The Apple File System (APFS) is the latest file system to come from Apple, Inc. for their family of Macintosh computers, as well as iPhone, iPad, Apple TV, and Apple Watch. It supersedes the aging Hierarchical File System Plus (HFS+), adding many significant new features found in other modern file systems such as ZFS or XFS, including Copy-on-Write (CoW), encryption, and cloning.
The purpose of this paper is to provide a high-level overview of some of the more prominent APFS features of interest to digital forensic examiners working with APFS-aware tools such as Magnet AXIOM. HFS+ is referenced where appropriate to illustrate the differences between the two file systems. To keep the exploration reasonably brief and focused on APFS, it is assumed the target audience has a fundamental understanding of HFS+ and its associated structures, such as the volume header, allocation file, and catalog file. Where APFS structures and functionality overlap or duplicate HFS+, explanations may include only common definitions where these are appropriate for clarity of discussion. Otherwise, it appears APFS has more in common with other UNIX-like file systems than it does with HFS.