# macOS Disk Imaging

## Executive Summary

Apple's APFS file system uses a **shared-container architecture**. This has important implications for forensic imaging:

* You can only obtain a forensically sound macOS image by acquiring an **entire APFS container**.
* It is **not possible** to acquire a usable APFS volume-level image, because APFS volumes do not contain the full metadata required to stand alone.
* This applies to Intel and Apple Silicon systems, encrypted and unencrypted APFS, and all imaging tools including AIR and `dd`.

{% hint style="success" %}
AIR fully supports forensically sound disk-level acquisition on macOS when SIP is disabled. The resulting full-container images can be analysed in AIR or third-party forensic tools.
{% endhint %}

## Understanding APFS Forensic Imaging

APFS containers host multiple volumes that share container-level metadata:

* The container superblock and checkpoint area, which record the current state of every volume
* The space manager, which tracks free and allocated blocks for the whole container rather than per volume
* The container object map, which is the only way to locate each volume's superblock
* The container keybag, which holds the wrapped encryption keys of encrypted volumes

A volume's own object map, B-trees and file extents are addressed by container-relative block numbers, and all volumes draw from the same pool of free blocks, so a volume does not occupy a fixed range of the disk that could be dumped on its own. Because APFS volumes cannot function independently, volume-only images cannot be mounted or parsed. **Forensically valid macOS imaging requires acquiring an entire APFS container.**

## System Integrity Protection (SIP)

macOS includes a security technology called **System Integrity Protection (SIP)**. SIP restricts access to protected system locations and processes, even for processes running as root, to protect the operating system from malicious software. In practice this also covers raw reads of the internal boot disk's device node, which is exactly the access a block-level imager needs.

{% hint style="warning" %}
**SIP Must Be Disabled for Disk Imaging**

If SIP is enabled on a macOS machine, disk image acquisition is not possible. When you attempt to assign an image task to a machine with SIP enabled, the AIR Console displays a warning.
{% endhint %}

<figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-1bb27d2d15740563214788c36ab9d75030a3d4d7%2Fmacos_disk_imaging_air_console_warning_when_sip_is_enabled.png?alt=media" alt=""><figcaption><p>macOS Disk Imaging: AIR Console warning when SIP is enabled</p></figcaption></figure>

### Disabling SIP

To proceed with acquiring a disk image, SIP must be disabled. This requires booting the Mac into **Recovery Mode**. The method to access Recovery Mode varies depending on whether the Mac is Intel-based or Apple Silicon-based.

#### For Intel-based Macs

1. Restart your Mac.
2. Immediately press and hold **Command-R** until you see the startup screen.
3. If you see a lock, enter the password for your Mac.

#### For Apple Silicon Macs

1. On your Mac, choose **Apple menu > Shut Down**.
2. Press and hold the **power button** on your Mac until the system volume and the Options button appear.
3. Click the **Options** button, then click **Continue**.

#### Disabling SIP via Terminal

Once in Recovery Mode:

1. Select **Terminal** from the **Utilities** menu.
2. Enter the following command:

```bash
csrutil disable
```

3. After successfully disabling SIP, restart the machine.
4. Once the Mac has booted normally, confirm the change by running `csrutil status` in Terminal; it should report `System Integrity Protection status: disabled.`

On Apple Silicon Macs, `csrutil disable` asks you to confirm and to authenticate as an administrator of the installed macOS before it lowers the security policy.

You should now see that the warning in the AIR Console has disappeared, allowing you to assign a disk image acquisition task to the responder.

Disabling SIP changes the security configuration of the evidence machine itself, so note when it was done in your case records, and re-enable it from Recovery Mode with `csrutil enable` once acquisition is complete.

## Acquiring a Disk Image on macOS

### What You Can Do with AIR

#### Full APFS Container Imaging (Supported)

AIR can acquire a full, block-level image of the physical disk (capturing the APFS container) once SIP is disabled. A full-container image:

* Contains all APFS metadata and structure
* Is accepted by APFS-aware forensic tools
* Can be used directly inside AIR

**This is the correct and only method for creating a forensically sound image of an APFS container.**

#### APFS Volume-Level Imaging (Not Possible)

AIR, like all forensic tools, cannot produce a valid standalone image of an APFS volume. Volume images:

* Cannot be mounted
* Cannot be parsed
* Are not forensically useful

{% hint style="info" %}
This is a limitation of APFS itself, not AIR. The same behaviour occurs with any imaging tool including the native `dd` command.
{% endhint %}

### Disk Tab vs Volume Tab

When you select the **Acquire Image** task, you are presented with two tabs: **Disk** and **Volume**.

#### Disk Tab

The Disk tab (as seen below) lists the system's physical disks and any virtual disk devices. APFS containers live inside partitions on these disks, not at the same level.

**Best forensic choice** (the most common case)

On almost all APFS Macs, **rdisk0 is the physical internal SSD**. The other rdisk entries are synthesized devices, one per APFS container, whose slices are the APFS volumes (Macintosh HD, Preboot, Recovery, VM, Data), plus any external media or disk images mounted in the OS.

Therefore, in most cases, to get a complete, integrity-preserving image you should acquire **/dev/rdisk0, the full physical disk**.

Do not assume the number blindly. Run `diskutil list` on the endpoint: the target is the disk headed `(internal, physical)` whose `Apple_APFS` partition appears as the `Physical Store` of the synthesized container holding Macintosh HD and Data. Two cases need care: a Mac with a Fusion Drive has one APFS container with two physical stores on two physical disks, and both disks must be imaged for the container to be complete; and external drives also appear as physical disks, so check the header rather than picking the lowest number.

<figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-25a2afbaad04f32ee16f9605770bdc3ca3ff3c4f%2Fmacos_disk_imaging_apfs_disk_view_showing_available_physical_disks.png?alt=media" alt=""><figcaption><p>macOS Disk Imaging: APFS disk view showing available physical disks</p></figcaption></figure>

Images acquired from the Disk tab for APFS containers can be mounted and verified as accessible file systems.

### Identifying the Correct APFS Container

macOS systems, particularly Apple Silicon Macs, often contain **multiple APFS containers** on a single physical disk. On Apple Silicon the internal disk carries the iBoot System Container (partition type `Apple_APFS_ISC`), the recovery container (`Apple_APFS_Recovery`) and the primary system container (`Apple_APFS`); the Preboot, Recovery, VM and Data volumes are members of the primary container, not separate containers. Intel Macs normally carry only the primary container alongside a small EFI partition.

For forensic purposes, the container of interest is the **largest one**, which houses the **Macintosh HD** system volume and the associated **Data** volume containing user files. A full image of the physical disk (for example `/dev/rdisk0` in the AIR Disk tab) captures every container on that disk, including the smaller ones. Examiners should verify the container contents after acquisition to confirm they have captured the intended system and user data.
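The following script, added here and not part of AIR or this knowledge base, makes the pre-flight concrete using the endpoint's own tools: it parses `csrutil status` to confirm SIP is disabled (the step described under Disabling SIP via Terminal) and `diskutil list` to find the physical disk or disks behind the largest `Apple_APFS` container, warning about Fusion Drive containers that span two disks and about containers with no Data volume. The `csrutil` and `diskutil` text it carries is a constructed sample modelled on an Apple Silicon Mac and is used only when those tools are not present.

```python
"""Pre-flight check before assigning an AIR disk image task on a Mac.

Added example, not Binalyze's code: parses `csrutil status` and `diskutil list`
to confirm SIP is off and to pick the physical disk(s) backing the primary APFS
container. Off a Mac it falls back to the constructed sample output below.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample output modelled on an Apple Silicon Mac; not captured from a case.
SAMPLE_CSRUTIL = "System Integrity Protection status: disabled.\n"
SAMPLE_DISKUTIL = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         494.4 GB   disk0s2
   3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +494.4 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            9.6 GB     disk3s1
   2:                APFS Volume Preboot                 6.1 GB     disk3s2
   3:                APFS Volume Recovery                1.0 GB     disk3s3
   4:                APFS Volume Data                    200.2 GB   disk3s5
   5:                APFS Volume VM                      20.5 KB    disk3s6
"""

HEADER = re.compile(r"^/dev/(disk\d+) \((.*)\):$")
APFS_PART = re.compile(r"^\s+\d+:\s+(Apple_APFS\w*) Container (disk\d+)\s+([\d.]+) ([KMGT]B)\s+disk\d+s\d+$")
PHYS_STORE = re.compile(r"^\s+Physical Store (disk\d+s\d+)$")
VOLUME = re.compile(r"^\s+\d+:\s+APFS Volume (.+?)\s+[\d.]+ [KMGT]B\s+disk\d+s\d+$")
UNITS = {"KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}  # diskutil reports decimal units


@dataclass
class Container:
    synth: str                                   # synthesized device, e.g. disk3
    kind: str                                    # Apple_APFS, Apple_APFS_ISC or Apple_APFS_Recovery
    size_bytes: int
    stores: list = field(default_factory=list)   # physical store partitions, e.g. disk0s2
    volumes: list = field(default_factory=list)  # volume names inside the container


def sip_status(text):
    """Status word from `csrutil status`: 'enabled', 'disabled' or 'unknown' (custom configuration)."""
    m = re.search(r"status:\s*(\w+)", text)
    return m.group(1).lower() if m else "unparsed"


def parse_diskutil_list(text):
    """Map each /dev/diskN to its header kind, and each synthesized disk to its Container."""
    kinds, containers, current = {}, {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = m.group(1)
            kinds[current] = m.group(2)
        elif m := APFS_PART.match(line):
            kind, synth, num, unit = m.groups()
            containers[synth] = Container(synth, kind, round(float(num) * UNITS[unit]))
        elif (m := PHYS_STORE.match(line)) and current in containers:
            containers[current].stores.append(m.group(1))
        elif (m := VOLUME.match(line)) and current in containers:
            containers[current].volumes.append(m.group(1))
    return kinds, containers


def choose_target(kinds, containers):
    """Largest Apple_APFS container wins; return (raw devices to image, warnings)."""
    main = max((c for c in containers.values() if c.kind == "Apple_APFS"),
               key=lambda c: c.size_bytes, default=None)
    if main is None:
        return [], ["no Apple_APFS container found"]
    # The synthesized disk cannot be imaged on its own; image the whole disk under each physical store.
    disks = sorted({re.match(r"disk\d+", s).group(0) for s in main.stores})
    warnings = []
    if len(disks) > 1:
        warnings.append(f"{main.synth} spans {disks} (Fusion Drive): image every listed disk")
    warnings += [f"{d} is not an internal disk ({kinds.get(d)})" for d in disks if "internal" not in kinds.get(d, "")]
    if "Data" not in main.volumes:
        warnings.append(f"{main.synth} has no Data volume; volumes seen: {main.volumes}")
    return [f"/dev/r{d}" for d in disks], warnings


def run_or_sample(cmd, sample):
    """Run the macOS tool when present; otherwise use the constructed sample so this runs anywhere."""
    if shutil.which(cmd[0]):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return sample


def preflight():
    status = sip_status(run_or_sample(["csrutil", "status"], SAMPLE_CSRUTIL))
    devices, warnings = choose_target(*parse_diskutil_list(run_or_sample(["diskutil", "list"], SAMPLE_DISKUTIL)))
    if status != "disabled":
        warnings.insert(0, f"SIP status is '{status}': AIR will not run the image task until it is disabled")
    return devices, warnings


if __name__ == "__main__":
    print(preflight())
```

Run it on the endpoint with `python3 preflight.py`; when more than one device is listed, image each of them, since the container is incomplete without all of its physical stores.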

#### Volume Tab

The Volume tab displays individual volumes. For APFS volumes, acquisition from this tab will fail due to the container architecture limitations.

<figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-72934fffb797dcfcc9a111f016bac305b6d07217%2Fmacos_disk_imaging_volumes_tab_showing_available_volumes.png?alt=media" alt=""><figcaption><p>macOS Disk Imaging: Volumes tab showing available volumes</p></figcaption></figure>

Attempting to acquire an APFS volume image results in an error:

<figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-62b9e1c6f699296f5fee8b871b38793b2371dcf4%2Fmacos_disk_imaging_volume_imaging_fails_due_to_apfs_architecture.png?alt=media" alt=""><figcaption><p>macOS Disk Imaging: Volume imaging fails due to APFS architecture</p></figcaption></figure>

### Verifying a Successful Acquisition

After acquiring a full APFS container image, you can verify the image by mounting it in a forensic tool or within AIR.

<figure><img src="https://1662683669-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA8kGzryHKp7UhDaLtzW%2Fuploads%2Fgit-blob-eee805b35515537a254d1d63a024cce7fa5362c5%2Fmacos_disk_imaging_test_the_mounted_image_to_verify_acquisition_success.png?alt=media" alt=""><figcaption><p>macOS Disk Imaging: Test the mounted image to verify acquisition success</p></figcaption></figure>
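As an added example, not AIR's own verification and not Apple's code, the script below performs the check an examiner would run on an exported raw full-disk image, and it is also the concrete form of the hash validation step in the recommended workflow: it hashes the image, walks the GPT (trying both 512- and 4096-byte sectors, since Apple Silicon internal SSDs use the latter) and, for every Apple APFS partition, confirms that a container superblock with the `NXSB` magic and a valid APFS Fletcher-64 checksum sits at the partition start. A dump that begins inside a volume has neither a GPT nor an `NXSB` block, which is the concrete reason a Volume tab image cannot be mounted. Structure offsets follow Apple's published APFS layout and the UEFI GPT layout; `build_sample_image()` constructs a small synthetic image so the script runs offline.

```python
"""Sanity-check a raw full-disk image for an intact APFS container.

Added example, not Binalyze's code or AIR's own verifier: hashes the image,
walks the GPT, and checks that each Apple APFS partition begins with a container
superblock (magic NXSB) whose Fletcher-64 checksum verifies. The sample image is constructed.
"""
import hashlib
import struct
import uuid

APFS_TYPE_GUID = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
MOD = 0xFFFFFFFF  # APFS Fletcher-64: 32-bit little-endian words summed modulo 2^32 - 1


def fletcher64(block):
    """Checksum expected in the first 8 bytes of an APFS object block (those 8 bytes are skipped)."""
    sum1 = sum2 = 0
    for w in struct.unpack_from(f"<{len(block) // 4 - 2}I", block, 8):
        sum1 += w
        sum2 += sum1
    sum1, sum2 = sum1 % MOD, sum2 % MOD
    c1 = MOD - (sum1 + sum2) % MOD
    c2 = MOD - (sum1 + c1) % MOD
    return (c2 << 32) | c1


def gpt_partitions(img):
    """Yield (type GUID, start byte, size bytes, name); handles 512- and 4096-byte sectors."""
    for sector in (512, 4096):  # Apple Silicon internal SSDs expose 4096-byte sectors
        hdr = img[sector:sector + 92]
        if hdr[:8] == b"EFI PART":
            break
    else:
        raise ValueError("no GPT header at LBA 1: this is not a whole-disk image")
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        off = entries_lba * sector + i * entry_size
        e = img[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=bytes(e[:16]))
        if type_guid.int:  # all-zero type GUID marks an unused entry
            first, last = struct.unpack_from("<QQ", e, 32)
            yield type_guid, first * sector, (last - first + 1) * sector, e[56:128].decode("utf-16-le").rstrip("\0")


def read_superblock(img, offset):
    """Parse the nx_superblock at `offset`, or return None when no NXSB magic is there."""
    hdr = img[offset:offset + 4096]
    if hdr[32:36] != b"NXSB":
        return None
    block_size, block_count = struct.unpack_from("<IQ", hdr, 36)
    block = img[offset:offset + block_size]
    fs_oids = struct.unpack_from("<100Q", hdr, 184)  # nx_fs_oid[]: one non-zero entry per volume
    return {
        "uuid": str(uuid.UUID(bytes=bytes(hdr[72:88]))),
        "block_size": block_size,
        "block_count": block_count,
        "fs_count": sum(1 for oid in fs_oids if oid),
        "checksum_ok": struct.unpack_from("<Q", block, 0)[0] == fletcher64(block),
    }


def check_image(img):
    """Report on every APFS partition; 'ok' means NXSB present, checksum valid, size consistent."""
    report = {"sha256": hashlib.sha256(img).hexdigest(), "containers": []}
    for type_guid, start, size, name in gpt_partitions(img):
        if type_guid != APFS_TYPE_GUID:
            continue
        sb = read_superblock(img, start) or {"checksum_ok": False, "block_size": 0, "block_count": 0}
        # Block 0 holds a valid superblock, but the newest one lives in the checkpoint area.
        sb.update(name=name, ok=sb["checksum_ok"] and 0 < sb["block_size"] * sb["block_count"] <= size)
        report["containers"].append(sb)
    return report


def build_sample_image(sector=4096):
    """Constructed image: protective MBR, GPT with one APFS partition, synthetic NXSB at its start."""
    first, last = 6, 13
    img = bytearray((last + 2) * sector)
    img[510:512] = b"\x55\xaa"
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)  # revision 1.0, header size
    struct.pack_into("<QII", hdr, 72, 2, 1, 128)     # one 128-byte entry at LBA 2
    img[sector:sector + 92] = hdr
    entry = bytearray(128)
    entry[:16] = APFS_TYPE_GUID.bytes_le
    entry[16:32] = uuid.UUID(int=1).bytes_le
    struct.pack_into("<QQ", entry, 32, first, last)
    entry[56:74] = "Container".encode("utf-16-le")
    img[2 * sector:2 * sector + 128] = entry
    sb = bytearray(4096)
    struct.pack_into("<QQII", sb, 8, 1, 1, 0x80000001, 0)  # oid, xid, type NX_SUPERBLOCK|PHYSICAL, subtype
    sb[32:36] = b"NXSB"
    struct.pack_into("<IQ", sb, 36, 4096, (last - first + 1) * sector // 4096)
    sb[72:88] = uuid.UUID(int=2).bytes
    struct.pack_into("<I5Q", sb, 180, 100, 0x402, 0x403, 0x404, 0x405, 0x406)  # five volume oids
    struct.pack_into("<Q", sb, 0, fletcher64(bytes(sb)))
    img[first * sector:first * sector + 4096] = sb
    return bytes(img)


if __name__ == "__main__":
    import mmap, sys
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
        print(check_image(img))
```

Run it as `python3 check_apfs_image.py image.dd` against the exported file and compare the printed SHA-256 with the hash recorded at acquisition; a matching hash plus an `ok` container entry shows the image is both unaltered and structurally an APFS container. A failed `ok` with `checksum_ok` false points at a damaged or truncated copy rather than at the original disk.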

## File System Support and Expected Outcomes

The following table summarises acquisition behaviour across different file systems:

| File System                          | Disk Tab        | Volume Tab     | Image Usability              |
| ------------------------------------ | --------------- | -------------- | ---------------------------- |
| **APFS**                             | ✅ Supported     | ❌ Not possible | Usable (full container only) |
| **APFS (Encrypted)**                 | ✅ Supported     | ❌ Not possible | Usable (full container only) |
| **APFS (Case-Sensitive)**            | ✅ Supported     | ❌ Not possible | Usable (full container only) |
| **APFS (Case-Sensitive, Encrypted)** | ✅ Supported     | ❌ Not possible | Usable (full container only) |
| **Mac OS Extended (HFS+)**           | Does not appear | ✅ Supported    | Usable                       |
| **Mac OS Extended (Case-Sensitive)** | Does not appear | ✅ Supported    | Usable                       |
| **MS-DOS (FAT)**                     | Does not appear | ✅ Supported    | Often not usable             |
| **ExFAT**                            | Does not appear | ✅ Supported    | Often not usable             |

## Working With APFS Images

A full APFS container image acquired via AIR can be:

* Mounted in forensic tools
* Processed by AIR
* Parsed by APFS libraries

It contains snapshots, deleted artifacts, system and user data, and full filesystem structure.

## Recommended Workflow

1. **Disable SIP** via Recovery Mode
2. **Acquire an APFS container** from the Disk tab
3. **Validate hashes** to confirm integrity
4. **Mount/import image** in your forensic tool
5. **Analyse** the complete APFS dataset

## Key Takeaways

{% hint style="success" %}
**Summary**

1. **APFS volumes cannot be imaged individually** — this is a limitation of APFS architecture, not AIR.
2. **Full APFS container imaging is required** for forensically sound macOS acquisition.
3. **SIP must be disabled** before attempting disk image acquisition.
4. **AIR fully supports correct APFS acquisition** — use the Disk tab for APFS systems.
5. **HFS+ (Mac OS Extended) volumes** can be successfully acquired and mounted from the Volume tab.
6. For **encrypted APFS volumes** on T2/Apple Silicon Macs, consider using **logical collection** via acquisition profiles as an alternative to physical imaging.
{% endhint %}

## Related Pages

* [Disk and Volume Imaging Overview](https://kb.binalyze.com/air/features/acquisition/disk-and-volume-imaging)
* [Imaging with interACT](https://kb.binalyze.com/air/features/acquisition/disk-and-volume-imaging/imaging-with-interact)
