In recent years, the use of communication devices such as computers and smartphones has become indispensable in most people’s lives, and the number of people using Apple’s products has increased. This means that analysis of APFS, Apple’s current file system, is becoming increasingly important in digital forensic investigations. Many studies have been conducted on existing file systems, and detailed information, such as where data is located and how to recover deleted data, can be found for them. In APFS, information about user credentials, usage history, and downloaded files remains as artifacts. Currently, however, the study of APFS is focused on file recovery. Therefore, in this paper, we not only propose a method to recover deleted files, but also analyze and organize the important artifacts for digital forensic investigation. We also describe the applicability of existing HFS+ methods to APFS. Lastly, we describe the applicability of this analytical method and discuss further research.
Acknowledgements. This research was supported by the Energy Cloud R&D Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT (NRF-2019M3F2A1073385).