Paragon APFS SDK allows developers to access APFS volumes from their forensic software, applications, devices, and appliances on non-Apple platforms

• Cross-platform implementation for Windows, Linux, macOS, RTOSes, and UEFI environments
• Regularly updated libraries. Every build is tested for reliability, functionality, and performance before leaving the lab
• Full read-only access on any APFS volumes:
  • Folder enumeration (both case-sensitive and case-insensitive)
  • Files reading (including cloned and compressed)
  • Get a list of file extended attributes (xattr)
  • Accessing all APFS sub-volumes
  • Reading encrypted volumes (if OpenSSL is present and detected by CMake)

• Read-only access to APFS volumes. A read-write version of Paragon APFS SDK will be available soon on site: https://www.paragon-software.com/
• Only first sub-volume can be accessed on 32-bit platforms
• Stable work with 16TB+ volumes is not guaranteed
• No support for hardware-encrypted APFS volumes
• No support for Big Endian platforms (MIPS, PowerPC)

The utility to test and show the UFSD SDK capabilities. Usage:

$ apfsutil <test_name> [options] /dev/xxx/path/to/file/or/folder where: test_name name of the test to run (see 'User scenarios' section) options: --passN=password use password for the volume N (for encrypted volumes). APFS volumes are listed from N=1 to 100 --trace turn on UFSD trace --subvolumes mount all sub-volumes (All sub-volumes from the container will be "mounted"in the 'Ufsd_Volumes' folder in the root)

For example:

$ sudo apfsutil readfile /dev/sdb1/test_folder/newfile.txt $ sudo apfsutil enumfolder --subvolumes --pass1=qwerty --pass2=qwerty2 /dev/sdb1/Ufsd_Volumes/Untitled/test_folder

or Windows

$ apfsutil enumfolder f:\test_folder

Important: All operations are only available for unlocked (unmounted) APFS containers!

• C++ compiler
• CMake
• (Optional) OpenSSL library

$ mkdir .build $ cd .build $ cmake .. $ cmake --build .

There are two ways for building apfsutil under Windows:

1. Compile with MSVC from VS2015 or later.
2. Download and install MinGW, add MinGW "bin" directory to the PATH system environment variable and run cmake with "MinGW Makefiles" generator.

$ mkdir .build $ cd .build $ cmake -G "MinGW Makefiles" .. $ cmake --build .

If you have both MinGW "bin" and MSYS "bin" directories in PATH, use "MSYS Makefiles" generator instead.

Warning: option --trace is available only in the debug mode. To build:

$ cmake -DCMAKE_BUILD_TYPE=Debug ..

apfsutil already contains some simple user scenarios, such as

apfsutil can work with all sub-volumes in an APFS container. To mount all ones, add option --subvolumes to the apfsutil arguments. Without this option, only the main (1st) volume will be mounted. Paragon APFS SDK puts sub-volumes in the "/Ufsd_Volumes" folder. To read or enumerate files and folders on a sub-volume, its full path should be specified. For example, first of all, get a list of sub-volumes. Note, for this user scenario the --subvolume is optional. If a required sub-volume name is known, this step can be skipped.

$ apfsutil listsubvolumes /dev/xxx Volumes: Untitled Volume2 MyEncryptedVolume APFS: listsubvolumes returns 0. finished in 4 ms

Then enumerate the root sub-volume folder, or read any file

$ apfsutil enumfolder /dev/xxx/Ufsd_Volumes/Untitled $ apfsutil readfile /dev/xxx/Ufsd_Volumes/Untitled/testfile.txt

To create your own custom case, put its name (any, but not previously defined) in the list named s_Cmd (in the linutil/apfsutil.cpp) and create a command handler (function) there.

staticconstt_CmdHandlers_Cmd[] = { { "enumroot" , OnEnumRoot }, // readdir example { "enumfolder" , OnEnumFolder }, // enumerate folder { "readfile" , OnReadFile }, // file reading { "listea" , OnListEa }, // list all extended attributes { "listsubvolumes" , OnEnumSubvolumes }, // sub-volumes enumeration// handlers for RW version { "createfile" , OnCreateFile }, // create file { "createfolder" , OnCreateFolder }, // create folder { "queryalloc" , OnQueryAlloc }, // list file extents (allocations) { "fsinfo" , OnFsInfo }, // get file system information//// TODO: add your handlers here// ... { NULL , NULL }, };

Test handler should be of type

typedefint (*HandlerFunc)(CFileSystem*, constchar*);

Inside your specified handler all public functions from base UFSD classes CFileSystem, CFile, CDir are available (for more details see ufs\ufsd\include\ufsd\u_fsbase.h).

After rebuilding the utility selected test case will be available to start

$ sudo apfsutil my_new_case /dev/xxx/path/to/file/or/folder

Some operations require the full Read-Write sources (The version will be available soon on site: https://www.paragon-software.com/). In the Community Edition these cases will return a "not implemented" error.

$ sudo apfsutil fsinfo /dev/sdb1 APFS Volume [0] 0F7AFC7E-BDF6-4546-8494-2A0C449E8D1F Name : volume1 (Case-insensitive) Creator : newfs_apfs (945.200.129) Used Clusters : 1187894 Reserved Clusters : 0 Files : 63478 Directories : 1630 Symlinks : 5 Special files : 0 Snapshots : 0 Encrypted : Yes APFS Volume [1] D45089E3-D391-4246-9490-B4EAC8D4E395 Name : volume2 (Case-insensitive) Creator : diskmanagementd (945.200.129) Used Clusters : 270 Reserved Clusters : 0 Files : 71 Directories : 19 Symlinks : 1 Special files : 0 Snapshots : 0 Encrypted : No APFS Volume [2] 9D8EBA18-B110-4FCB-86FC-3E18B304628E Name : volume3 (Case-insensitive) Creator : diskmanagementd (945.200.129) Used Clusters : 265 Reserved Clusters : 0 Files : 64 Directories : 18 Symlinks : 0 Special files : 0 Snapshots : 0 Encrypted : No

The utility can return following exit codes:

The license for this project is defined in a separate document "LICENSE.txt" Paragon APFS SDK also contains the following code:

• lzfse - Copyright (c) 2015-2016, Apple Inc. All rights reserved. https://github.com/lzfse/lzfse/blob/master/LICENSE
• zlib - Copyright (c) 1995-2017 Jean-loup Gailly and Mark Adler
• icu - Copyright (c) 1991-2019 Unicode, Inc. All rights reserved. https://www.unicode.org/copyright.html.