Continuing BlackBag's (a Cellebrite company) leading APFS (Apple File System) support, Cellebrite Inspector 2018 R3 is now the only forensic solution that lets examiners parse APFS snapshots.

Snapshots are a built-in feature of APFS, Apple's latest file system, designed to support backups. A snapshot leverages the copy-on-write property of APFS to capture the entire state of a volume almost instantly: unchanged blocks are shared with the live volume rather than copied, so a snapshot is a point-in-time record on the same disk, not a separate copy of the data. Snapshots can also be mounted as read-only volumes that are exact copies of the file system state at the time they were taken.

Processing APFS Snapshots

To examine snapshots, choose the "Parse Snapshots / Volume Shadow Copies" option from the advanced processing options.

Clicking the ellipsis next to the "Parse Snapshots / Volume Shadow Copies" option opens a window listing any snapshots that exist. Select the ones to be processed, then click "OK." Those snapshots are added to the case, where they can be viewed, searched, and filtered.

Choose which APFS Snapshots to process

APFS snapshots are enabled automatically when Time Machine is enabled, even if a backup disk is not connected. Snapshots are created approximately every hour (before each Time Machine backup) and before certain system updates.

Snapshot lifetimes depend on a number of factors, but snapshots generally stick around for about 24 hours. Older snapshots may be deleted sooner if the disk is low on space. We have found that devices with unsuccessful Time Machine backups tend to retain snapshots the longest, so a system whose backups have been failing can hold considerably more history than the 24-hour guideline suggests.

Examining APFS Snapshots

Once processed, the APFS snapshots are displayed in the evidence tree under the APFS volume they belong to. Each snapshot is numbered and labeled with the volume name, for example, "VolumeName (Snap 1)".

Examiners can choose to view multiple volumes and snapshots together using the checkboxes in the evidence tree. Examiners can also filter on snapshot differences on the "File Filter" tab. Finally, when viewing a file, the file history view shows whether the file differs in a previous snapshot.

APFS snapshots display under the volume with “(Snap #)” listed after the volume name.
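The two things Inspector automates here, ordering snapshots by the time they were taken and isolating what changed between them, can be reproduced by hand on a macOS examination machine. The script below is an added example, not code from Cellebrite or BlackBag. It assumes the snapshot names follow the com.apple.TimeMachine.YYYY-MM-DD-HHMMSS convention that `tmutil listlocalsnapshots /` prints, and that the two snapshots being compared have already been mounted read-only (for example with macOS's `mount_apfs -s <snapshot> <volume> <mountpoint>`); the listing and the two directory trees it diffs are constructed stand-ins so it runs offline.

```python
"""Order APFS local snapshots chronologically and diff two mounted snapshots.

Added example, not part of Cellebrite Inspector. The snapshot listing and the
two "mounted snapshot" trees below are constructed test data.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed stand-in for `tmutil listlocalsnapshots /` output (not real output).
SAMPLE_LISTING = """\
Snapshots for disk /:
com.apple.TimeMachine.2018-10-23-141506
com.apple.TimeMachine.2018-10-22-093012
com.apple.TimeMachine.2018-10-23-101507
"""

# Newer macOS releases append ".local" to the name; accept both forms.
SNAP_RE = re.compile(r"^com\.apple\.TimeMachine\.(\d{4}-\d{2}-\d{2}-\d{6})(?:\.local)?$")


def parse_snapshot_names(listing):
    """Return [(datetime, name)] sorted oldest first from tmutil-style output."""
    found = []
    for line in listing.splitlines():
        m = SNAP_RE.match(line.strip())
        if m:
            found.append((datetime.strptime(m.group(1), "%Y-%m-%d-%H%M%S"), line.strip()))
    return sorted(found)


def older_than(snapshots, now, hours=24):
    """Names of snapshots that have outlived the usual ~24h retention at `now`."""
    cutoff = now - timedelta(hours=hours)
    return [name for ts, name in snapshots if ts < cutoff]


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink():
                continue  # record what the snapshot stores, not the link target
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(older_root, newer_root):
    """Files added, removed, or modified between two mounted snapshot roots."""
    old, new = hash_tree(older_root), hash_tree(newer_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def build_demo_trees():
    """Constructed stand-in for two mounted snapshots (not real APFS data)."""
    older = Path(tempfile.mkdtemp(prefix="snap1_"))
    newer = Path(tempfile.mkdtemp(prefix="snap2_"))
    files = {
        older / "Downloads/old.dmg": b"old installer",
        older / "Library/Preferences/com.example.plist": b"v1",
        older / "Documents/unchanged.txt": b"same",
        newer / "Library/Preferences/com.example.plist": b"v2",
        newer / "Documents/unchanged.txt": b"same",
        newer / "Documents/notes.txt": b"added between snapshots",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return older, newer


def demo_diff():
    older, newer = build_demo_trees()
    return diff_snapshots(older, newer)


if __name__ == "__main__":
    for ts, name in parse_snapshot_names(SAMPLE_LISTING):
        print(ts.isoformat(), name)
    print(demo_diff())
```

On a live examination the two roots would be the mount points of consecutive snapshots; hashing rather than comparing modification times matters because timestamps are themselves part of what an actor can alter, while a content change between snapshots cannot be hidden from the block-level record the snapshot preserves.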

Keep Up with all of Apple’s Changes

Apple's latest file system and updated hardware have changed how examiners image, carve, and handle encryption on devices.

Learn more about Cellebrite Inspector here.
