Revisiting Data Hiding Techniques for Apple File System.

2019 
Data hiding is an important part of anti-forensic research since the continuous development of operating systems, file systems and other software may close some previously known vulnerabilities but will often inadvertently create new ones. Many of the currently used file systems such as FAT, NTFS or ext4 have been thoroughly analysed. There are quite a few theoretical approaches and also some practical tools that help us to hide data in the existing file systems in different ways. For the Apple File System (APFS), the new standard file system for all Apple devices, only part of the previous work is transferable. There are only a few published forensic analyses of APFS so far, and some forensic tools like The Sleuth Kit have at least partially adapted APFS functionality. However, anti-forensic techniques specific to APFS have not yet been explored. This paper aims to introduce APFS and some of its noncritical areas which can be exploited to hide data. A recently published modular anti-forensics framework called fishy allows the implementation of modules containing a file system interface and corresponding data hiding techniques. After a short theoretical introduction to the framework, we present, as a practical part of this work, specific data hiding techniques for APFS which are implemented in a separate module for fishy. Finally, the newly found techniques are evaluated, e.g., on the basis of their detectability, stability and capacity.