APFS Forensic Analysis: The Hard Parts
While forensic tools are slowly catching up on support for Apple’s new APFS file system, most still cannot handle the harder parts of APFS analysis. How do you go back in time to review what happened on an APFS volume? In Apple’s latest file system, snapshots are now used to store the history of changes to files. In addition, the file system may be creating this backup data in snapshots whether the user knows it or not. Stu Hutchinson will review the snapshot functionality built into APFS and why snapshots will be useful in your investigations.