07 - MacOS File Systems
Class: CYBR-405
Notes:
Objectives
- Describe Macintosh history and file structures
- Describe Linux file
- Use Linux forensics tools
Early days of MacOS
- They started when IBM had a monopoly
- Prof. went to K-mart and bought his first Commodore to pirate and play games
- In 1990:
  - New Macintosh for $28,000 (1990 dollars)
  - New Apple laser printer for $5,000 (1990 dollars)
- NeXT had a UNIX-based OS
- When NeXT was folded into Apple (as Steve Jobs came back to Apple), the UNIX-based OS came to the Mac.
- We are still using a variant of that today!
Understanding Mac Files Structures
Hierarchical File System (HFS) - Launched in 1985
- Files stored in nested directories (folders)
Hierarchical File System Plus (HFS+) - Launched in 1998
- Introduced with Mac OS 8.1
- also called MacOS Extended
- Supports smaller file sizes on larger volumes, resulting in more efficient disk use
Apple File System (APFS) - Launched in 2017
- Introduced in macOS High Sierra
- Works on the concept of Containers and Volumes (like partitions).
- When data is written to a device, metadata is also copied to help with crash protection
Why do you think they went from HFS to HFS+?
- All of a sudden disks started getting larger and OSs couldn't handle it.
An Overview of Mac File Structures
- In Mac, a file consists of two parts: a data fork and a resource fork
- The data fork typically contains data the user creates, such as text or spreadsheets
  - Applications also read and write to the data fork
- The resource fork contains additional information
  - Such as menus and dialog boxes
  - Identified as ._filename if copied to Windows
- Resource forks are largely legacy
- Still visible when copied to Windows as ._filename
- Conceptually similar to NTFS alternate data streams
Notes:
- If you find an old Mac in a case, what are you going to do? CALL AN EXPERT
- This is not how the new filesystem works on Macs anymore
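When a resource fork reaches a Windows or Linux system it travels as an AppleDouble "._name" sidecar. The parser below is an added example (not part of the class notes): it decodes the AppleDouble header, lists the entries (Finder Info, Resource Fork, ...) and pulls the classic type/creator codes from Finder Info; the sample sidecar it parses is constructed inline, and its resource-fork bytes are placeholders, not a real resource map.

```python
import struct

APPLEDOUBLE_MAGIC = 0x00051607
ENTRY_NAMES = {1: "Data Fork", 2: "Resource Fork", 3: "Real Name",
               8: "File Dates Info", 9: "Finder Info"}

def parse_appledouble(blob):
    """Decode the AppleDouble header of a '._name' sidecar and return
    (version, entries); each entry carries the bytes it points at."""
    if len(blob) < 26:
        raise ValueError("too short to be an AppleDouble file")
    magic, version, count = struct.unpack(">II16xH", blob[:26])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("not an AppleDouble file (magic 0x%08x)" % magic)
    entries = []
    for i in range(count):
        eid, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        entries.append({"id": eid, "name": ENTRY_NAMES.get(eid, "unknown"),
                        "offset": offset, "length": length,
                        "data": blob[offset:offset + length]})
    return version, entries

def finder_type_creator(entries):
    """Finder Info starts with the classic 4-byte file type and creator codes."""
    for e in entries:
        if e["id"] == 9 and len(e["data"]) >= 8:
            return e["data"][:4].decode("ascii"), e["data"][4:8].decode("ascii")
    return None

def build_sample():
    """Constructed sample: a '._report.txt' sidecar with Finder Info and a
    small resource fork (placeholder bytes, not a real resource map)."""
    finder_info = b"TEXTttxt" + b"\x00" * 24
    rsrc = b"\x00\x00\x01\x00" * 4
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 2)
    header += struct.pack(">III", 9, 50, len(finder_info))   # header is 26 + 2*12 = 50 bytes
    header += struct.pack(">III", 2, 50 + len(finder_info), len(rsrc))
    return header + finder_info + rsrc

if __name__ == "__main__":
    version, entries = parse_appledouble(build_sample())
    for e in entries:
        print("%-14s offset=%d length=%d" % (e["name"], e["offset"], e["length"]))
    print("type/creator:", finder_type_creator(entries))
```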
Common Evidence Sources
Here are a few differences between Windows and macOS file systems
| Windows | Mac | Description |
|---|---|---|
| AppData | /Library | Directory where application information is stored. |
| \Windows | /private/var/root | Directory where system information is stored |
| \Users | /Users | Directory where user information is stored |
Forensics Procedures 1
For forensics procedures in macOS:
- You must know where file system components are located and how both files and file components are stored
Application settings are in three formats:
- Plaintext, plist files, and the SQLite database
- Plist files are preference files for installed applications on a system
- Kind of like the registry on Windows; uses SQL or SQLite databases
FileVault is used to encrypt and decrypt a user's directory
- Like BitLocker on Windows -> an encryption mechanism
Forensics Procedures 2
Keychains
- Files used to manage passwords for applications, Web sites, and other system files
- The Mac application Keychain Access enables you to restore passwords
- There is some evidence there you can try to find
Deleted files are in the Trashes folder
- If a file is deleted at the command line, however, it doesn't show up in the trash
Where stored...
- Plist files commonly stored in /Users/username/Library/Preferences
- Keychains stored in ~/Library/Keychains
- Safari history stored in SQLite databases
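Safari's history database is a good first SQLite artifact to practise on, because its timestamps are not Unix time: Core Data stores seconds since 2001-01-01 UTC, and reading them as Unix seconds shifts every visit by 31 years. The script below is an added example (not from the class notes) that builds a constructed, simplified subset of the History.db schema in memory and renders a visit timeline with the correct epoch; the table names follow the real database, but the rows are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data epoch: Safari's visit_time counts seconds from 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)

def build_sample_history(conn):
    """Constructed, simplified subset of Safari's History.db schema with
    made-up visits; not copied from a real system."""
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.com/', 2);
        INSERT INTO history_items VALUES (2, 'https://example.org/login', 1);
        INSERT INTO history_visits VALUES (1, 1, 700000000.0, 'Example');
        INSERT INTO history_visits VALUES (2, 2, 700003600.5, 'Login');
        INSERT INTO history_visits VALUES (3, 1, 700007200.0, 'Example');
    """)

def visit_timeline(conn):
    """Join visits to their URLs and render each timestamp as ISO-8601 UTC."""
    rows = conn.execute("""
        SELECT v.visit_time, i.url, v.title
        FROM history_visits v JOIN history_items i ON i.id = v.history_item
        ORDER BY v.visit_time""")
    return [(cocoa_to_utc(t).isoformat(), url, title) for t, url, title in rows]

def open_history(path=":memory:"):
    """On a real image, copy History.db (and its -wal/-shm files) out first and
    work on the copy; here an in-memory constructed database is used."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        build_sample_history(conn)
    return conn

if __name__ == "__main__":
    for row in visit_timeline(open_history()):
        print(*row)
```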
Forensics Procedures 3
- Acquisition Methods in macOS
  - Make a forensic image of the drive
  - Tools for working with a raw format image
    - BlackBag Technologies Macintosh Forensic Software
    - SubRosaSoft MacForensicsLab
    - Guidance Software EnCase
    - Sumuri Recon Mac OS X Forensics
    - X-Ways Forensics
  - If all else fails...
    - Mac's Time Machine Backup can be used to create a snapshot in time of logical files.
APFS (Modern Macs)
APFS Architecture Overview
- APFS is designed for SSDs and modern storage devices
- Introduced in macOS High Sierra
- Replaces HFS+
- Built around containers and dynamically sized volumes
- Uses copy on write instead of overwriting data
- Supports snapshots and cloning
- Encryption native at the file system level
Notes:
- They came out with this to support Solid State Drives (SSDs)
- You cannot go back to an older filesystem after your files have touched APFS
- The ZFS filesystem on Linux does the same thing:
  - Uses a container-based filesystem architecture
  - Inside that container you have filesystems
  - You can have different volumes, and these volumes are dynamic
- Copy on Write (CoW) instead of overwriting data.
APFS Containers and Dynamic Volumes
- One physical disk contains an APFS container
- The container holds multiple volumes
- Volumes share a common free space pool
- Volumes grow and shrink dynamically
- No rigid partition boundaries between volumes
- Common default volumes include System, Data, Preboot, and Recovery
In NTFS, partitions are rigid. In APFS, volumes flex. They all pull space from the same container pool.
Notes:
- If you are using a volume that is not very big, there will be a lot of free space at the back of your container; the volume shrinks and reshapes to match the size it actually needs.
- There are set volumes on a Mac that you cannot touch.
Copy on Write (CoW) in APFS
- APFS does not overwrite existing blocks
- When data changes, new blocks are written
- Metadata is updated to reference the new blocks
- Old blocks remain until reclaimed
- Old blocks may persist until garbage collection (this can preserve historical file remnants)
- Improves crash protection and consistency
- Optimized for SSD performance
Instead of erasing old "homework", APFS writes a new version and just updates the pointer.
Notes:
- Old blocks remain until they are released (a write just moves the pointer)
- This requires a garbage collector architecture
- This is important for forensics
APFS Metadata Structure
- APFS uses B-trees for metadata storage
- Object map tracks block references
- No single Master File Table like NTFS
- Metadata itself uses copy-on-write
- Structure designed for crash consistency
Notes:
- Metadata also uses CoW
APFS Snapshots
- Point-in-time read-only state
- Created using copy-on-write
- Used by Time Machine and system updates
- Deleted files may persist in snapshots
- Investigators must examine snapshots
Notes:
- Time Machine is deprecated now
- Plug in an external hard drive and go back in time; it was amazing
- If you are a MacOS expert you can make a lot of money, because there are ways to get data
APFS File Cloning
- Cloning creates a new file without duplicating data blocks
- Both files initially reference the same blocks
- New blocks are written only when one file is modified
- Reduces storage duplication
- Speeds up file duplication operations
Forensics note:
- Two files may appear separate, but originally shared identical block references.
- AKA: they have the same pointer
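The copy-on-write, snapshot and cloning sections above all describe one mechanism: data blocks are never overwritten, only pointers move. The class below is an added example (not part of the notes or of APFS itself): a toy block store that models that behaviour so the forensic consequences can be checked directly, namely that a modified file's old block is still on disk, that a clone and its source point at identical blocks, and that a deleted file stays readable through a snapshot until nothing references it and garbage collection reclaims it.

```python
class CowStore:
    """Toy copy-on-write block store in the spirit of APFS (a constructed
    teaching model, not APFS's real on-disk format)."""
    def __init__(self):
        self.blocks = {}      # block id -> bytes; never overwritten in place
        self.files = {}       # file name -> list of block ids (the "pointers")
        self.snapshots = {}   # label -> {file name: list of block ids}
        self._next_id = 0

    def _alloc(self, data):
        bid = self._next_id
        self._next_id += 1
        self.blocks[bid] = data
        return bid

    def write(self, name, chunks):
        self.files[name] = [self._alloc(c) for c in chunks]

    def modify(self, name, index, data):
        """Change one chunk: a fresh block is written and only the pointer
        moves, so the old block stays on disk."""
        refs = list(self.files[name])
        refs[index] = self._alloc(data)
        self.files[name] = refs

    def clone(self, src, dst):
        """A clone copies pointers, not data; both names share the same blocks."""
        self.files[dst] = list(self.files[src])

    def snapshot(self, label):
        self.snapshots[label] = {n: list(r) for n, r in self.files.items()}

    def delete(self, name):
        del self.files[name]   # only the directory reference disappears

    def read(self, name, snapshot=None):
        refs = self.snapshots[snapshot][name] if snapshot else self.files[name]
        return b"".join(self.blocks[b] for b in refs)

    def live_refs(self):
        holders = list(self.files.values())
        for snap in self.snapshots.values():
            holders.extend(snap.values())
        return {b for refs in holders for b in refs}

    def garbage_collect(self):
        """Reclaim blocks nothing references any more and return their ids.
        Until this runs, an examiner can still read the old data."""
        freed = sorted(b for b in self.blocks if b not in self.live_refs())
        for b in freed:
            del self.blocks[b]
        return freed
```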
APFS Encryption Model
- Encryption is built directly into the file system
- Supports single-key or multi-key encryption
- FileVault integrates with APFS
- Modern Macs use hardware-backed encryption
- Physical acquisition can be extremely difficult without credentials
- On Apple Silicon, encryption keys are stored in the Secure Enclave
- Physical imaging is often impossible without credentials
Encryption is not an add-on. It is built into the architecture.
Note:
- On modern Macs (Apple Silicon), encryption keys are stored in a special location (the Secure Enclave)
NTFS vs APFS vs Ext4
| Feature | NTFS | APFS | Ext4 (Linux) |
|---|---|---|---|
| Volume Structure | Fixed partitions | Container + dynamic volumes | Fixed partitions |
| Metadata | MFT | Object map + COW | Inodes |
| Snapshots | Shadow Copy | Native snapshots | Not native |
| Cloning | No | Yes | No |
| Encryption | BitLocker | Native encryption | Separate layer |
Notes:
- There is software to move partitions in all filesystems
- On Linux, files use inodes to identify themselves
Forensic Impact of APFS Features
- Dynamic volumes complicate space analysis
- APFS separates System and Data volumes in modern macOS
- Copy on write may preserve historical data blocks
- Snapshots may contain deleted evidence
- Clones can share underlying data blocks
- Encryption often prevents physical acquisition
- Logical acquisition may be required
Notes:
- CoW keeps historical data blocks until garbage collection comes along
This is what the file structure looks like in macOS:
```text
> df -h
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk3s1s1 460Gi 15Gi 170Gi 9% 453k 1.8G 0% /
devfs 201Ki 201Ki 0Bi 100% 696 0 100% /dev
/dev/disk3s6 460Gi 20Ki 170Gi 1% 0 1.8G 0% /System/Volumes/VM
/dev/disk3s2 460Gi 15Gi 170Gi 9% 1.9k 1.8G 0% /System/Volumes/Preboot
/dev/disk3s4 460Gi 782Mi 170Gi 1% 547 1.8G 0% /System/Volumes/Update
/dev/disk1s2 500Mi 6.0Mi 481Mi 2% 1 4.9M 0% /System/Volumes/xarts
/dev/disk1s1 500Mi 6.0Mi 481Mi 2% 35 4.9M 0% /System/Volumes/iSCPreboot
/dev/disk1s3 500Mi 2.4Mi 481Mi 1% 93 4.9M 0% /System/Volumes/Hardware
/dev/disk3s5 460Gi 257Gi 170Gi 61% 1.8M 1.8G 0% /System/Volumes/Data
map auto_home 0Bi 0Bi 0Bi 100% 0 0 - /System/Volumes/Data/home
/dev/disk3s1 460Gi 15Gi 170Gi 9% 453k 1.8G 0% /System/Volumes/Update/mnt1
```
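The df listing above shows the container pool directly: every disk3 volume reports the same 460Gi size and 170Gi available, because they draw on one shared free-space pool, and the root is mounted from disk3s1s1, a snapshot of the System volume disk3s1. The script below is an added example (not from the notes) that parses that exact output, groups volumes by container, checks the shared-pool property, and flags snapshot mounts.

```python
import re
from collections import defaultdict

# The df -h output from the notes, embedded so the script runs offline.
DF_OUTPUT = """\
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk3s1s1 460Gi 15Gi 170Gi 9% 453k 1.8G 0% /
devfs 201Ki 201Ki 0Bi 100% 696 0 100% /dev
/dev/disk3s6 460Gi 20Ki 170Gi 1% 0 1.8G 0% /System/Volumes/VM
/dev/disk3s2 460Gi 15Gi 170Gi 9% 1.9k 1.8G 0% /System/Volumes/Preboot
/dev/disk3s4 460Gi 782Mi 170Gi 1% 547 1.8G 0% /System/Volumes/Update
/dev/disk1s2 500Mi 6.0Mi 481Mi 2% 1 4.9M 0% /System/Volumes/xarts
/dev/disk1s1 500Mi 6.0Mi 481Mi 2% 35 4.9M 0% /System/Volumes/iSCPreboot
/dev/disk1s3 500Mi 2.4Mi 481Mi 1% 93 4.9M 0% /System/Volumes/Hardware
/dev/disk3s5 460Gi 257Gi 170Gi 61% 1.8M 1.8G 0% /System/Volumes/Data
map auto_home 0Bi 0Bi 0Bi 100% 0 0 - /System/Volumes/Data/home
/dev/disk3s1 460Gi 15Gi 170Gi 9% 453k 1.8G 0% /System/Volumes/Update/mnt1
"""

def parse_df(text):
    """Parse df -h rows from the right, since the Filesystem column may contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:
        p = line.split()
        rows.append({"fs": " ".join(p[:-8]), "size": p[-8], "used": p[-7],
                     "avail": p[-6], "mount": p[-1]})
    return rows

def group_by_container(rows):
    """Group APFS volumes by the disk (container) they hang off, e.g. disk3."""
    groups = defaultdict(list)
    for r in rows:
        m = re.match(r"/dev/(disk\d+)s\d+", r["fs"])
        if m:
            groups[m.group(1)].append(r)
    return dict(groups)

def shares_free_pool(rows):
    """True when every volume reports the same Size and Avail: one shared pool."""
    return len({(r["size"], r["avail"]) for r in rows}) == 1

def is_snapshot_mount(fs):
    """diskNsMsK (e.g. disk3s1s1) is a snapshot of volume diskNsM; macOS boots
    the sealed System volume from such a snapshot."""
    return re.fullmatch(r"/dev/disk\d+s\d+s\d+", fs) is not None

if __name__ == "__main__":
    for disk, vols in group_by_container(parse_df(DF_OUTPUT)).items():
        print(disk, "shared pool:", shares_free_pool(vols), [v["mount"] for v in vols])
```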
Linux OS
Linux File System Philosophy
- Linux is built on UNIX design principles
- Multiuser and permission-driven
- File systems revolve around inodes
- File names are directory references to inode numbers
- Metadata stored separately from file names
Evolution of Linux File Systems
- Ext2 introduced simple inode-based design
- No journaling
- Ext3 added journaling (https://www.youtube.com/watch?v=Dchyt8cW3QI)
- Ext4 introduced extents and large partition support
- Ext4 is the modern standard
Ext4 Architecture Overview
- Boot block
- Superblock
- Inode tables
- Journaling area
- Data blocks
![Ext4 architecture diagram](/CYBR-405/Visual%20Aids/Pasted%20image%2020260225092700.png)
Notes:
- Linux uses hard partitions; it is not like macOS volumes
- If a superblock is corrupted, there is a chance the disk will not mount
The Superblock
- Contains file system size and geometry
- Tracks free blocks and inodes
- Critical for mounting the file system
- Backup superblocks exist across the disk
- Multiple backup superblocks are distributed across the file system
Forensic note:
Corrupted superblock can prevent mounting but recovery may still be possible using backups.
Notes:
- Knows how many blocks are free
- If it gets corrupted it is going to be a problem
- There are some backup superblocks
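To make the superblock and its backups concrete, here is an added example (not part of the class notes): it decodes the primary ext4 superblock at byte offset 1024 of a volume image, validates the 0xEF53 magic, derives the block size, and computes where the backup superblocks sit under the usual sparse_super layout (groups 1 and the powers of 3, 5 and 7). The image it parses is a constructed 2 KiB buffer carrying a superblock that describes a 10 GiB volume with 4 KiB blocks; those geometry values are made up for the demonstration.

```python
import struct

EXT4_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the primary superblock always starts 1 KiB into the volume

def parse_superblock(image, offset=SUPERBLOCK_OFFSET):
    """Decode the superblock fields an examiner needs to mount or repair a volume."""
    sb = image[offset:offset + 1024]
    f = {}
    (f["inodes_count"], f["blocks_count"], _reserved, f["free_blocks"],
     f["free_inodes"], f["first_data_block"], log_bs) = struct.unpack_from("<7I", sb, 0)
    f["blocks_per_group"], = struct.unpack_from("<I", sb, 0x20)
    f["inodes_per_group"], = struct.unpack_from("<I", sb, 0x28)
    magic, state = struct.unpack_from("<HH", sb, 0x38)
    if magic != EXT4_MAGIC:
        raise ValueError("bad superblock magic 0x%04x (corrupt, or not ext2/3/4)" % magic)
    f["inode_size"], = struct.unpack_from("<H", sb, 0x58)
    f["block_size"] = 1024 << log_bs
    f["cleanly_unmounted"] = bool(state & 1)
    f["volume_name"] = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    return f

def backup_superblock_blocks(f):
    """Block numbers holding backup superblocks under sparse_super: group 1 and
    every power of 3, 5 and 7 (group 0 holds the primary)."""
    groups = -(-f["blocks_count"] // f["blocks_per_group"])   # ceiling division
    chosen = set()
    for base in (3, 5, 7):
        g = 1
        while g < groups:
            chosen.add(g)
            g *= base
    return [g * f["blocks_per_group"] + f["first_data_block"] for g in sorted(chosen)]

def build_sample_image():
    """Constructed superblock for a 10 GiB volume with 4 KiB blocks, inside a tiny image."""
    img = bytearray(2048)
    struct.pack_into("<7I", img, 1024, 655360, 2621440, 131072, 2000000, 600000, 0, 2)
    struct.pack_into("<I", img, 1024 + 0x20, 32768)      # blocks per group
    struct.pack_into("<I", img, 1024 + 0x28, 8192)       # inodes per group
    struct.pack_into("<HH", img, 1024 + 0x38, EXT4_MAGIC, 1)   # magic, state = clean
    struct.pack_into("<H", img, 1024 + 0x58, 256)        # inode size
    img[1024 + 0x78:1024 + 0x80] = b"evidence"           # volume label
    return bytes(img)

if __name__ == "__main__":
    f = parse_superblock(build_sample_image())
    print(f["volume_name"], f["block_size"], "byte blocks, clean:", f["cleanly_unmounted"])
    # e2fsck -b <block> -B <block size> can repair from one of these if the primary is damaged
    print("backup superblocks at blocks:", backup_superblock_blocks(f))
```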
Inodes - the Heart of Linux
- Every file has an inode
- Stores metadata: permissions, owner, timestamps, size
- Contains pointers to data blocks
- Does not store file name
- Inodes are pre-allocated when the file system is created
Important concept:
- Directories map names to inode numbers.
Notes:
- This is the heart of Linux
- These are pointers to data blocks
- An inode is fixed-length
- Stores 16 different addresses (pointers)
  - 12 direct pointers
  - Double indirect
  - Triple indirect
Ext4 Extents
- Extents replace older block mapping system
- More efficient for large files
- Reduces fragmentation
- Improves performance
- Extents describe contiguous ranges of blocks instead of individual block pointers
Journaling in Ext3 and Ext4
- Journaling records intended metadata changes
- Ext4 journals metadata, not necessarily full file data
- Helps recover after crash
- Does not necessarily preserve old data blocks
- Journal is temporary
Forensics angle:
Journal may contain remnants of recent metadata activity.
Notes:
- Remember, journals contain data as well; this is key for digital forensics people
- There are CTF challenges that have flags in the journal
Deleted File Behavior in Linux
- Deleting a file removes directory entry
- Inode may remain until reused
- Data blocks may persist until overwritten
- File carving possible
NOTE: If inode and data blocks are not overwritten, recovery is possible
Notes:
- File carving is possible
- Data blocks stay there until overwritten
Linux vs NTFS vs APFS
NTFS → Centralized, MFT-based
APFS → Container-based and Copy-On-Write (COW)
Ext4 → Inode based + journaling
Introduction to ZFS
ZFS is not the default Linux file system.
Ext4 still dominates most Linux distributions.
However:
ZFS is widely used in
- Enterprise storage
- Forensic labs
- NAS systems (including TrueNAS)
- FreeBSD
- Proxmox
- Some Ubuntu deployments
And architecturally, it is very similar to APFS in some ways.
Notes:
- This is basically just like Mac's APFS
- It is used mostly on servers or NAS systems
- FreeBSD uses it as well (it is a flavor of Linux)
- Proxmox uses ZFS
- Open source version is XCP
- Proxmox is not stable but it is small, fast, etc.
- Runs containers and VMs at the same time on the same network
- XCP does not run containers natively, you need to run them on a VM
- If you run a container that uses your system resources
ZFS
- ZFS is a modern advanced file system and volume manager
- Originally developed by Sun Microsystems
- Common in FreeBSD, TrueNAS, enterprise Linux
- Uses copy-on-write architecture
- Designed for data integrity and reliability
Notes:
- Sun Microsystems:
- Stanford University Networking Microsystems
- Java came from Sun!
ZFS Storage Model
- Uses storage pools instead of partitions
- Pools (zpools) contain datasets
- Datasets can have independent properties
- Space dynamically allocated within the pool
![ZFS storage pool diagram](/CYBR-405/Visual%20Aids/Pasted%20image%2020260225094113.png)
- This mirrors APFS containers conceptually
ZFS Copy-on-Write
- Never overwrites live data
- Writes new blocks and updates pointers
- Snapshots are lightweight and fast
- Prevents corruption during crashes
ZFS Data Integrity Model
- Every block is checksummed
- Checksums are stored separately from data
- Detects silent corruption (bit rot)
- Can self-heal when redundancy exists
Notes:
- It can heal itself if a file is corrupted
- Uses checksum to verify data
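The integrity model above is what separates ZFS from Ext4, which journals metadata but does not checksum data blocks. The class below is an added example (not from the notes or from ZFS's code): a toy two-way mirror in which the checksum is held in the parent block pointer rather than beside the data, so a silently flipped bit on one disk is caught on read and the bad copy is rewritten from the good one; when both copies fail, the read reports the loss instead of returning bad data.

```python
import hashlib

def checksum(data):
    """SHA-256 is one of the checksum algorithms ZFS can record in a block pointer."""
    return hashlib.sha256(data).digest()

class MirroredBlock:
    """Toy model of one ZFS data block on a two-way mirror: the checksum lives in
    the parent's block pointer, not next to the data (constructed teaching model)."""
    def __init__(self, data):
        self.copies = [bytearray(data), bytearray(data)]   # one copy per disk
        self.ptr_checksum = checksum(data)                  # held by the parent block

    def corrupt(self, copy_index, byte_index):
        """Simulate silent bit rot on one disk: no error is logged anywhere."""
        self.copies[copy_index][byte_index] ^= 0x01

    def read(self):
        """Verify every copy against the pointer checksum and return (data, healed),
        where healed lists the copies that were rewritten from a good one."""
        good, bad = None, []
        for i, copy in enumerate(self.copies):
            if checksum(bytes(copy)) == self.ptr_checksum:
                if good is None:
                    good = bytes(copy)
            else:
                bad.append(i)
        if good is None:
            raise IOError("every copy fails its checksum: data is unrecoverable")
        for i in bad:
            self.copies[i] = bytearray(good)   # self-heal the damaged disk
        return good, bad

if __name__ == "__main__":
    block = MirroredBlock(b"chain of custody")
    block.corrupt(1, 3)
    data, healed = block.read()
    print(data, "healed copies:", healed)
```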
ZFS vs Ext4
- Ext4 uses journaling
- ZFS uses copy-on-write
- Ext4 does not checksum all data blocks
- ZFS provides end-to-end data integrity
IMPORTANT:
- Ext4 is default in most Linux distributions.
- ZFS is powerful but not default.
Summary
- UNIX was created to be a multiuser, multithreaded, secure OS
- The Linux kernel is usually packaged with other software components, such as a GUI and applications
- Linux supports a wide range of file systems
- UNIX and Linux have four components defining the file system: boot block, superblock, inode block, and data block
- Linux forensic tools are often freeware
- Before macOS, the file systems HFS and HFS+ were used
- In older versions of macOS, a file consists of two parts: a data fork and a resource fork
- A volume is any storage medium used to store files
- Plist files are preference files for installed applications on a macOS system
- The biggest challenge in acquiring images from macOS systems is often physical access to the drive