07 - MacOS File Systems

#unix #Linux #filesystem

Class: CYBR-405

Notes:

Objectives

Describe Macintosh history and file structures
Describe Linux file
Use Linux forensics tools

Early days of MacOS

They started when IBM had a monopoly
Prof. went to K-mart and bought its first commodore to pirate and play games
In 1990
New Maccintouch for $28,000 (1990 dollars)
New apple laser printer for $5,000 (1990 dollars)
NEXT had a UNIX-based OS
When NEXT incorporated with Apple (as Steve Jobs cambe back to Apple) the UNIX-based OS came to Mac.
We are still using a variant of that today!

Understanding Mac Files Structures

Hierarchical File System (HFS) - Launched in 1985

Files stored in nested directories (folders)

Hierarchical File System (HFS+) - Launched in 1998

Introduced with Mac OS 8.1
also called MacOS Extended
Supports smaller file sizes on larger volumes, resulting in more efficient disk use

Apple File System (APFS) - Launched in 2017

Introduced in macOS High Sierra
Works on the concept of Containers and Volumes (like partitions).
When data is written to a device, metadata is also copied to help with crash protection

Why do you think they went from HFS to HFS+?

All of a sudden disks started getting larger and OSs couldn't handle it.

An Overview of Mac File Structures

In Mac, a file consists of two parts:
- Data fork and resource fork
Data fork typically contains data the user creates, such as text or spreadsheets
- Applications also read and write to the data fork
Resource fork contains additional information
- Such as menus and dialog boxes
- Identified as ._ filename, if copied to Windows
Resource forks are largely legacy
Still visible when copied to Windows as ._filename
Conceptually similar to NTFS alternate data streams

Notes:

If you find an old Mac in a case what are you going to do? CALL AN EXPERT
This is not how the new filesystem works on Macs anymore

Common Evidence Sources

Here are a few differences between Window and macOS file systems

Windows	Mac	Description
AppData	/Libraries	Directory where applications information is stored.
IWindows	/private/var/root	Directory where system information is stored
IUsers	/Users	Directory where user information is stored

Forensics Procedures 1

For forensics procedures in macOS:

You must know where file system components are located and how both files and file components are stored

Application settings are in three formats:

Plaintext, plist files, and the SQLite database
Plist files are preference files for installed applications on a system
- Kind of like registries on windows and uses SQL or SQLite databases

FileVault is used to encrypt and decrypt a user's directory

Like BitLocker on Windows -> an encryption mechanism

Forensics Procedures 2

Keychains

Files used to manage passwords for applications, Web sites, and other system files
The Mac application Keychain Access enables you to restore passwords
There is some evidence there you can try to find

Deleted files are in the Trashes folder

If a file is deleted at the command line, however, it doesn't show up in the trash

Where stored...

Plist files commonly stored in /Users/username/Library/Preferences
Keychains stored in ~/Library/Keychains
Safari history stored in SQLite databases

Forensics Procedures 3

Acquisition Methods in macOS
Make a forensic image of the drive
- Tools for working with a raw format image
  - BlackBag Technologies Macintosh Forensic Software
  - SubRosaSoft MacForensicsLab
  - Guidance Software EnCase
  - Sumari Recon Mac OS X Forensics
  - X-Ways Forensics
If all else fails...
- Mac's Time Machine Backup can be used to create a snapshot in time of logical files.

APFS (Modern Macs)

APFS Architecture Overview

APFS is designed for SSDs and modern storage devices
Introduced in macOS High Sierra
Replaces HFS+
Built around containers and dynamically sized volumes
Uses copy on write instead of overwriting data
Supports snapshots and cloning
Encryption native at the file system level

Notes:

They came out with this to enable Solid State Drives (SSDs)
You cannot back to an older filesystem after your files have touched APFS
The ZED filesystem on Linux does this:
- Makes a container and makes a container filesystem architecture
- Inside that container you have filesystems
- You could have different volumes, and these volumes are dynamic
- Copy on Write (Cow) instead of overwriting data.

APFS Containers and Dynamic Volumes

One physical disk contains an APFS container
The container holds multiple volumes
Volumes share a common free space pool
Volumes grow and shrink dynamically
No rigid partition boundaries between volumes
Common default volumes include System, Data, Preboot, and Recovery

In NTFS, partitions are rigid. In APFS, volumes flex. They all pull space from the same container pool.

Notes:

If you are using a volume and is not very big, there is going to be a lot of free disk space on the back of your container, that volume will shrink and deform to account for this size.
There are set volumes on a Mac that you cannot touch.

