A Present From Santa (APFS): Providing APFS support to The Sleuth Kit® Framework
Within the DFIR community, support for fundamental structures, like file systems, across tools is essential for examiners to complete their work. BlackBag has provided industry-leading support for Apple devices this past year by quickly releasing complete support for Apple’s latest file system (APFS), all of the encryption variations, and APFS Snapshots.
With macOS and iOS rapidly driving adoption rates of this new file system, we want to make sure examiners have access to the best and most complete support for APFS.
That is why BlackBag (a Cellebrite company) has decided to release our source code for the APFS file system in a format that can be used by The Sleuth Kit (TSK) framework – it is a way for us to give back to the DFIR community.
The Sleuth Kit® is a collection of command-line tools and a C library that allows examiners to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open-source and commercial forensics tools.
To learn more about what we are releasing and how the community can help, watch the video below, in which Dr. Joe Sylve, our Director of Research and Development and the primary developer of this support, discusses the announcement.
Starting today, you can find BlackBag’s source code for APFS at: https://github.com/blackbagtech/sleuthkit-APFS/
BlackBag (a Cellebrite company) believes the work DFIR examiners do makes a difference. We are committed to providing law enforcement, government, and corporations the crucial ability to determine facts pertinent to solving criminal and civil matters and examining security incidents. We hope this holiday, and really all year, we’ve made it easier to reveal the truth.