Filesystem
APFS Metadata
Overview
Apple File System (APFS) replaced HFS+ as the default filesystem starting with macOS High Sierra (10.13). APFS maintains rich metadata including nanosecond-precision timestamps, snapshot capabilities, cloning, and space sharing across volumes.
From a forensic perspective, APFS metadata reveals file creation, modification, and access times with high precision, along with volume snapshots that can preserve deleted data.
This article is under development. Detailed APFS forensic analysis documentation is coming soon.
Key Forensic Areas
- Timestamps: APFS stores creation, modification, access, and attribute-change times with nanosecond precision
- Snapshots: Time Machine and system update snapshots preserve point-in-time filesystem state
- Clones: APFS clones share data blocks — important for understanding file relationships
- Encryption: Per-file and per-volume encryption affects acquisition strategies
- Volume Groups: Signed System Volume (SSV) in macOS 11+ separates system and data volumes
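To make the timestamp point concrete, the following is an added example (not code from this article) that decodes the four timestamps at the start of an APFS inode record value. It assumes the `j_inode_val_t` layout from Apple's File System Reference, with times stored as little-endian 64-bit nanoseconds since 1970-01-01 UTC; the sample bytes and the review heuristics are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed j_inode_val_t head: parent_id, private_id, create, mod, change, access.
_INODE_HEAD = struct.Struct("<6Q")
_FIELDS = ("create_time", "mod_time", "change_time", "access_time")


def apfs_time(ns):
    """Render nanoseconds since 1970-01-01 UTC without losing precision."""
    secs, frac = divmod(ns, 1_000_000_000)
    base = datetime.fromtimestamp(secs, tz=timezone.utc)
    return f"{base:%Y-%m-%dT%H:%M:%S}.{frac:09d}Z"


def parse_inode_times(value):
    """Return the four inode timestamps as {name: (raw_ns, iso_string)}."""
    if len(value) < _INODE_HEAD.size:
        raise ValueError("inode value shorter than 48 bytes")
    raw = _INODE_HEAD.unpack_from(value)
    return {name: (ns, apfs_time(ns)) for name, ns in zip(_FIELDS, raw[2:])}


def review_flags(times):
    """Heuristics worth an examiner's attention, not proof of tampering."""
    flags = []
    ns = {name: pair[0] for name, pair in times.items()}
    whole = [name for name, v in ns.items() if v % 1_000_000_000 == 0]
    if whole:  # e.g. copied from a 1-second filesystem or set by a coarse tool
        flags.append("whole-second value: " + ", ".join(whole))
    if ns["create_time"] > ns["mod_time"]:
        flags.append("create_time later than mod_time")
    if ns["change_time"] < ns["mod_time"]:
        flags.append("change_time earlier than mod_time")
    return flags


# Constructed sample record (not taken from a real volume).
SAMPLE = struct.pack("<6Q", 2, 0x1234,
                     1_700_000_000_123_456_789,   # create
                     1_650_000_000_000_000_000,   # mod: before create, whole second
                     1_700_000_000_123_999_000,   # change
                     1_700_000_100_000_000_001)   # access

if __name__ == "__main__":
    times = parse_inode_times(SAMPLE)
    for name, (_, iso) in times.items():
        print(f"{name:12} {iso}")
    print("review:", review_flags(times))
```

Python's `datetime` only holds microseconds, which is why the fractional part is formatted separately from the raw integer.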
File Locations
| Item | Path | Description |
|---|---|---|
| Container superblock | Partition start | APFS container metadata |
| Volume superblock | Within container | Per-volume metadata |
| Snapshots | Within volume | Point-in-time filesystem state |
| Signed System Volume (SSV) | /System/Volumes/ | macOS 11+ system/data split |