Sarah Edwards (SANS Institute)

Abstract

Do you know what happens when a new file system comes out? ABSOLUTE MAYHEM! All your forensic analysis tools are broken and you are thrown into the forensic dark ages - stuck with just a hex editor and cold sweat.  APFS was introduced on iOS devices with 10.3 and natively on macOS with 10.13, High Sierra. This workshop will go through the current state of Apple’s new Apple File System (APFS). Topics discussed will include file system features, imaging, analysis methods, and current tool support.