Copy on Write (CoW) in APFS

APFS does not overwrite existing blocks
When data changes, new blocks are written
Metadata is updated to reference the new blocks
Old blocks remain until reclaimed
Old blocks may persist until garbage collection (this can preserve historical file remnants)
Improves crash protection and consistency
Optimized for SSD performance

Instead of erasing old "homework", APFS writes a new version and just updates the pointer.

Notes:

Old-blocs remain until they are released (just moves pointer)
This requires a garbage collector architecture
This is important for forensics

APFS Metadata Structure

APFS uses B-trees for metadata storage
Object map tracks block references
No single Master File Table like NTFS
Metadata itself uses copy-on-write
Structure designed for crash consistency

Notes:

Metadata also uses CoW

APFS Snapshots

Point-in-time read-only state
Created using copy-on-write
Used by Time Machine and system updates
Deleted files may persist in snapshots
Investigators must examine snapshots

Notes:

Time Machine is deprecated now
- Plugin an external hard drive and go back in time, it was amazing
If you are a MacOS expert you can make a lot of money because there is ways to get data

APFS File Cloning

Cloning creates a new file without duplicating data blocks
Both files initially reference the same blocks
New blocks are written only when one file is modified
Reduces storage duplication
Speeds up file duplication operations

Forensics note:

Two files may appear separate, but originally shared identical block references.
AKA: they have the same pointer

APFS Encryption Model

Encryption is built directly into the file system
Supports single-key or multi-key encryption
FileVault integrates with APFS
Modern Macs use hardware-backed encryption
Physical acquisition can be extremely difficult without credentials
On Apple Silicon, encryption keys are stored in the Secure Enclave Physical imaging often impossible without credentials

Encryption is not an add-on. It is built into the architecture.

Note:

On modern macs (apple silicon), encryption keys are stored in a special location (Secure Enclave Physical)

NTFS vs APFS vs Ext4

Feature	NTFS	APFS	Ext4 (Linux)
Volume Structure	Fixed partitions	Container + dynamic volumes	Fixed partitions
Metadata	MFT	Object map + COW	Inodes
Snapshots	Shadow Copy	Native snapshots	Not native
Cloning	No	Yes	No
Encryption	BitLocker	Native encryption	Separate layer

Notes:

There is software to move partitions in all filesystems
On Linux files use inodes to identify themselves

Forensic Impact of APFS Features

Dynamic volumes complicate space analysis
APFS separates System and Data volumes in modern macOS
Copy on write may preserve historical data blocks
Snapshots may contain deleted evidence
Clones can share underlying data blocks
Encryption often prevents physical acquisition
Logical acquisition may be required

Notes:

CoW have historical data blocks until garbage collection comes along

This is how the File Structure looks like in MacOS

> df -h
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/disk3s1s1   460Gi    15Gi   170Gi     9%    453k  1.8G    0%   /
devfs            201Ki   201Ki     0Bi   100%     696     0  100%   /dev
/dev/disk3s6     460Gi    20Ki   170Gi     1%       0  1.8G    0%   /System/Volumes/VM
/dev/disk3s2     460Gi    15Gi   170Gi     9%    1.9k  1.8G    0%   /System/Volumes/Preboot
/dev/disk3s4     460Gi   782Mi   170Gi     1%     547  1.8G    0%   /System/Volumes/Update
/dev/disk1s2     500Mi   6.0Mi   481Mi     2%       1  4.9M    0%   /System/Volumes/xarts
/dev/disk1s1     500Mi   6.0Mi   481Mi     2%      35  4.9M    0%   /System/Volumes/iSCPreboot
/dev/disk1s3     500Mi   2.4Mi   481Mi     1%      93  4.9M    0%   /System/Volumes/Hardware
/dev/disk3s5     460Gi   257Gi   170Gi    61%    1.8M  1.8G    0%   /System/Volumes/Data
map auto_home      0Bi     0Bi     0Bi   100%       0     0     -   /System/Volumes/Data/home
/dev/disk3s1     460Gi    15Gi   170Gi     9%    453k  1.8G    0%   /System/Volumes/Update/mnt1

Linux OS

Linux File System Philosophy

Linux is built on UNIX design principles
Multiuser and permission-driven
File systems revolve around inodes
File names are directory references to inode numbers
Metadata stored separately from file names

Evolution of Linux File Systems

Ext2 introduced simple inode-based design
No journaling
Ext3 added journaling (https://www.youtube.com/watch?v=Dchyt8cW3QI)
Ext4 introduced extents and large partition support
Ext4 is the modern standard

Ext4 Architecture Overview

Boot block
Superblock
Inode tables
Journaling area
Data blocks

Pasted image 20260225092700.png|475

Notes:

Linux uses hard partitions, it is not like macOS volumes
If a superbock is corrupted, there is a potential that the disk does not move

The Superblock

Contains file system size and geometry
Tracks free blocks and inodes
Critical for mounting the file system
Backup superblocks exist across the disk
Multiple backup superblocks are distributed across the file system

Forensic note:
Corrupted superblock can prevent mounting but recovery may still be possible using backups.

