This project is not maintained any more.

Feel free to fork it. If you have an active fork and you want to be linked here you can contact me.

afro can parse APFS volumes. It can also recover deleted files from APFS that other tools do not find.

git clone https://github.com/cugu/afro
cd afro
python3 setup.py install

AFRO needs to know the start of the APFS partition. The partition can be found out as described below.

AFRO needs to know the start of the APFS container, you can find the start of the APFS container using mmls from the sleuthkit.

mmls test/wsdf.dmg

This results in:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000195319   0000195280   disk image
005:  -------   0000195320   0000195352   0000000033   Unallocated

You have to search for the APFS partition in this list. In the example above 004 is the APFS partition which starts at offset 40. -o 40 needs to be included in the following commands. APFS is not recognized by the sleuth kit so the description is only disk image.

All files of an apfs image can be extracted using the following command:

afro -o 40 -e files test/wsdf.dmg

The exported files are saved in a folder named after the image with the suffix '.extracted'. Because APFS images can contain multiple volumes, each volume is extracted into a separate folder inside the '.extracted' folder. Each volume can contain multiple versions of the file system which are stored in separate numbered folders. Inside those folders two folders exists 'private-dir' and 'root'. Those folders are not visible to the user, but exist on every APFS file system.

Example:

wsdf.dmg.carve_apsb.extracted
├─ wsdf                  <- First volume
│  ├─ 5                  <- First version
│  │  ├─ private-dir
│  │  └─ root            <- Root directory
│  │     ├─ folder
│  │     │  └─ foo.txt
│  │     └─ bar.txt
│  └─ 6                  <- Second version
│     └─ …
└─ my_volume_name        <- Second volume
   └─ …

To get an overview over the files a body file can be created:

afro -o 40 -e bodyfile test/wsdf.dmg

More information on the body file format can be found in the sleuthkit wiki. The body file can be further investigated using mactime and Timeline Explorer.

• Forensic APFS File Recovery: Paper where AFRO is presented.
• Apple File System Reference: Official, but incomplete APFS specification.
• Decoding the APFS file system: Paper by Kurt H.Hansen and Fergus Toolan Fergus in Digital Investigation. Published: 2017-09-22.
• Apple File System Guide: Official documentation on APFS. Lacks lots of information on APFS. Last update: 2017-09-21.
• APFS filesystem format: Deprecated blog post by myself. Still contains some useful diagrams. Last update: 2017-04-30.
• Information about the checksum calculation can be found in checksum.md.

Pull requests and issues are welcome!

The afro software is licensed as GPLv3. The ksy file (libapfs/apfs.ksy) is licensed under MIT license.