search
Back to binalyze.com

macOS Disk Imaging

Definitive guidance for imaging APFS disks on Intel and Apple Silicon Macs

hashtag
Executive Summary

Apple's APFS file system uses a shared-container architecture. This has important implications for forensic imaging:

  • You can only obtain a forensically sound macOS image by acquiring an entire APFS container.

  • It is not possible to acquire a usable APFS volume-level image, because APFS volumes do not contain the full metadata required to stand alone.

  • This applies to Intel and Apple Silicon systems, encrypted and unencrypted APFS, and all imaging tools including AIR and dd.

circle-check

AIR fully supports forensically sound disk-level acquisition on macOS when SIP is disabled. The resulting full-container images can be analysed in AIR or third-party forensic tools.

hashtag
Understanding APFS Forensic Imaging

APFS containers host multiple volumes that share critical metadata:

  • Object maps

  • Checkpoints and snapshots

  • Allocation tables

  • Encryption state

Because APFS volumes cannot function independently, volume-only images cannot be mounted or parsed. Forensically valid macOS imaging requires acquiring an entire APFS container.

hashtag
System Integrity Protection (SIP)

macOS includes a security technology called System Integrity Protection (SIP). This technology restricts user access to certain folders and processes to protect the operating system from malicious software.

circle-exclamation

SIP Must Be Disabled for Disk Imaging

If SIP is enabled on a macOS machine, disk image acquisition is not possible. When you attempt to assign an image task to a machine with SIP enabled, the AIR Console displays a warning.

macOS Disk Imaging: AIR Console warning when SIP is enabled

hashtag
Disabling SIP

To proceed with acquiring a disk image, SIP must be disabled. This requires booting the Mac into Recovery Mode. The method to access Recovery Mode varies depending on whether the Mac is Intel-based or Apple Silicon-based.

hashtag
For Intel-based Macs

  1. Restart your Mac.

  2. Immediately press and hold Command-R until you see the startup screen.

  3. If you see a lock, enter the password for your Mac.

hashtag
For Apple Silicon Macs

  1. On your Mac, choose Apple menu > Shut Down.

  2. Press and hold the power button on your Mac until the system volume and the Options button appear.

  3. Click the Options button, then click Continue.

hashtag
Disabling SIP via Terminal

Once in Recovery Mode:

  1. Select Terminal from the Utilities menu.

  2. Enter the following command:

  1. After successfully disabling SIP, restart the machine.

You should now see that the warning in the AIR Console has disappeared, allowing you to assign a disk image acquisition task to the responder.

hashtag
Acquiring a Disk Image on macOS

hashtag
What You Can Do with AIR

hashtag
Full APFS Container Imaging (Supported)

AIR can acquire a full, block-level image of the physical disk (capturing the APFS container) once SIP is disabled. A full-container image:

  • Contains all APFS metadata and structure

  • Is accepted by APFS-aware forensic tools

  • Can be used directly inside AIR

This is the correct and only method for creating a forensically sound image of an APFS container.

hashtag
APFS Volume-Level Imaging (Not Possible)

AIR, like all forensic tools, cannot produce a valid standalone image of an APFS volume. Volume images:

  • Cannot be mounted

  • Cannot be parsed

  • Are not forensically useful

circle-info

This is a limitation of APFS itself, not AIR. The same behaviour occurs with any imaging tool including the native dd command.

hashtag
Disk Tab vs Volume Tab

When you select the Acquire Image task, you are presented with two tabs: Disk and Volume.

hashtag
Disk Tab

The Disk tab (as seen below) displays entries that represent the system’s physical disks or virtual disk devices. APFS containers reside inside these disks, not at the same level.

Best forensic choice (The most common case)

On almost all APFS Macs: rdisk0 is the actual physical internal SSD

All other rdisk entries (rdisk1–rdisk4) are synthesized or virtual devices (APFS Preboot stores, VM stores, snapshots, container-derived devices, or disk images mounted in the OS)

Therefore, in most cases, to get a complete, integrity-preserving image you should acquire: /dev/rdisk0 — the full physical disk

macOS Disk Imaging: APFS disk view showing available physical disks

Images acquired from the Disk tab for APFS containers can be mounted and verified as accessible file systems.

hashtag
Identifying the Correct APFS Container

macOS systems—particularly Apple Silicon Macs—often contain multiple APFS containers on a single physical disk. These may include separate containers for system recovery, preboot, and virtual machine storage, in addition to the primary system container.

For forensic purposes, the container of interest is typically the largest one, which houses the Macintosh HD system volume and the associated Data volume containing user files. In the AIR Disk tab, this is usually represented by the primary physical disk entry (e.g., /dev/rdisk0). Examiners should verify the container contents after acquisition to confirm they have captured the intended system and user data.

hashtag
Volume Tab

The Volume tab displays individual volumes. For APFS volumes, acquisition from this tab will fail due to the container architecture limitations.

macOS Disk Imaging: Volumes tab showing available volumes

Attempting to acquire an APFS volume image results in an error:

macOS Disk Imaging: Volume imaging fails due to APFS architecture

hashtag
Verifying a Successful Acquisition

After acquiring a full APFS container image, you can verify the image by mounting it in a forensic tool or within AIR.

macOS Disk Imaging: Test the mounted image to verify acquisition success

hashtag
File System Support and Expected Outcomes

The following table summarises acquisition behaviour across different file systems:

File System
Disk Tab
Volume Tab
Image Usability

APFS

✅ Supported

❌ Not possible

Usable (full container only)

APFS (Encrypted)

✅ Supported

❌ Not possible

Usable (full container only)

APFS (Case-Sensitive)

✅ Supported

❌ Not possible

Usable (full container only)

APFS (Case-Sensitive, Encrypted)

✅ Supported

❌ Not possible

Usable (full container only)

Mac OS Extended (HFS+)

Does not appear

✅ Supported

Usable

Mac OS Extended (Case-Sensitive)

Does not appear

✅ Supported

Usable

MS-DOS (FAT)

Does not appear

✅ Supported

Often not usable

ExFAT

Does not appear

✅ Supported

Often not usable

hashtag
Working With APFS Images

A full APFS container image acquired via AIR can be:

  • Mounted in forensic tools

  • Processed by AIR

  • Parsed by APFS libraries

It contains snapshots, deleted artifacts, system and user data, and full filesystem structure.

hashtag
Recommended Workflow

  1. Disable SIP via Recovery Mode

  2. Acquire an APFS container from the Disk tab

  3. Validate hashes to confirm integrity

  4. Mount/import image in your forensic tool

  5. Analyse the complete APFS dataset

hashtag
Key Takeaways

circle-check

Summary

  1. APFS volumes cannot be imaged individually — this is a limitation of APFS architecture, not AIR.

  2. Full APFS container imaging is required for forensically sound macOS acquisition.

  3. SIP must be disabled before attempting disk image acquisition.

  4. AIR fully supports correct APFS acquisition — use the Disk tab for APFS systems.

  5. HFS+ (Mac OS Extended) volumes can be successfully acquired and mounted from the Volume tab.

  6. For encrypted APFS volumes on T2/Apple Silicon Macs, consider using logical collection via acquisition profiles as an alternative to physical imaging.

hashtag
Related Pages

PreviousImaging with interACTNextScheduling Tasks

Last updated

Was this helpful?