
Getting Started

Learn the basic principles of exhuming an Apple File System (APFS) container from a disk image.

The exhume_apfs module helps an investigator analyse an APFS container found in a disk image: it lists the volumes inside the container, resolves paths to inodes, shows inode metadata and extracts the raw content of files.

🛠️ Prerequisites

Installing Rust

The Exhume Toolkit is written in Rust, so a Rust toolchain (rustc and cargo) is required to build or install it. The rustup installer below sets one up:

curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh

Installing Exhume APFS

The following builds the crate from source and installs the exhume_apfs binary into cargo's bin directory (~/.cargo/bin by default, which must be on your PATH):

cargo install exhume_apfs

🚀 Basic Usage

Options

Option                        Description
-b, --body <body>             Path to the body (disk image) to exhume.
-f, --format <format>         Image format: 'raw', 'ewf', or 'auto'.
-o, --offset <offset>         Start address of the APFS container (decimal or hex).
-s, --size <size>             Size of the APFS container in sectors (decimal or hex).
--volume-index <index>        Select a specific volume index (default: 0).
--list-volumes                List all discovered APFS volumes with their metadata.
--root-inode                  Auto-detect and print the root inode id of the selected volume.
--inode <inode>               Show inode metadata for a specific inode number.
--dir_entry                   If --inode is a directory, list its directory entries.
--path <path>                 Resolve a path and show its inode metadata.
--dump                        If --inode is a regular file, write its raw content to stdout.
--omap-oid <oid>              Query the selected volume's OMAP for this object id.
-j, --json                    Output in JSON format.
-l, --log-level <log_level>   Set the log verbosity level (default: info).
-h, --help                    Print help.
-V, --version                 Print version.

The image, its format and the container's offset and size are always required; the remaining options select what is printed:

exhume_apfs -b <path_to_image> -f <format> -o <offset> -s <size> [options]

📘 Example

The offset (0x5000) and size (0x100000) used below are placeholders: take the real values for the APFS partition from the image's partition table.

Listing volumes

Enumerate the volumes inside the container, with their metadata, before selecting one with --volume-index:

exhume_apfs -b disk.E01 -f ewf --offset 0x5000 --size 0x100000 --list-volumes

Listing a directory

Inode 2 is the root directory of an APFS volume (--root-inode prints the root inode id of the selected volume if you prefer not to hard-code it); --dir_entry lists its entries:

exhume_apfs -b disk.E01 -f ewf --offset 0x5000 --size 0x100000 --inode 2 --dir_entry

Resolving a path

Resolve a path inside the selected volume and print the metadata of the inode it points to:

exhume_apfs -b disk.E01 -f ewf --offset 0x5000 --size 0x100000 --path "/Users/k1nd0ne/Desktop"
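The three commands above, plus --dump, are the building blocks of a typical extraction workflow: select a volume, walk to the file of interest, dump its bytes, and record a hash of what was extracted. The wrapper below is an added example written for this page, not code from the exhume project: it reuses the image, format, offset, size and volume arguments across invocations, and dumps an inode to a file while appending its SHA-256 and size to a manifest. The image path and container offset/size are placeholders, and the tool is resolved through the EXHUME_APFS variable so that a stand-in command can be substituted.

```shell
#!/bin/sh
# Added example: a small extraction wrapper around the exhume_apfs CLI.
# Not part of exhume_apfs itself. IMAGE/OFFSET/SIZE are placeholders
# (assumed values); read the real ones from the image's partition table.
set -eu

EXHUME_APFS="${EXHUME_APFS:-exhume_apfs}"
IMAGE="${IMAGE:-disk.E01}"
FORMAT="${FORMAT:-ewf}"
OFFSET="${OFFSET:-0x5000}"
SIZE="${SIZE:-0x100000}"
VOLUME="${VOLUME:-0}"

# Run exhume_apfs against the configured container and volume, passing
# through whatever action options (--list-volumes, --inode N --dump, ...) follow.
apfs_cmd() {
    "$EXHUME_APFS" -b "$IMAGE" -f "$FORMAT" \
        --offset "$OFFSET" --size "$SIZE" \
        --volume-index "$VOLUME" "$@"
}

# SHA-256 of a file, using whichever hasher the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Dump inode $1 (which must be a regular file) to the output file $2 and
# append "<inode> <sha256> <bytes> <output>" to the manifest $3.
# Prints the hash so callers can check it. Fails if the dump itself fails.
extract_file() {
    inode="$1"; out="$2"; manifest="$3"
    apfs_cmd --inode "$inode" --dump > "$out"
    sum=$(sha256_of "$out")
    bytes=$(wc -c < "$out" | tr -d ' ')
    printf '%s %s %s %s\n' "$inode" "$sum" "$bytes" "$out" >> "$manifest"
    printf '%s\n' "$sum"
}

# Stand-alone usage: only runs when the tool and the image are actually present.
if command -v "$EXHUME_APFS" >/dev/null 2>&1 && [ -r "$IMAGE" ]; then
    apfs_cmd --list-volumes
    apfs_cmd --root-inode
    apfs_cmd --path "/Users/k1nd0ne/Desktop"
    # Assumed inode number for illustration; take it from --dir_entry output.
    extract_file 12345 ./inode-12345.bin ./manifest.txt
fi
```

Because --dump writes the file's raw bytes to stdout, nothing else may be mixed into that stream; if log lines ever appear inside a dumped file, lower the verbosity with -l before redirecting. Record the manifest alongside the image so that every extracted artifact can later be tied back to its inode and verified by hash.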