Photo of Joe T. Sylve

Joe T. Sylve, Ph.D.

Digital Forensic Researcher and Educator

APFS Internals

A deep dive into the Apple File System. The series began as the 2022 APFS Advent Challenge and has since grown into a 27-part reference covering the container layer, B-Trees, the volume and file-system layer, integrity and encryption, and APFS’s advanced features. The original posts have been revised and kept up to date rather than left as 2022 snapshots. The on-disk structures documented throughout are current as of macOS 27 Beta (apfs-3277.0.0.0.1).

Foundations

  1. Anatomy of an ObjectAPFS is a copy-on-write file system, consisting of a set of immutable objects that are...
  2. Kinds of ObjectsAs we discussed in our last post, objects are the fundamental building blocks of APFS....

The Container Layer

  1. ContainersAPFS is a pooled storage, transactional, copy-on-write file system. Its design relies on a core...
  2. NX Superblock ObjectsThe NX Superblock Object is a key component of APFS. It stores key information about...
  3. Checkpoint Maps and Ephemeral ObjectsIn our last post, we discussed NX Superblock Objects and how they can be used...

B-Trees and Indexing

  1. B-Trees (Part 1)In yesterday’s post, we discussed Checkpoint Maps, the simple linear-time data structures that APFS uses...
  2. B-Trees (Part 2)Mastering the skill of B-Tree traversal is essential in parsing information from APFS. Our last...
  3. Object MapsEarlier in this series, we discussed APFS Containers and how they address physical objects via...

Container Internals

  1. Space ManagerIn our earlier post on Containers, we introduced the Space Manager as the subsystem responsible...
  2. The ReaperIn our post on Containers, we introduced the Reaper as the subsystem responsible for garbage...
  3. EFI JumpstartAPFS containers include an embedded EFI driver that allows UEFI firmware to boot from APFS...

The Volume and File-System Layer

  1. Volume Superblock ObjectsThe Volume Superblock is a data structure containing key information about an individual APFS volume....
  2. File System TreesEach APFS volume has a logical file system stored on disk as a collection of...
  3. Inode and Directory RecordsEach APFS file system entry has both an inode and directory record. The inode record...
  4. Hard Links and SiblingsIn our post on Inode and Directory Records, we noted that a single inode may...
  5. Data StreamsData in APFS that is too large to store within records is stored elsewhere on...
  6. Transparent Compression (DECMPFS)APFS supports transparent file compression through the DECMPFS (Decompression File System) framework, shared with HFS+....
  7. ClonegroupsIn our post on Data Streams, we discussed how APFS implements file cloning through shared...

Integrity and Encryption

  1. Sealed VolumesWith the release of macOS 11, Apple added a security feature to APFS called sealed...
  2. KeybagsAPFS is designed with encryption in mind and removes the need for the Core Storage...
  3. Wrapped KeysIn our last post, we discussed both Volume and Container Keybags and how they protect...
  4. DecryptionNow that we know how to parse the File System Tree, analyze keybags, and unwrap...
  5. Encryption RollingIn our posts on Keybags, Wrapped Keys, and Decryption, we covered the static encryption architecture...

Snapshots and Advanced Features

  1. Snapshot MetadataEarlier in this series, we covered how Object Maps facilitate the implementation of point-in-time Snapshots...
  2. Volume GraftingVolume grafting is a mechanism introduced in macOS 13 that mounts a disk image’s APFS...
  3. Fusion ContainersAs we discussed in an earlier post, Apple’s Fusion Drives combine the storage capacity of...
  4. Speculative TelemetrySpeculative telemetry is an APFS feature that tracks the lifecycle of speculatively downloaded files: content...