officer Wellness features found in AXIOM 3.4.)

Mac Performance Enhancements

Before we get to the results of the testing, let’s first review the parameters of the test.

For these trials, we’ve run AXIOM before and after the 3.4 release on the same MacBook Air Image on two different machines. The MacBook Air housed an APFS formatted 256GB drive, and Recon Imager Pro was used to create the .E01 measuring 69GB in size.  

The MacBook Air housed an APFS formatted 256GB drive, and Recon Imager Pro was used to create the .E01 measuring 69GB in size.  

The image contains four APFS volumes listed below:

  • Volume 1: MacHD: 104.69GB
  • Volume 2: Preboot: 43.61MB
  • Volume 3: Recovery: 498.51MB
  • Volume 4: VM: 2GB

It’s also worth noting for APFS investigations, examiners will typically see four volumes with Preboot, Recovery, and VM. The “MacHD” in this case was renamed from “MacintoshHD”. If investigators see additional APFS volumes present, it’s recommended they be imaged and reviewed as part of the investigation due to the ease in which a user can create additional APFS volumes using the macOS’s built in Disk Utility application.

The hardware used for testing the new enhancements included both an i9 processor powered machine as well as an i7 machine (specs below).

Dell XPS 15 2018 MacBook Pro 
i9-8950HK CPU @ 2.90GHz 6 Cores / 12 Logical Processors 
32GB RAM 
Windows 10 Pro 		i7-8850H @ 2.60 GHz 6 Cores / 12 Logical Processors 
16GB RAM 
Bootcamp-Windows 10 Pro 
  • Both machines were connected via USB C & USB 3.1 to 2 external 1TB SSD’s (Samsung T5’s), one drive used for case files, the other for forensic images
  • Each Case file created for these tests were approximately 23.6GB

The Results

Utilizing the boot-camped MacBook Pro (i7) and AXIOM 3.2.1, we initiated our first test processing only the MacHD volume, with all artifacts selected, as well as MD5 hashing turned on. Once complete, we had over 970,000 artifacts to review, but processing of the one APFS volume took 23 hours, 38 minutes, and 29 seconds. Our second test with the i7 powered MacBook Pro and the newly released AXIOM 3.4 took only 8 hours, 49 minutes, 15 seconds, resulting in a 62.69% decrease in processing time!

As seen below, the CPU was being used to its full potential while AXIOM 3.2.1 was processing the image file.

The next contender, an i9 powered Dell XPS15 coupled with AXIOM 3.3.1 completed processing of all four volumes listed above with all artifacts turned on, and MD5 hashing selected in 12 hours, 14 minutes, and 18 seconds. After a quick AXIOM update to 3.4 the test was repeated utilizing the same standards as the rest of the trials, with processing time cut to 5 hours, 24 minutes, and 28 seconds. The Dell XPS processing time was reduced by a staggering 55.81% after updating to AXIOM 3.4.

Evidence of how hard our developers have been working to improve performance for our customers can be seen below with a staggering decrease of processing time ranging from 55% to 62% between the two test machines. Also, keep in mind the AXIOM 3.4 builds included additional processing with the addition of the Spotlight metadata being parsed as well as searching across unallocated space on the volumes.

In an upcoming blog, we’ll explore what information can be gleaned from both Extended Attributes and Spotlight metadata found on macOS systems.

If you have any questions, or have suggestions on new macOS artifacts that you’d like to see added to AXIOM, contact trey.amick@magnetforensics.com.

Related Resources

Blog

Blog

Griffeye products now a part of the Magnet Forensics product suite

Following the announcement that Griffeye would become part of Magnet Forensics, we are thrilled to announce that Griffeye is now fully integrated into the Magnet Forensics family. 

April 12, 2024 • About a 2 minute view
Blog

Blog

Magnet Axiom Cyber 7.10: AWS Sign-in improvements & animated maps

The latest release of Magnet AXIOM Cyber is here, and we’re excited to share new features for analysis and cloud acquisitions.

February 29, 2024 • About a 2 minute view
Blog

Blog

Reviewing email evidence with Email Explorer in Magnet Axiom and Axiom Cyber

With the continued prominence of email in corporate settings, we’re thrilled to unveil a highly anticipated feature to AXIOM Cyber: Email Explorer.

February 29, 2024 • About a 4 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top