Final days to save $300 off practical cyber security training during SANSFIRE 2021! Choose from 30 Live Online courses.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Apple's latest file system - is APFS a blessing or a curse to digital investigators?

  • Tuesday, April 03, 2018 at 1:00 PM EDT (2018-04-03 17:00:00 UTC)
  • Derrick Donnelly

You can now attend the webcast using your mobile device!



The latest release of Mac OSX and iOS devices utilizes a new file system called APFS. In this webcast, digital investigators will learn how the file system differs from prior Apple and Microsoft filesystems and how that will impact investigations. Derrick will cover how data storage and encryption has changed and what techniques can be used to ensure you acquire an image you can successfully examine. In addition, we'll examine why the new write on copy features used during the deletion process leave more artifacts for examiners to trace than prior Mac file systems. Understanding these changes and the ability to identify these artifacts will be critical for all forensic investigators. At the end of this session forensic examiners will know the following: how to identify a computer with APFS, what techniques to consider when acquiring APFS drives, the write on copy feature file history implications, and how to locate that information when handling encrypted Macs.

Join SANS at the annual Digital Forensics & Incident Response (DFIR) Summit, June 7-14, in Austin, TX. This is the most comprehensive DFIR event of the year, bringing together an influential group of experts, immersion-style training, and industry networking opportunities in one place. Over the course of this training event, you'll enjoy:

  • Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit.
  • Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses and learn how to better protect your organization.
  • DFIR NetWars: The Coin Slayer - Earn DFIR course coins by correctly answering all questions from all four levels of one (or more) of the six DFIR domains.

Speaker Bio

Derrick Donnelly

Derrick Donnelly serves as the Chief Scientist of BlackBag Technologies. Derrick was an instructor for the FBI Computer Analysis and Response Team (CART) for over 8 years and has taught numerous other agencies around the World. Derrick has completed analysis and given testimony in connection with Federal and state criminal and civil cases.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.