By David Swinden, Digital Forensics Specialist, 7Safe
The 13th June 2016 saw the 27th Apple World Wide Developer Conference (WWDC). As expected there were a multitude of new feature announcements to the Apple offerings of iOS, tvOS, watchOS and the newly renamed macOS.
What the keynote address failed to mention was the introduction of a new file system set to replace Apples HFS+. HFS+ has been the default file system since its introduction in 1998 and has always had a number of limitations, being described by Linus Torvaldis, creator of the Linux operating system, as the ‘worst file system ever’.
APFS is still very much in development and there are caveats to trialling it that suggest we are some time off from its full implementation as the default macOS file system. Currently the only way to play with APFS is to create a container via the command line disk utility in macOS Sierra; you cannot install the OS to it and it does not support FileVault2 or Time Machine.
So let’s take a look at some of the new features as documented by Apple before I get a copy of Sierra and have a play…
- Optimised for SSD storage technologies – HFS+ volume header anyone…?
- Native full disk encryption without the need of an additional layer (FileVault)
- Nano-second granularity in timestamps allowing far more atomicity in transactions. HFS+ stores dates and times to the second meaning far less accuracy than what modern databases and transactions require for integrity. For a file system this means more efficient and accurate logging of operations for rollback and recovery.
- Space sharing - Multiple file systems to share the same underlying free space on a physical volume. From a user perspective this night and day convenience opposed to the rigid disk structuring of old. So for example an APFS container with a capacity of 100GB contains Volume A of 10GB, Volume B of 20GB but the free space for each volume is 70GB. Similar in principle to thin provisioning in virtual environments.
- Quicker and more efficient directory information recall
- Snapshots - For anyone who has been on the 7Safe CMFS course, hard links are an ‘interesting’ topic that add a level of complication to investigations. A snap-shot, read-only instance of the file system that can be created without the use of hard links is a huge improvement and will make backups function (and likely be stored) in a similar way to Microsoft’s Volume Shadow Copies.
- Clones – These differ from snapshots as they are editable and are an instant clone of a file or directory storing changes made between it and the original. This should further enhance the revisions and auto-save functionality introduced with Apples Modern Document Model in OS X Lion.
So how will this impact us as forensic examiners? We have a whole new file system to deconstruct and play with! Big implications are the (likely default) native full disk encryption, the introduction of a new backup and revision technology, thin partitioned disks and how this will be interpreted on any platform other than a Mac.
These are just the initial highlights given to us by Apple so stay tuned for a more hands-on discussion once we have had a play.