- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of Mac file systems — APFS containers, volumes, snapshots, clones, sparse files, and encryption; and HFS+ catalog, extents overflow, and journal — anchoring the file evidence at the block level.
Quick Answer. Mac File System Forensics parses the on-disk structures of APFS (containers, volumes, snapshots, clones, encryption, checkpoint maps, object maps) and HFS+ (catalog B-tree, extents overflow B-tree, attributes B-tree, journal), verifies checksums, recovers deleted files from unallocated blocks, and reconstructs prior file states from snapshots. Because APFS is copy-on-write and content-addressable at the block level, deleted file content persists long after the filename disappears.
| Structure | Contents | Forensic use |
|---|---|---|
| NX Superblock | Container UUID, block size, checkpoint descriptor address | Container-level integrity and layout |
| Checkpoint Maps | Historical container state snapshots | Roll back the container to an earlier consistent state |
| Object Map (omap) | Virtual → physical object mapping per volume | Locate previous versions of the same object |
| File System Tree (fs-tree) | Inodes, directory entries, extents, xattrs | Files and metadata |
| Snapshot Metadata Tree | Per-snapshot fs-tree roots | Every APFS snapshot ever taken and preserved |
| Extent Reference Tree | Physical extent reference counts | Which extents are shared vs. free |
| Fusion (if present) | Tier 2 SSD/HDD mapping | Locates hot vs cold blocks |
APFS is copy-on-write. Every snapshot is a preserved fs-tree root pointing at the object versions that existed at snapshot time. macOS creates automatic local snapshots (~hourly, retained ~24h; nightly retained for Time Machine), and every Time Machine backup adds one. Because each snapshot references the original extent objects, “deleted” files remain fully readable within any snapshot that predated the deletion.
We enumerate snapshots with tmutil listlocalsnapshots /, mount each read-only during acquisition, and produce hash-verified copies of the target files at each preserved point in time. Where tmutil deletelocalsnapshots has been run, the underlying extents remain in APFS free space until overwritten — carving is often successful even after “cleanup.”
APFS clone (cp -c) copies share extents at the block level, incrementing a reference count. Analysing clone lineage is essential in exfiltration matters: a “new” file created by copy may share every extent with the original, which is provable at the physical layer even when the filename and path have changed. The extent reference tree makes this decisive.
Since macOS 10.15, APFS separates System (read-only, signed) and Data (user) into distinct volumes within the same container, joined via firmlinks. Both are typically FileVault-encrypted with keys wrapped by the user password and the Secure Enclave. Acquisition requires:
Once unlocked, the Data volume snapshots, xattrs, and content are readable normally. We document the unlock method used in every report.
Older Macs and many external drives still use HFS+. The catalog B-tree stores files, folders, and thread records; the extents overflow B-tree stores fragmented file locations; the attributes B-tree stores extended attributes. The journal, when enabled, records the last N transactions and often recovers file names and directory changes that occurred immediately before deletion. Carving from the allocation file recovers content of unlinked files whose blocks have not yet been reallocated.
/private/var/vm/.Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.
Very often yes, via local snapshots and Time Machine. Beyond the snapshot window, carving the extent tree recovers content until the blocks are reallocated.
Without the password, an institutional recovery key, or a live-image acquisition while unlocked, encrypted APFS is not practically parseable. This is why acquisition planning matters as much as analysis.
Not for the examination — clone and hardlink relationships are recorded in the fs-tree and extent reference tree, so we can prove which files share which extents. This is often decisive in “the copy is the same file as the original” arguments.
The Secure Enclave wraps the volume key. Physical extraction is not practical; forensic acquisition is performed live while the volume is unlocked with valid credentials, and the resulting logical image is analyzed the same way.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant