APFS Disk Acquisition: From Live Data Capture to Seamless Image Mounting

  • Oct 7, 2024
  • 9 min read

Updated: Mar 31

Updated on 20 Feb 2025

Understanding .plist Files (Property List Files)

.plist files in macOS play roughly the role the registry plays in Windows: they hold configuration and state for the system and for individual apps (preferences under ~/Library/Preferences, launch jobs under the LaunchAgents and LaunchDaemons folders, and so on). They come in two flavors:


  1. XML format. The older, human-readable format. An XML .plist starts with <?xml version= and can be read in any text editor such as TextEdit, or even a web browser.

  2. Binary format. Newer .plist files are stored in a binary format to save space and to carry richer data types (including Binary Large Objects, BLOBs). They start with the magic bytes bplist00 and are not readable directly, but the system parses them much faster. A BLOB inside a binary plist is frequently itself a serialised plist (NSKeyedArchiver output is the common case), so be prepared to decode one layer and then decode again.

----------------------------------------------------------------------------------------

How to Analyze .plist Files

If you need to dig into .plist files, whether for troubleshooting or for an investigation, here is how to go about it:


On macOS:

  • Xcode: Apple's development environment opens .plist files in a graphical editor, but it has to be installed from the App Store. Work on a copy, never on the evidence file.

  • plutil: For command-line fans, plutil converts binary .plist files into XML or JSON. Note that plutil -convert xml1 <file> rewrites the file in place, so again work on a copy; plutil -p <file> only prints a readable dump.

Note: Starting with macOS Catalina (10.15), some data, particularly BLOB content, may be truncated when viewed in Xcode or plutil. This issue was fixed in macOS Big Sur (11.0) for Xcode but remains for plutil, so confirm BLOB lengths with a second parser before drawing conclusions from them.

On Windows:

  • iBackupBot or Notepad++ (with the bplist plugin) can open and edit binary .plist files.

  • Many forensic tools also support .plist analysis if you're doing advanced work.




On Linux:

  • Install the libplist-utils package. Its plistutil command converts binary plists to XML (and back) with plistutil -i <file.plist> -o <file.xml>. Python's standard-library plistlib reads both formats as well and is handy for scripting.

sudo apt update 
sudo apt install libplist-utils
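As an added example (not code from the original post), the script below does in Python what the tools above do by hand: it identifies a plist's format from its leading bytes, parses either flavour with the standard-library plistlib, re-serialises it as XML, and walks the result to decode any BLOB that is itself a nested binary plist. The sample plist is constructed in memory and its keys and bundle identifier are made up for the demo.

```python
"""Detect, parse, convert and recursively expand .plist data with plistlib.
Sample data is constructed inline; no file names or keys here come from a
real system."""
import datetime
import plistlib

XML_MAGIC = (b"<?xml", b"<plist")
BPLIST_MAGIC = b"bplist00"


def plist_format(raw: bytes) -> str:
    """Classify a plist by its leading bytes: 'xml', 'binary' or 'unknown'."""
    if raw.startswith(BPLIST_MAGIC):
        return "binary"
    # XML plists may carry a UTF-8 BOM or whitespace before the declaration.
    head = raw.lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(XML_MAGIC):
        return "xml"
    return "unknown"


def load_plist(raw: bytes):
    """plistlib auto-detects XML vs binary; refuse anything that is neither
    so a garbage file fails loudly instead of producing an empty dict."""
    if plist_format(raw) == "unknown":
        raise ValueError("not a property list (no <?xml or bplist00 header)")
    return plistlib.loads(raw)


def expand_nested(obj):
    """Walk a parsed plist; any bytes value that is itself a bplist is parsed
    too. Anything else is returned unchanged, so a BLOB that is not a plist
    (or fails to parse) is never silently dropped."""
    if isinstance(obj, dict):
        return {k: expand_nested(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [expand_nested(v) for v in obj]
    if isinstance(obj, bytes) and obj.startswith(BPLIST_MAGIC):
        try:
            return expand_nested(plistlib.loads(obj))
        except Exception:
            return obj
    return obj


def to_xml(raw: bytes) -> bytes:
    """Equivalent of `plutil -convert xml1` / `plistutil`: re-serialise as XML."""
    return plistlib.dumps(load_plist(raw), fmt=plistlib.FMT_XML)


def build_sample() -> bytes:
    """Constructed test data: a binary plist whose 'Payload' BLOB is itself a
    binary plist, the shape macOS preference files often have."""
    inner = plistlib.dumps(
        {"LastUsed": datetime.datetime(2021, 10, 1, 18, 13, 27)},
        fmt=plistlib.FMT_BINARY,
    )
    outer = {
        "ExampleBundleID": "com.example.demo",  # assumed identifier for the demo
        "LaunchCount": 3,
        "Payload": inner,                       # bytes -> <data> element in XML
    }
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    raw = build_sample()
    print("format:", plist_format(raw))
    print(expand_nested(load_plist(raw)))
    print(to_xml(raw).decode())
```

Run it against a real file by replacing build_sample() with open(path, "rb").read(); the nested-decode step is the one that pays off on NSKeyedArchiver-style blobs that plutil shows only as hex.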

----------------------------------------------------------------------------------------------

macOS Directory Breakdown

macOS has a file system layout similar to Linux, with some Apple-specific directories and conventions. One difference that trips up investigators: /etc, /var and /tmp are symbolic links into /private, so the /private paths below are the real locations, and tools that refuse to follow symlinks must be pointed at them.


  • /bin: Contains command utilities, just like Linux.

  • /sbin: Holds system binaries for managing the OS.

  • /dev: Device files live here, as in most Unix-like systems.

  • /opt: For optional software.

  • /private/var: Variable data such as logs, the audit trail (/private/var/audit), and the per-user cache and temporary folders under /private/var/folders. /var is a symlink to it.

  • /private/etc: System configuration files, such as hosts and the legacy passwd file (real local accounts live in the directory service under /private/var/db/dslocal, not in passwd). /etc is a symlink to it.

  • /private/tmp: Temporary files, cleaned up automatically over time. /tmp is a symlink to it.


----------------------------------------------------------------------------------------------

macOS File System Extensions

macOS has its own set of file extensions, each serving a unique purpose. Here’s a quick overview:


  • .dmg: Disk image files used for distributing software. You mount them as if they were actual disks.

  • .kext: Kernel extensions (essentially drivers). Apple has been deprecating them since macOS Catalina (10.15) in favour of user-space system extensions, and from macOS Big Sur (11.0) loading a third-party kext requires explicit user approval and a reboot so the kernel collection can be rebuilt; on Apple Silicon it additionally requires lowering the boot security policy. This matters for acquisition tools that still rely on a kext.

  • .plist: As discussed earlier, these are configuration files in XML or binary formats.

  • .app: These are macOS applications. While they look like single files, they’re actually bundles containing all the files and resources that make up the app.

  • .dylib: Dynamic libraries, similar to DLL files in Windows. They contain shared code used by applications.

  • .pkg: Installer package files. These packages moved to the XAR format with macOS 10.5 Leopard.

  • .xar: The eXtensible ARchive format is used for software installers and browser extensions.


----------------------------------------------------------------------------------------------

macOS Timestamps: How Time is Recorded

macOS, like other Unix-based systems, records time as Unix epoch time: the number of seconds since 00:00:00 UTC on 1 January 1970. APFS stores file timestamps as 64-bit values with nanosecond resolution, but most tools only display whole seconds.


You’ll see timestamps like:

  • Example 1: 1633112007 (10 digits, second accuracy)

  • Example 2: 1633112007178798056 (19 digits, nanosecond accuracy)


You will also meet the Mac Absolute Time epoch (also called Cocoa or CFAbsoluteTime), which counts seconds from 00:00:00 UTC on 1 January 2001. It is not a legacy format: many Apple SQLite databases (Safari history, Messages and others) use it today. Because 31 fewer years have elapsed, current values have 9 digits instead of 10, and the two epochs differ by exactly 978307200 seconds, so Unix time = Mac Absolute Time + 978307200. Values may carry a fractional part, since the underlying type is a floating-point number.


A quick way to tell which format you're dealing with (a heuristic, not a guarantee: a 9-digit Unix value would mean a date between 1973 and September 2001, so sanity-check the result against the surrounding data):
  • 9 digits = Mac Absolute Time (seconds since 2001)

  • 10 digits = Unix Epoch (seconds since 1970)

  • 19 digits = Unix Epoch (nanoseconds since 1970)
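The digit-count rule above, as an added example rather than code from the original post: classify a raw numeric timestamp, convert it to UTC, and go back the other way. The offset 978307200 is the exact difference between the two epochs; the three sample values are constructed.

```python
"""Classify and convert Unix (seconds / nanoseconds) and Mac Absolute Time
values. Sample values are constructed for the demo."""
from datetime import datetime, timedelta, timezone

MAC_EPOCH_OFFSET = 978_307_200  # seconds from 1970-01-01 to 2001-01-01 UTC


def classify(value) -> str:
    """Digit-count heuristic: 9 = Mac Absolute, 10 = Unix s, 19 = Unix ns."""
    digits = len(str(int(abs(value))))  # fractional part does not count
    if digits == 9:
        return "mac-absolute-seconds"
    if digits == 10:
        return "unix-seconds"
    if digits == 19:
        return "unix-nanoseconds"
    raise ValueError(f"unrecognised timestamp width ({digits} digits): {value}")


def to_utc(value) -> datetime:
    """Convert a raw value to an aware UTC datetime."""
    kind = classify(value)
    if kind == "unix-nanoseconds":
        secs, nanos = divmod(int(value), 1_000_000_000)
        base = datetime.fromtimestamp(secs, tz=timezone.utc)
        # datetime only carries microseconds; the last three digits are lost
        return base + timedelta(microseconds=nanos // 1000)
    if kind == "mac-absolute-seconds":
        value = value + MAC_EPOCH_OFFSET
    return datetime.fromtimestamp(value, tz=timezone.utc)


def to_mac_absolute(dt: datetime) -> float:
    """Inverse of the Mac Absolute branch, e.g. for building SQLite queries."""
    return dt.timestamp() - MAC_EPOCH_OFFSET


SAMPLES = [1633112007, 1633112007178798056, 654805207]  # constructed values

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:>20}  {classify(v):<22} {to_utc(v).isoformat()}")
```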


----------------------------------------------------------------------------------------------

Handy Commands for macOS Timestamps

If you want to view file timestamps on macOS, you can use these commands:


  • stat: Retrieves access, modification, and change (inode) times. The -x flag prints a Linux-style multi-line report with whole-second timestamps:

stat -x <filename>  # Shows Access, Modify, and Change timestamps in seconds

For nanosecond precision use the -f format string with the F modifier (the same syntax with %FB gives the birth/creation time):

stat -f %Fa <filename>  # Access time
stat -f %Fm <filename>  # Modification time
stat -f %Fc <filename>  # Change time

  • GetFileInfo: Part of the Xcode command line tools; prints Finder metadata including creation and modification times.

GetFileInfo <filename>

----------------------------------------------------------------------------------------------

Hard Drive Acquisition: The Hardware Hurdles

Macs come in different flavors when it comes to storage. If the drive is removable (older MacBook Pros, iMacs, Mac Pros), traditional dead-box acquisition behind a write blocker works. Many Macs are not so cooperative: MacBook Airs from 2010 onward use proprietary blade SSDs that need an adapter, and since roughly 2016 most models have the NAND soldered to the logic board. On anything with a T2 chip or Apple Silicon the soldered storage is also encrypted with keys held in the Secure Enclave, so even de-soldering the chips yields only ciphertext. You cannot just pull the drive and image it.

For those lucky enough to be working with a removable drive, websites like iFixit provide detailed teardown guides.

Just be warned that some models are notoriously difficult to dismantle.


If the storage is non-removable, your best bet is a live acquisition method: Target Disk Mode (Intel Macs), Share Disk from macOS Recovery (Apple Silicon), or a logical acquisition while the system is running.


--------------------------------------------------------------------------------------------------------

Encryption Challenges: FileVault Can Slow You Down

macOS has used two generations of encryption:


  1. Legacy FileVault (Mac OS X 10.3 to 10.6): encrypts only the user's home directory, which is stored as an encrypted disk image.

  2. FileVault 2 (10.7 onward): full-disk (strictly, full-volume) encryption. On HFS+ it is implemented with a CoreStorage logical volume; on APFS (10.13 onward) encryption is native to the file system and each volume is encrypted separately.


If you're dealing with an encrypted disk you can still image it, but you will only have ciphertext until you decrypt it, which requires the password of an enabled user or the Personal or Institutional Recovery Key. On T2 and Apple Silicon Macs the keys never leave the Secure Enclave, so the data has to be unlocked through the Mac itself (live, in Target Disk Mode, or via Share Disk) rather than from a raw chip image. If the system is already up and running and unlocked, your best bet is to acquire the data in its unencrypted state while you have access.


--------------------------------------------------------------------------------------------------------

Target Disk Mode (TDM): Your Best Friend

If the Mac is functional and Intel-based, Target Disk Mode (TDM) can be a lifesaver. It turns the Mac into an external drive that you connect to another system over FireWire, Thunderbolt, or USB-C. Keep in mind:


  • Some older MacBook Airs have neither FireWire nor Thunderbolt ports, which rules TDM out.

  • If the system uses FileVault 2, the volume shows up locked on the host and you will need the password or a recovery key to unlock it.

  • If the Mac has a Boot Camp partition (a Windows partition), you will see two separate volumes.

  • There is no hardware write blocker in this setup: the host's operating system will mount the volumes read-write unless you disable automatic mounting first (see Disk Arbitration below) or use an acquisition tool that blocks writes.

  • T2-equipped Intel Macs keep TDM, but if a firmware password is set you must enter it before TDM starts.

  • Apple Silicon Macs (M1 and later) have no Target Disk Mode. The replacement is Share Disk in macOS Recovery, which exposes the internal volume over SMB to a Mac connected by cable, and a FileVault volume still needs the password or recovery key before it is shared.


To enable Target Disk Mode, restart the Mac while holding "T" until the FireWire/Thunderbolt/USB symbol appears on the screen. If you can log in, Startup Disk in System Preferences also offers a Target Disk Mode button.

--------------------------------------------------------------------------------------------------------


Dealing with Open Firmware and EFI Passwords

PowerPC-era Macs may have an Open Firmware password, and Intel Macs use an EFI firmware password to stop the machine booting from anything but the selected startup disk, which also blocks Target Disk Mode and Recovery. Apple Silicon Macs have no firmware password; the equivalent controls are the boot security policy and the owner's account password.


If you're locked out, you can try the following:


  • On Open Firmware and early Intel models, change the amount of installed RAM and reboot; the password check is skipped when the memory configuration changes.

  • Then reset the PRAM/NVRAM by holding Command + Option + P + R at startup (this also clears other NVRAM variables, so note it in your log).

  • On later Intel Macs (roughly 2011 onward) these tricks no longer work, and the only supported route is to send Apple the key hash the lock screen displays and get a reset file back, which requires proof of ownership (good luck with that).


--------------------------------------------------------------------------------------------------------

System Integrity Protection (SIP): Another Hurdle

System Integrity Protection (SIP) is the macOS feature that prevents modification of system files and processes, even by root. It also blocks loading unapproved kernel extensions and unloading Apple's own launch daemons (such as diskarbitrationd, below). Separately, since macOS Mojave (10.14) the TCC privacy controls stop even root from reading user data such as Mail, Messages and Safari databases unless the tool has been granted Full Disk Access.


If SIP is enabled you may run into acquisition errors: a kext-based imaging tool refusing to load, "Operation not permitted" from launchctl, or empty results for protected folders. Check the current state first with csrutil status from any Terminal.

To disable SIP:

  • Boot into Recovery Mode (restart and hold CMD + R on an Intel Mac; on Apple Silicon, power on while holding the power button and choose Options).

  • Open Terminal and run:

csrutil disable
  • Reboot the system.


Disabling SIP writes to NVRAM on the evidence machine, so record the change and put it back with csrutil enable when you are done. And if the user has FileVault enabled and you don't have the password, disabling SIP won't help much; likewise, for TCC-protected data the fix is granting your tool Full Disk Access, not disabling SIP.

--------------------------------------------------------------------------------------------------------


Important concepts to understand during macOS acquisition

Disk Arbitration: Controlling Auto-Mounting

Disk Arbitration (the diskarbitrationd daemon) automatically mounts any disk that is connected, and it mounts read-write by default. Plugging evidence media into a Mac without a write blocker therefore updates mount counts and journals and can create .Spotlight-V100 and .fseventsd metadata on the evidence. Turn it off before you plug anything in, and verify that it is off.


You can check whether it is running and disable it if needed. On current macOS versions the launchctl unload/load commands below only succeed with SIP disabled (the daemon lives under /System and SIP blocks unloading it); with SIP on, use a hardware write blocker or boot the analysis Mac from a forensic live system instead.


To disable Disk Arbitration:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

To enable it again:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

To check if it’s running:

ps auxw | grep diskarbitrationd

--------------------------------------------------------------------------------------------------------


Boot Camp and Multi-Boot Systems

Many Macs have Boot Camp, which allows them to dual-boot macOS and Windows. If you’re imaging a system in Target Disk Mode, be aware that Windows partitions might automatically mount when connected to a Windows system.


Some users even triple-boot with Linux using tools like rEFInd.

--------------------------------------------------------------------------------------------------------


Tips for Disk Acquisition

Live collection is usually your best bet. Capturing data from a running, unlocked system avoids most of the encryption and hardware hurdles above. A few strategies:


  • Endpoint agents: if an EDR or DFIR agent is already deployed, use it. Velociraptor can collect files, triage artifacts and even raw disk ranges remotely, and remote access agents such as F-Response expose the live disk to your forensic workstation over the network.


  • Forensic tools: If you have access to commercial forensic software, you're in good hands. Some commonly used options include:

    • Cellebrite Digital Collector

    • FTK Imager

    • OpenText EnCase

    • Magnet Acquire


  • Direct access methods: If you have direct access to the system but not commercial tools, open-source options still work.


    dd or dcfldd/dc3dd: create a raw image of the disk (use the raw device, /dev/rdiskN, which is noticeably faster than /dev/diskN) to external storage, or stream it to a remote host over netcat. dcfldd and dc3dd hash the data as they go and can skip unreadable blocks; with plain dd, hash the finished image and record the value. Expect to need root and, on Mojave or later, Full Disk Access for the terminal doing the copying.

    Sumuri PALADIN: a bootable forensic Linux USB for imaging the disk without running the target's own OS (Intel Macs only; on T2 models, booting from external media must first be allowed in Startup Security Utility).
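What dcfldd/dc3dd add over plain dd, as an added example and not code from the original post: a block-wise imager that zero-fills unreadable blocks so offsets stay aligned (dd's conv=noerror,sync behaviour), hashes what it writes, and re-hashes the output file as an independent verification. The "device" is a constructed in-memory buffer with one deliberately bad block standing in for /dev/rdiskN; the code never opens a real disk.

```python
"""Minimal dd/dcfldd-style imager with bad-block handling and hashing.
The source is a constructed stand-in; nothing here touches real devices."""
import hashlib
import io
import os
import tempfile

BLOCK = 4096   # small for the demo; real imaging uses larger blocks (e.g. bs=4m)


class BadSectorSource:
    """Constructed stand-in for a device with unreadable blocks: a read that
    starts inside one of `bad_blocks` raises OSError, like a failing sector."""

    def __init__(self, data: bytes, bad_blocks: set):
        self._buf = io.BytesIO(data)
        self._size = len(data)
        self._bad = bad_blocks

    def seek(self, pos: int) -> int:
        return self._buf.seek(pos)

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if pos < self._size and pos // BLOCK in self._bad:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)


def image_device(src, dst, block: int = BLOCK) -> dict:
    """Copy src to dst block by block, zero-filling unreadable blocks.
    Returns the byte count, the bad block indexes, and MD5/SHA-256 of the
    image as written: the values that belong in the acquisition log."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad, total, idx = [], 0, 0
    while True:
        try:
            chunk = src.read(block)
        except OSError:
            bad.append(idx)
            chunk = b"\x00" * block          # conv=sync: pad to keep alignment
            src.seek((idx + 1) * block)      # conv=noerror: skip and carry on
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
        idx += 1
    return {"bytes": total, "bad_blocks": bad,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sha256_file(path: str) -> str:
    """Independent re-hash of the written image, chunked so it scales to disks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_demo() -> dict:
    """Image a constructed 40 KiB 'disk' whose block 3 is unreadable, verify it."""
    data = bytes(range(256)) * 160               # constructed sample, 10 blocks
    src = BadSectorSource(data, bad_blocks={3})
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "evidence.dd")
        with open(out, "wb") as dst:
            result = image_device(src, dst)
        result["verified_sha256"] = sha256_file(out)
    # What a correct imager must have produced: block 3 replaced by zeros.
    expected = data[:3 * BLOCK] + b"\x00" * BLOCK + data[4 * BLOCK:]
    result["expected_sha256"] = hashlib.sha256(expected).hexdigest()
    return result


if __name__ == "__main__":
    r = run_demo()
    print(f"{r['bytes']} bytes written, bad blocks {r['bad_blocks']}")
    print("sha256 (while imaging):", r["sha256"])
    print("sha256 (re-read file): ", r["verified_sha256"])
```

Against a real device you would open /dev/rdiskN as src with a much larger block size and write the returned hashes and bad-block list into your notes; the two SHA-256 values matching is the check that the image on disk is the one you hashed.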


---------------------------------------------------------------------------------------------------------


Now for what you came for: Mounting APFS and HFS+ Images on macOS (With or Without FileVault)

If you're working with forensic images on macOS, mounting APFS or HFS+ images is a key step in analysing disk contents. Whether the image is encrypted with FileVault or not, here is a hands-on guide. The steps assume an E01 image named Collectedimage.E01; xmount and ewfmount are both FUSE-based and need macFUSE installed.


Mounting APFS Images (macOS 10.13 and Later)

Step 1: Create Mount Points

Before you mount an image, create directories to serve as mount points:

mkdir /Volumes/apfs_image/
mkdir /Volumes/mounted_apfs/

If you have an E01 forensic image, convert it on the fly to a DMG with xmount. xmount presents a virtual Collectedimage.dmg (named after the input) inside the mount point without writing a copy, and it is read-only unless you add a cache file:

sudo xmount --in ewf Collectedimage.E01 --out dmg /Volumes/apfs_image/

Step 2: Attach the DMG Without Mounting

Use hdiutil to attach the DMG without auto-mounting:

hdiutil attach -nomount /Volumes/apfs_image/Collectedimage.dmg

This creates /dev/disk# entries for the image: one for the whole disk, one per partition (the APFS container), and a synthesized /dev/disk# for the container's volumes. Nothing is mounted yet, which is what we want. hdiutil also accepts -readonly if you want writes blocked at the image layer as well.


Step 3: Find the APFS Volume

Run:

diskutil ap list

Each volume is listed with its device node (e.g. disk5s1), its APFS Volume UUID, its role, and whether FileVault is enabled and locked. Locate the volume with the OS or user data: on Catalina and later the system is split into a System volume (e.g. "Macintosh HD") and a Data volume ("Macintosh HD - Data"), and the user data lives on the latter. Both diskutil and hdiutil accept -plist if you would rather parse the output than read it.


Step 4: Unlock FileVault (If Encrypted)

If FileVault is enabled, unlock the volume by its UUID without mounting it:

diskutil ap unlockVolume <GUID> -nomount

It will prompt you for the password (the Personal Recovery Key works as a passphrase too). Keep -nomount: without it the volume is mounted read-write the moment it unlocks.


Step 5: Mount the APFS Volume

Now, mount the APFS volume (the volume node from Step 3, such as /dev/disk5s1, not the container) read-only:

sudo mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/mounted_apfs/

Your APFS image is now accessible at /Volumes/mounted_apfs/. Confirm with mount that the entry shows read-only before you start browsing.
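Steps 3 to 5 driven from machine-readable output, as an added example that is not code from the original post: both hdiutil attach and diskutil apfs list accept -plist, and plistlib (from the .plist section above) turns that into data you can filter by role and lock state, then emit the exact unlock and read-only mount commands. The plist key names assumed here (system-entities, dev-entry, Containers, Volumes, DeviceIdentifier, APFSVolumeUUID, Name, Roles, Locked) are written from memory and the sample plists are constructed, so compare them with real output on your own Mac before relying on the filter.

```python
"""Plan APFS unlock/mount commands from hdiutil and diskutil -plist output.
Key names and sample plists are assumptions for the demo."""
import plistlib
import shlex
import subprocess
import sys

MOUNT_OPTS = "rdonly,noexec,noowners"       # read-only, no execution, ignore owners


def attached_devices(hdiutil_plist: bytes) -> list:
    """Device nodes created by `hdiutil attach -nomount -plist <image.dmg>`."""
    info = plistlib.loads(hdiutil_plist)
    return [e["dev-entry"] for e in info.get("system-entities", []) if "dev-entry" in e]


def apfs_volumes(diskutil_plist: bytes) -> list:
    """One flat dict per APFS volume from `diskutil apfs list -plist`."""
    vols = []
    for container in plistlib.loads(diskutil_plist).get("Containers", []):
        for v in container.get("Volumes", []):
            vols.append({
                "device": v["DeviceIdentifier"],       # e.g. disk5s1
                "uuid": v["APFSVolumeUUID"],           # what unlockVolume takes
                "name": v.get("Name", ""),
                "roles": list(v.get("Roles", [])),     # e.g. ["Data"], ["System"]
                "locked": bool(v.get("Locked", False)),
            })
    return vols


def plan_mount(volumes, mount_root="/Volumes/mounted_apfs", roles=("System", "Data")) -> list:
    """Commands for the volumes that carry OS or user data: unlock locked ones
    by UUID with -nomount (diskutil prompts for the passphrase, so it never
    lands in shell history), then mount each read-only under its own directory.
    roles=None plans every volume, Preboot/Recovery/VM included."""
    cmds = []
    for v in volumes:
        if roles is not None and not any(r in v["roles"] for r in roles):
            continue
        target = shlex.quote(f"{mount_root}/{v['device']}")
        if v["locked"]:
            cmds.append(f"diskutil apfs unlockVolume {v['uuid']} -nomount")
        cmds.append(f"mkdir -p {target}")
        cmds.append(f"sudo mount_apfs -o {MOUNT_OPTS} /dev/{v['device']} {target}")
    return cmds


def sample_hdiutil() -> bytes:
    """Constructed: what attaching a one-partition APFS image might report."""
    return plistlib.dumps({"system-entities": [
        {"dev-entry": "/dev/disk4", "content-hint": "GUID_partition_scheme"},
        {"dev-entry": "/dev/disk4s2", "content-hint": "Apple_APFS"},
    ]})


def sample_diskutil() -> bytes:
    """Constructed: a Catalina-style container with a locked Data volume."""
    def vol(dev, uuid, name, role, locked):
        return {"DeviceIdentifier": dev, "APFSVolumeUUID": uuid, "Name": name,
                "Roles": [role], "FileVault": locked, "Locked": locked}
    return plistlib.dumps({"Containers": [{"ContainerReference": "disk5", "Volumes": [
        vol("disk5s1", "11111111-2222-3333-4444-555555555555", "Macintosh HD - Data", "Data", True),
        vol("disk5s2", "22222222-3333-4444-5555-666666666666", "Preboot", "Preboot", False),
        vol("disk5s5", "33333333-4444-5555-6666-777777777777", "Macintosh HD", "System", False),
    ]}]})


def run_cmd(*argv) -> bytes:
    """Capture a tool's stdout; only used on a real Mac with an image path given."""
    return subprocess.run(argv, check=True, capture_output=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # python3 plan.py image.dmg
        attached = run_cmd("hdiutil", "attach", "-nomount", "-plist", sys.argv[1])
        listing = run_cmd("diskutil", "apfs", "list", "-plist")
    else:                                          # offline demo on constructed data
        attached, listing = sample_hdiutil(), sample_diskutil()
    print("attached:", attached_devices(attached))
    print("\n".join(plan_mount(apfs_volumes(listing))))
```

The script prints the commands rather than running them so you can read the unlock UUID and the read-only options before anything touches the image; the role filter is what keeps you from accidentally mounting Preboot or VM when you wanted the user's Data volume.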


---------------------------------------------------------------------------------------------------------


Unmounting APFS Images

When you're done, unmount the volume first and then detach the disk image; check with mount and diskutil list that nothing is left behind:

mount
sudo umount /Volumes/mounted_apfs/
diskutil list
diskutil eject /dev/disk#

If it refuses to unmount (usually because a shell or Finder window still has it open), force it:

sudo umount -f /Volumes/mounted_apfs/

---------------------------------------------------------------------------------------------------------

Mounting HFS+ Images


Method 1: Using xmount

Step 1: Create Mount Points

mkdir /Volumes/hfs_image/
mkdir /Volumes/mounted_hfs/

Step 2: Convert and Attach Image

sudo xmount --in ewf hfs_Collectedimage.E01 --out dmg /Volumes/hfs_image/
hdiutil attach -nomount /Volumes/hfs_image/Collectedimage.dmg

Step 3: Mount the HFS+ Volume

sudo mount_hfs -j -o rdonly,noexec,noowners /dev/disk# /Volumes/mounted_hfs/

The -j flag tells mount_hfs to ignore the journal so it is not replayed onto the evidence; use the HFS+ partition node (e.g. disk3s2), not the whole disk. Now you can access the mounted volume.



Method 2: Using ewfmount

If xmount isn’t available, ewfmount is an alternative.


Step 1: Create Mount Points

mkdir /Volumes/hfs_ewf/
mkdir /Volumes/mounted_hfs/

Step 2: Mount the E01 Image

ewfmount hfs_Collectedimage.E01 /Volumes/hfs_ewf/

Step 3: Create a Symbolic Link

hdiutil wants a disk-image file name, and the ewfmount mount point is read-only, so put the link somewhere writable:

ln -s /Volumes/hfs_ewf/ewf1 /tmp/Collectedimage.dmg

Step 4: Attach and Mount

hdiutil attach -nomount /tmp/Collectedimage.dmg

sudo mount_hfs -o rdonly,noexec,noowners /dev/disk# /Volumes/mounted_hfs/


Mounting HFS+ 4K Images (With or Without FileVault)

Some images come from drives with 4K sectors, and hdiutil will not recognise the partition map unless it is told the block size. The flow is the same as above with one extra flag, plus an unlock step for CoreStorage (FileVault 2 on HFS+) volumes.


Step 1: Create Mount Points

Create /Volumes/hfs_image/ and /Volumes/mounted_hfs/ exactly as in Method 1.

Step 2: Convert to DMG

sudo xmount --in ewf hfs_Collectedimage.E01 --out dmg /Volumes/hfs_image/

Step 3: Attach the DMG With 4K Block Size

hdiutil attach -nomount -blocksize 4096 /Volumes/hfs_image/Collectedimage.dmg

Step 4: Unlock FileVault (If Needed)

Find the Logical Volume UUID with diskutil cs list, then unlock it (you will be prompted for the password or recovery key):

diskutil cs unlockVolume <LogicalVolumeGUID>

Step 5: Mount the HFS+ Volume

sudo mount_hfs -o rdonly,noexec,noowners /dev/disk# /Volumes/mounted_hfs/

Now your HFS+ 4K image is mounted and accessible.


The Mount Options That Matter:

Mounting an image on macOS is straightforward, but three options do the forensic work:

  • rdonly: Mounts the image read-only, so nothing (not even the file system driver's own housekeeping) writes to the evidence.

  • noexec: Prevents any code on the mounted image from executing, so you cannot accidentally run a suspect binary on your analysis machine.

  • noowners: Ignores the ownership information stored on the volume, so files owned by the suspect's UID are readable without chown games and without your own UID mapping onto theirs.


-------------------------------------------------------------------------------------------------------------

Mounting in Linux

Mounting an APFS image on Linux is possible but requires FUSE (Filesystem in Userspace) drivers. Here’s a simplified guide:


  1. Install APFS FUSE drivers: install the build dependencies, clone the apfs-fuse repository from GitHub, build it, and link the binaries into your PATH.

sudo apt update
sudo apt install libicu-dev bzip2 cmake libz-dev libbz2-dev fuse3 clang git libattr1-dev libplist-utils -y
cd /opt
git clone https://github.com/sgan81/apfs-fuse.git   # assumed: the project whose build layout matches the steps below
cd apfs-fuse
git submodule init
git submodule update
mkdir build
cd build
cmake ..
make
ln -s /opt/apfs-fuse/build/apfs-dump /usr/bin/apfs-dump
ln -s /opt/apfs-fuse/build/apfs-dump-quick /usr/bin/apfs-dump-quick
ln -s /opt/apfs-fuse/build/apfs-fuse /usr/bin/apfs-fuse
ln -s /opt/apfs-fuse/build/apfsutil /usr/bin/apfsutil

NOTE: the ln -s commands only save you from adding /opt/apfs-fuse/build to your PATH; adjust for your environment.


  2. Mount the image: expose the E01 as a raw file with ewfmount (from the ewf-tools package), then hand that file to apfs-fuse read-only. Useful apfs-fuse options: -o vol=N picks a volume inside the container, and -o pass=<password> supplies a FileVault password (be aware that a password on the command line ends up in your shell history).

mkdir /mnt/ewf_mount /mnt/apfs_mount            # mount points for the raw image and the file system
ewfmount /path/to/Collectedimage.E01 /mnt/ewf_mount   # exposes the image as /mnt/ewf_mount/ewf1
cd /mnt/ewf_mount                               # change to the directory where the raw image now is
apfs-fuse -o ro,allow_other ewf1 /mnt/apfs_mount # mount the image read only


If you want a script to automate this for Debian-based distros (like Ubuntu), check out the one available at this link.


-------------------------------------------------------------------------------------------------------------


Final Thoughts

In forensic investigations, especially on macOS systems, APFS disk acquisition can be tricky. Between encrypted disks, System Integrity Protection (SIP), and Apple's tight security measures, your best option is often live data capture.

Mounting forensic disk images on macOS, whether APFS or HFS+, takes a few careful steps, especially when dealing with FileVault encryption. With xmount, ewfmount, and hdiutil, you have multiple ways to mount images while keeping them forensically sound.


------------------------------------------------Dean------------------------------------------------------


 
 
 
