Comparison of our tool afro (APFS file recovery) with Blackbag Blacklight and Sleuthkit

At this years ARES conference, Jonas Plum (Siemens) and me (Andreas Dewald, ERNW Research GmbH) published a paper about the forensic analysis of APFS, file system internals and presented different methodologies for file recovery. We also publicly released a tool implementing our presented approaches, called afro (APFS file recovery).

APFS is the file system for Apple devices that is used by default on all current iOS mobile devices, as well as macOS since High Sierra, and is thus currently rolled out on a large number of devices. By using afro, we evaluated and compared the different approaches amongst each other and identified the method that so far delivers the best results and compared it to photorec. This showed that AFRO outperforms photorec on the evaluated APFS dataset. In the presentations of this research we were often asked if other tools like Blackbags Blacklight do not already support this recovery process. So, we decided to compare the file recovery capabilities of BlackLight and afro. We wanted to compare afro to the sleuth kit as well, as at the DFRWS conference it was discussed about adding APFS Support to The Sleuthkit Framework, but no implementations are public yet.

We present the results of this comparison in in remainder of this blogpost.

Stages of file deletion


In APFS different stages of deleted files exist. Some deleted files are still be referenced from versioning structures in the file system. These can be recovered just by parsing the file system. Partially unreferenced files are not referenced from the root file system hierarchy any more. Parsing cannot restore those files and the goal of afro was to restore partially unreferenced files as well. Completely unreferenced files and file fragments can only be recovered by file carving.

APFS Parsing
APFS is structured in a single container that can contain multiple APFS volumes. The container superblock is the entry point to the file system and is located in the first block of the file system. The container superblock contains references to the volume superblocks, which in turn point to their own root node and so to all file nodes. These nodes can be parsed to obtain file name, file metadata and file contents.


By design, APFS offers the ability to recover certain states of the file system including old or deleted versions of files. The container superblock contains a reference to the checkpoint structure. The checkpoint references the preceding container superblock, which contains information in an older state of the file system. In this way multiple older states can be recovered by parsing this chain of container superblocks.

Recovery Methodologies
APFS is a copy-on-write file system and thus each block is copied before changes are applied. Therefore, a history of all files which were not overwritten and according file system structures exist. This results in a high number of artifacts that can be utilized in forensic file recovery.

From those artifacts, we identified three different approaches for file recovery that rely on different artifacts as entry points, which we present in this section: The signature-based file system metadata carving methods “NXSB carving” and “APSB carving”, as well as the heuristic file system metadata carving method “node carving”. All methods iterate the file system in blocks of 4096bytes, which is the smallest block size observed in APFS. Those blocks are checked for metadata structures which in turn are parsed and used to extract files.

NXSB carving APSB carving Node carving
  1. Iterate file system in blocks of 4096 byte1
  2. Check whether bytes 32 to 36 equal ‘NXSB’
  3. Verify checksum to eliminates false positives
  4. Parse identified container superblock & descent into all structures inside this container
  1. Iterate file system in blocks of 4096 byte1
  2. Check whether bytes 32 to 36 equal ‘APSB’
  3. Verify checksum to eliminates false positives
  4. Parse identified volume superblock & descent into all structures inside this volume
  1. Iterate file system in blocks of 4096 byte1
  2. Check whether bytes 24 to 26 (object type) equal ‘0x2’ or ‘0x3’
  3. Check if bytes 28 to 30 (subtype) equal ‘0xe’ (file subtype)
  4. Verify checksum to eliminates false positives
  5. Parse file node


Image Generation
For the ARES conferences we created a 100MB APFS image “wsdf.dmg”. We added a hierarchy of files of different types and folders to this image. Afterwards the “document” folder, which contains a pdf, txt, docx, pptx, and a xslx file was deleted. The image can be downloaded here. We use that simple image as a testcase for both tools.

Blacklight parses the filesystem and lists all non-deleted files. The extracted metadata is correct. It does not parse any of the deleted documents in the “document” folder. Even the carving process on unallocated space was not able to recover well-known file formats like pdf, docx, xslx and pptx. A screenshot of the recognized files can be seen below.


With afro we used the carving of volume superblocks to recover the data from the image.

afro -e bodyfile -e files -o 40 carve apsb wsdf.dmg

afro recovers all documents which existed in the “document” folder. They are even recovered twice: from the .Trash folder as well as the original location.


APFS support is still a developing topic and even blacklight’s advertised “leading APFS support” lacks recovery capabilities. afro does not handle some APFS features like snapshots, encryption or compression but is still the only tool we are aware of to recover all files from the image. We hope recovery from APFS will improve in the future and commercial tools like blacklight as well as open source solutions like the sleuth kit will add or enhance APFS support, as APFS is already rolled out widely.


P.S.: See also Jonas’ blogpost.

Continue reading

Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600

We recently identified security issues in the UNIFY OpenScape Desk Phone CP600 HFA software. We disclosed the vulnerabilities to Unify, as a fix is now provided we want to give a brief overview of the vulnerability affecting the web interface.


