At this year's ARES conference, Jonas Plum (Siemens) and I (Andreas Dewald, ERNW Research GmbH) published a paper about the forensic analysis of APFS, its file system internals, and presented different methodologies for file recovery. We also publicly released a tool implementing our presented approaches, called afro (APFS file recovery).
The last post was about a FUSE filesystem which provides read-only access to the proprietary Blue Coat filesystem. After some further investigations based on the possibilities this offered us, I started to implement a tool which allows modifying parts of the filesystem.
You may remember our last post regarding the SGOS system and the proprietary file system. Since then, we got access to a newer version of the system (126.96.36.199). Still not the most current one (which seems to be 188.8.131.52) nor of the 6.6.x branch (which seems to be 184.108.40.206) though. As this system version also used the same proprietary filesystem (although it initially booted from a FAT32 partition), I decided to take a deeper look into this.