A study on the APFS timestamps in MACOS

  • Authors

    • Jong Hwa Song
    • Se Ho Kim
    • Song Yi Hwang
    • Seung Gyu Kim
    • Sung Jin Lee
    2018-06-08
    https://doi.org/10.14419/ijet.v7i2.33.13870
  • APFS, Forensics, Timestamp, Log Archive, .DS_Store, Document Revisions
  • Background/Objectives: There are few time-analysis studies on High Sierra, the latest macOS (10.13), which changed the file system from HFS+ to APFS (Apple File System).

    Methods/Statistical analysis: In this experiment, we performed various actions on files and directories using an internal drive under Sierra and an external drive under High Sierra. The 'mdls' command and the time attributes shown in the Finder are used to compare the metadata. The 'log show' command is also used to check for system time modification. For analyzing the .DS_Store and db.sqlite files, we used a .DS_Store parser and DB Browser for SQLite.

    Findings: First, we briefly review time synchronization and APFS. We then compare the time records of HFS+ with those of APFS and note the differences. The unified logging (tracev3) files are analyzed with the 'log show' command, and it is confirmed that a log entry is left when the system time is changed. Next, we performed various actions on files and directories under Sierra and High Sierra and compiled the results into tables. As a result, we found that the accessed-time values were not reliably updated on High Sierra, for performance reasons. Finally, we also found file attribute values in the .DS_Store file in the Trash (RecycleBin) and in the database files of Document Revisions, which are present by default, and found that they can be used in forensic analysis.

    Improvements/Applications: Furthermore, it is necessary to examine and analyze how the time attributes of files change when files and folders are moved or copied with an APFS-formatted external storage device.

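As an added example (not code from the paper), the following Python script reproduces the kind of action-by-action timestamp table the Methods and Findings describe: it snapshots atime/mtime/ctime/birthtime around each action with os.stat() instead of 'mdls', so it also runs on Linux, and reports which fields moved. The action set, the constructed sample content, the 100 ms pause and the function names are assumptions of the example; on an APFS volume under High Sierra the 'read' row is where the access-time behaviour the authors report would show up.

```python
"""Timestamp-change experiment harness (added example, not from the paper).

Performs the kinds of file actions the authors tested (modify, read, rename,
copy, move), snapshots the POSIX timestamps around each one with os.stat()
rather than mdls, and reports which fields changed. Runs on macOS and Linux;
birthtime is reported as None where the platform's stat() does not expose it.
"""
import os
import shutil
import tempfile
import time

FIELDS = ("atime", "mtime", "ctime", "birthtime")


def snapshot(path):
    """Return the timestamps of `path` in nanoseconds (birthtime may be None)."""
    st = os.stat(path)
    if hasattr(st, "st_birthtime_ns"):
        birth = st.st_birthtime_ns
    elif hasattr(st, "st_birthtime"):
        birth = int(st.st_birthtime * 1_000_000_000)
    else:
        birth = None
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns,
            "ctime": st.st_ctime_ns, "birthtime": birth}


def changed_fields(before, after):
    """Names of the timestamp fields that differ between two snapshots."""
    return [f for f in FIELDS if before[f] != after[f]]


def run_experiment(workdir, pause=0.1):
    """Run the action sequence inside `workdir`; return {action: changed fields}.

    `pause` (assumed value) lets the filesystem clock tick between actions so
    an updated field is distinguishable from an unchanged one.
    """
    results = {}
    path = os.path.join(workdir, "sample.txt")
    subdir = os.path.join(workdir, "sub")
    os.mkdir(subdir)

    with open(path, "w") as fh:          # create (constructed sample content)
        fh.write("constructed sample content\n")
    before = snapshot(path)
    time.sleep(pause)

    with open(path, "a") as fh:          # modify: mtime and ctime should move
        fh.write("appended line\n")
    after = snapshot(path)
    results["modify"] = changed_fields(before, after)
    before = after
    time.sleep(pause)

    with open(path, "rb") as fh:         # read: atime depends on the mount's policy
        fh.read()
    after = snapshot(path)
    results["read"] = changed_fields(before, after)
    before = after
    time.sleep(pause)

    renamed = os.path.join(workdir, "renamed.txt")
    os.rename(path, renamed)             # rename in place: ctime only, mtime kept
    after = snapshot(renamed)
    results["rename"] = changed_fields(before, after)
    before = after
    time.sleep(pause)

    copied = os.path.join(workdir, "copy.txt")
    shutil.copy2(renamed, copied)        # copy2 copies atime/mtime; ctime/birth are new
    results["copy"] = changed_fields(before, snapshot(copied))
    time.sleep(pause)

    moved = os.path.join(subdir, "moved.txt")
    shutil.move(renamed, moved)          # same-volume move: ctime only, mtime kept
    results["move"] = changed_fields(before, snapshot(moved))
    return results


def run_in_tempdir():
    """Run the experiment in a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_experiment(tmp)


if __name__ == "__main__":
    for action, fields in run_in_tempdir().items():
        print(f"{action:7s} changed: {', '.join(fields) or '(none)'}")
```

Run it once on an HFS+ volume and once on an APFS volume and diff the two outputs; the rows that differ are the ones to document. The 'read' row is not asserted on because whether atime updates is a mount-policy decision (relatime/noatime on Linux, the APFS behaviour the paper reports on macOS), which is exactly the point the experiment is meant to surface.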
  • How to Cite

    Hwa Song, J., Ho Kim, S., Yi Hwang, S., Gyu Kim, S., & Jin Lee, S. (2018). A study on the APFS timestamps in MACOS. International Journal of Engineering & Technology, 7(2.33), 133-138. https://doi.org/10.14419/ijet.v7i2.33.13870