We were able to identify the following vulnerabilities in the Web interface of the telephone:


  • Command Injection in Picture Delete function of OpenScape Desk Phone Webportal
  • Unauthenticated Arbitrary File Access in the OpenScape Desk Phone Webportal
  • Memory Corruption in the OpenScape Desk Phone Webservice
  • Missing Hardening of the OpenScape Desk Phone Webservice Binary
  • Cross Site Request Forgery Missing in the OpenScape Desk Phone Webservice


For this blog post we will take a look at the command injection and how we exploited it.


The fixed version is V1 R2.7.0. More information about the OpenScape CP Desk Phones including release notes can be found under:

Continue reading “Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600”

Continue reading

Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018

*This event will be held in German*

Inspiriert durch die erfolgreichen Round-Table-Diskussionen der Troopers-Konferenz freuen wir uns, Ihnen heute mit dem Incident Analysis and Digital Forensics Summit 2018, eine weitere Veranstaltung in einer Reihe zu Trend-Themen im Bereich der IT-Sicherheit vorzustellen.

Die Veranstaltung beginnt am Morgen mit einem Eröffnungsvortrag von Thomas Schreck (Chairman of the Board des internationalen CERT Verbunds FIRST), gefolgt von Fallstudien und Vorträgen durch weitere Referenten aus der Industrie und Strafverfolgung.

Im Anschluss werden alle Teilnehmer in moderierten Round-Table-Diskussionen typische Problemstellungen und mögliche Lösungsansätze miteinander und den ERNW Experten diskutieren.

Die Veranstaltung eignet sich für Interessierte im Bereich der forensischen Informatik/digitalen Forensik, der Incident Analyse und Incident Response.

Durch die Fallstudien und die aktiven Round-Table Diskussionen lernen Sie aktuelle Probleme sowie Methoden und Möglichkeiten kennen, die Sie anschließend in Ihrem Alltag für die Behandlung kritischer IT-Sicherheitsvorfälle umsetzen können.

Der Summit ist Teil von den ERNW Insight Summit Series https://ernw-insight.de/de/events/ und findet in Heidelberg statt. Weitere Informationen finden Sie auf https://www.ernw-insight.de/de/events/2018-11-14-summit18-forensics/

Andreas Dewald

Continue reading
Breaking, Misc

Vulnerabilities in Sitefinity WCMS – A Success Story of a Responsible Disclosure Process


For those who never heard of Sitefinity before, it is an ASP.NET-based Web Content Management System (WCMS), which is used to deploy and manage applications as other CMS‘s do. A bitter quick glance at Sitefinity and its advantages can be found in this overview.

Delving into the core of this blog post, recently I had the opportunity to look at Sitefinity WCMS in which I found two reflected Cross Site Scripting (XSS) (CVE-2018-17053 and CVE-2018-17056), a stored XSS (CVE-2018-17054) and an arbitrary file upload (CVE-2018-17055) vulnerabilities.

I admit that the vulnerabilities mentioned in here are classical ones, but because of the huge spectrum of the platform versions affected, I thought it would be helpful to send a loud signal to whomever are using Sitefinity, so they can apply fixes and be safe 😉

Continue reading “Vulnerabilities in Sitefinity WCMS – A Success Story of a Responsible Disclosure Process”

Continue reading

Spraying arbitrary objects into the non-paged pool

Recently, I had some time to play around with HEVD [1], an extremly vulnerable Windows driver available for 32-bit and 64-bit systems.

Since exploits for all vulnerabilities of the 32-bit variant are publically available, I was wondering why this is not the case for the 64-bit version, especially for the pool corruption and UAF vulnerabilities.

Continue reading “Spraying arbitrary objects into the non-paged pool”

Continue reading

Active Directory Security Summit 2018, 13th. of November of 2018

I have the pleasure to announce the Active Directory Security Summit 2018 at 13th. of November of 2018. The summit covers current Active Directory security related topics such as challenging tasks of hybrid Active Directory operations as well as new security best practices and some ‘evergreens’ – Admin Tiering implementations (what about Exchange and DNS…??), ESAE operations etc. 😉 Continue reading “Active Directory Security Summit 2018, 13th. of November of 2018”

Continue reading

A few notes on WordPress Security

Taking a look at the CVE List for WordPress, most vulnerabilities aren’t found within the WordPress core but inside of third-party plugins and themes.

Today, let’s talk about WordPress.

Performing a WordPress assessment might seem boring at first as core functionality [tested] and configuration does not allow for extensive security misconfigurations. Luckily, most instances use plugins and themes to add features not offered by the WordPress core.

In this blog post I would like to discuss the findings and how I discovered them. Also, I will describe different vendor responsiveness reaching from not responding at all, to not understanding the issue to fast and professional responses kindly asking for a review of the updated code ready for deployment. Continue reading “A few notes on WordPress Security”

Continue reading

IPython Support for Binary Ninja

This blogpost is about the release of a plugin for Binary Ninja that allows you to run a Python Kernel inside the Binary Ninja GUI environment to which you can attach a Jupyer (QT) console, formerly known as IPython shell. The first section is about why this is useful, the second is about some issues I encountered and how to solve them, and the third contains everything you need to know to set it up. Continue reading “IPython Support for Binary Ninja”

Continue reading