Notes:

Knows how many blocks are free
If it gets corrupted it is going to be a problem
There are some backup superblocks

inodes - the Heart of Linux

Every file has an inode
Stores metadata: permissions, owner, timestamps, size
Contains pointers to data blocks
Does not store file name
Inodes are pre-allocated when the file system is created

Important concept:

Directories map names to inode numbers.

Notes:

This is the heart of Linux
These are pointers to data blocks
inode is fix-length
Stores 16 different addresses (pointers)
- 12 Direct pointers
- x2 Indirect
- x3 Indirect

Ext4 Extents

Extents replace older block mapping system
More efficient for large files
Reduces fragmentation
Improves performance
Extents describe contiguous ranges of blocks instead of individual block pointers

Journaling in Ext3 and Ext4

Journaling records intended metadata changes
- Ext4 journals metadata, not necessarily full file data
Helps recover after crash
Does not necessarily preserve old data blocks
Journal is temporary

Forensics angle:
Journal may contain remnants of recent metadata activity.

Notes:

Remember journals contain data as well, this is key for digital forensics people
There are ctf challenges that have flags on journaling

Deleted File Behavior in Linux

Deleting a file removes directory entry
Inode may remain until reused
Data blocks may persist until overwritten
File carving possible

NOTE: If inode and data blocks are not overwritten, recovery is possible

Notes:

File carving is possible
Data blocks stay there until overwritten

Linux vs NTFS vs APFS

NTFS → Centrailized MFT-based
APFS → Container-based and Copy-On-Write (COW)
Ext4 → Inode based + journaling

Introduction to ZFS

ZFS is not the default Linux file system.
Ext4 still dominates most Linux distributions.

However:
ZFS is widely used in

Enterprise storage
Forensic labs
NAS systems (including TrueNAS)
FreeBSD
Proxmox
Some Ubuntu deployments

And architecturally, it is very similar to APFS in some ways.

Notes:

This is basically just like Mac's APFS
It is used mostly on servers or NAS systems
FreeBS uses as well (it is a flavor of linux)
Proxmox uses ZFS
- Open source version is XCP
- Proxmox is not stable but it is small, fast, etc.
  - Runs containers and VMs at the same time on the same network
- XCP does not run containers natively, you need to run them on a VM
- If you run a container that uses your system resources

ZFS

ZFS is a modern advanced file system and volume manager
Originally developed by Sun Microsystems
Common in FreeBSD, TrueNAS, enterprise Linux
Uses copy-on-write architecture
Designed for data integrity and reliability

Notes:

Sun Microsystems:
- Stanford University Networking Microsystems
- Java came from Sun!

ZFS Storage Model

Uses storage pools instead of partitions
Pools (zpools) contain datasets
Datasets can have independent properties
Space dynamically allocated within the pool

Pasted image 20260225094113.png|400

This mirrors APFS containers conceptually

ZFS Copy-on-Write

Never overwrites live data
Writes new blocks and updates pointers
Snapshots are lightweight and fast
Prevents corruption during crashes

ZFS Data Integrity Model

Every block is checksummed
Checksums are stored separately from data
Detects silent corruption (bit rot)
Can self-heal when redundancy exists

Notes:

It can self-heal itself if a file is corrupted
Uses checksum to verify data

ZFS vs Ext4

Ext4 uses journaling
ZFS uses copy-on-write
Ext4 does not checksum all data blocks
ZFS provides end-to-end data integrity

IMPORTANT:

Ext4 is default in most Linux distributions.
ZFS is powerful but not default.

Summary

UNIX was created to be a multiuser, multithreaded, secure OS
The Linux kernel is usually packaged with other software components, such as a GUI and applications
Linux supports a wide range of file systems
UNIX and Linux have four components defining the file system: boot block, superblock, inode block, and data block
Linux forensic tools are often freeware
Before macOS, the file systems HFS and HFS+ were used
In older version of macOS, a file consists of two parts: a data fork and a resource fork
A volume is any storage medium used to store files
Plist files are preference files for installed applications on a macOS system
The biggest challenge in acquiring images from macOS systems is often physical access to the drive