dissect.apfs.objects

Submodules

Package Contents

Classes

Object

Base class for APFS objects.

BTree

APFS B-tree object.

BTreeNode

APFS B-tree Node object.

CheckpointMap

APFS Checkpoint Map object.

EfiJumpstart

APFS EFI Jumpstart object.

EncryptionRollingRecoveryBlock

APFS Encryption Rolling Recovery Block object.

EncryptionRollingState

APFS Encryption Rolling State object.

FS

APFS Filesystem object, also referred to as the "volume".

GBitmap

APFS General Bitmap object.

GBitmapBlock

APFS General Bitmap Block object.

IntegrityMeta

APFS Integrity Meta object.

NxFusionWbc

APFS Fusion Write-Back Cache object.

NxFusionWbcList

APFS Fusion Write-Back Cache List object.

NxReapList

APFS NX Reap List object.

NxReaper

APFS NX Reaper object.

NxSuperblock

APFS NX Superblock object.

ObjectMap

APFS Object Map (OMAP) object.

SnapMetaExt

APFS Snapshot Metadata Extension object.

Spaceman

APFS Spaceman object.

SpacemanBitmap

APFS Spaceman Bitmap object.

SpacemanChunkInfoAddressBlock

APFS Spaceman Chunk Info Address Block object.

SpacemanChunkInfoBlock

APFS Spaceman Chunk Info Block object.

class dissect.apfs.objects.Object(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Base class for APFS objects.

The way we use this is a little unorthodox OOP-wise, but it works well for our use case. For the core of our APFS implementation we want to be able to read any object directly from a known type, but for interactive use it would also be nice to be able to read an object from its address and have it automatically be the correct subclass.

Subclasses should define the __type__ and __struct__ class variables.

Parameters:
  • container – The APFS container the object belongs to.

  • address – The block address of the object within the container.

  • block – Optionally, the raw block data of the object. If not provided, it will be read from the container.

  • cipher – Optionally, a cipher to decrypt the object (or child objects).
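How the __type__ registration and automatic subclass selection described for Object can work, as an added sketch that is not dissect.apfs code: the Sketch* classes and make_block are hypothetical, the container and cipher arguments are left out, and the header layout and type constants are taken from Apple's APFS reference.

```python
import struct
from typing import ClassVar

# Sketch with hypothetical names; header layout per Apple's APFS reference (obj_phys_t).
OBJ_HEADER = struct.Struct("<QQQII")  # o_cksum, o_oid, o_xid, o_type, o_subtype
OBJECT_TYPE_MASK = 0x0000FFFF
OBJ_STORAGETYPE_MASK = 0xC0000000
STORAGE = {0x00000000: "virtual", 0x80000000: "ephemeral", 0x40000000: "physical"}


class SketchObject:
    __type__: ClassVar[int] = 0  # 0 (OBJECT_TYPE_INVALID) means "not registered"
    __known_types__: ClassVar[dict] = {}

    def __init_subclass__(cls) -> None:
        # Each subclass that declares __type__ registers itself for dispatch.
        if cls.__type__:
            SketchObject.__known_types__[cls.__type__] = cls

    def __init__(self, address: int, block: bytes) -> None:
        if len(block) < OBJ_HEADER.size:
            raise ValueError(f"block at {address:#x} is shorter than an object header")
        self.address = address
        self.checksum, self.oid, self.xid, self.raw_type, self.subtype = OBJ_HEADER.unpack_from(block)

    @classmethod
    def from_block(cls, address: int, block: bytes) -> "SketchObject":
        probe = SketchObject(address, block)  # parse the header once to read o_type
        return cls.__known_types__.get(probe.type, SketchObject)(address, block)

    @property
    def type(self) -> int:
        return self.raw_type & OBJECT_TYPE_MASK

    @property
    def storage_type(self) -> str:
        return STORAGE.get(self.raw_type & OBJ_STORAGETYPE_MASK, "invalid")


class SketchSuperblock(SketchObject):
    __type__ = 0x1  # OBJECT_TYPE_NX_SUPERBLOCK

class SketchObjectMap(SketchObject):
    __type__ = 0xB  # OBJECT_TYPE_OMAP


def make_block(oid: int, xid: int, o_type: int) -> bytes:
    # Constructed sample: header with a zero checksum, zero-padded to 4096 bytes.
    return OBJ_HEADER.pack(0, oid, xid, o_type, 0).ljust(4096, b"\x00")
```

An o_type with no registered subclass falls back to the base class, so unknown or corrupted blocks can still be inspected by header fields alone.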

__type__
__struct__
__known_types__: ClassVar[dict[int, type[Object]]]
classmethod __init_subclass__()
container
address
block
cipher = None
object
__repr__() → str
classmethod from_address(container: dissect.apfs.apfs.APFS, address: int, count: int = 1, *, cipher: dissect.fve.crypto.Cipher | None = None) → typing_extensions.Self

Load an object from its address, automatically determining the correct subclass.

classmethod from_block(container: dissect.apfs.apfs.APFS, address: int, block: bytes, *, cipher: dissect.fve.crypto.Cipher | None = None) → typing_extensions.Self

Load an object from its raw block data, automatically determining the correct subclass.

property checksum: int

The object’s checksum.

is_valid() → bool

Check if the object’s checksum is valid.

property oid: int

The object’s ID.

property xid: int

The object’s transaction ID.

property type: dissect.apfs.c_apfs.c_apfs.OBJECT_TYPE

The object’s type.

property type_flags: dissect.apfs.c_apfs.c_apfs.OBJ

The object’s type flags.

property storage_type: dissect.apfs.c_apfs.c_apfs.OBJ

The object’s storage type.

property is_virtual: bool

Check if the object is stored as a virtual object.

property is_ephemeral: bool

Check if the object is stored as an ephemeral object.

property is_physical: bool

Check if the object is stored as a physical object.

property is_encrypted: bool

Check if the object is encrypted.

property subtype: dissect.apfs.c_apfs.c_apfs.OBJECT_TYPE

The object’s subtype.

class dissect.apfs.objects.BTree(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS B-tree object.

__type__
object: dissect.apfs.c_apfs.c_apfs.btree_node_phys
container
address
root
block
cipher = None
header
info
__repr__() → str
property flags: dissect.apfs.c_apfs.c_apfs.BTREE

The B-tree’s flags.

search(key: bytes, *, exact: bool = False, cmp: collections.abc.Callable[[Any, bytes], Literal[-1, 0, 1]] = cmp_default, omap: dissect.apfs.objects.omap.ObjectMap | None = None, oid: int = 0, xid: int | None = None) → bytes | None

Search for a key in the B-tree.

Parameters:
  • key – Key to search for.

  • exact – If True, only return if an exact match is found.

  • cmp – Comparison function to use. Should return -1, 0, or 1.

  • omap – The object map to use for resolving virtual child objects.

  • oid – The base object ID to use for resolving virtual child objects.

  • xid – The transaction ID to use for resolving virtual child objects.

class dissect.apfs.objects.BTreeNode(*args, **kwargs)

Bases: dissect.apfs.objects.base.Object

APFS B-tree Node object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.btree_node_phys
__repr__() → str
property toc: list[dissect.apfs.c_apfs.c_apfs.kvoff | dissect.apfs.c_apfs.c_apfs.kvloc]

The B-tree node’s table of contents.

property flags: dissect.apfs.c_apfs.c_apfs.BTNODE

The B-tree node’s flags.

property is_root: bool

Whether the node is the root node.

property is_leaf: bool

Whether the node is a leaf node.

property is_nonleaf: bool

Whether the node is a non-leaf node.

property level: int

The B-tree node’s level.

property nkeys: int

The number of keys in the B-tree node.

class dissect.apfs.objects.CheckpointMap(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Checkpoint Map object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.checkpoint_map_phys

class dissect.apfs.objects.EfiJumpstart(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS EFI Jumpstart object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.nx_efi_jumpstart

class dissect.apfs.objects.EncryptionRollingRecoveryBlock(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Encryption Rolling Recovery Block object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.er_recovery_block_phys

class dissect.apfs.objects.EncryptionRollingState(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Encryption Rolling State object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.er_state_phys

class dissect.apfs.objects.FS(*args, **kwargs)

Bases: dissect.apfs.objects.base.Object

APFS Filesystem object, also referred to as the “volume”.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.apfs_superblock
inode
root
__repr__() → str
property index: int

The volume index within the container.

property features: dissect.apfs.c_apfs.c_apfs.APFS_FEATURE

The features supported by this filesystem.

property incompatible_features: dissect.apfs.c_apfs.c_apfs.APFS_INCOMPAT

The incompatible features supported by this filesystem.

property is_case_insensitive: bool

Whether the filesystem is case insensitive.

property is_normalization_insensitive: bool

Whether the filesystem is normalization insensitive.

property is_sealed: bool

Whether the filesystem is sealed (read-only).

property unmount_time: datetime.datetime

The last unmount time of the filesystem.

property omap: dissect.apfs.objects.omap.ObjectMap

The object map for the filesystem.

property root_tree: dissect.apfs.objects.btree.BTree

The root B-tree for the filesystem.

property snap_meta_tree: dissect.apfs.objects.btree.BTree

The snapshot metadata B-tree for the filesystem.

property uuid: uuid.UUID

The filesystem UUID.

property mtime: datetime.datetime

The last modification time of the filesystem.

property flags: dissect.apfs.c_apfs.c_apfs.APFS_FS

property is_unencrypted: bool

Whether the filesystem is unencrypted.

property is_encrypted: bool

Whether the filesystem is encrypted.

property is_onekey: bool

Whether the filesystem uses the volume encryption key for all.

property formatted_by: tuple[str, datetime.datetime, int]

Information about the tool that formatted the filesystem.

property modified_by: list[tuple[str, datetime.datetime, int]]

Information about the tools that modified the filesystem.

property name: str

The volume name.

property role: dissect.apfs.c_apfs.c_apfs.APFS_VOL_ROLE

The volume role.

property snapshots: list[Snapshot]

All snapshots in the filesystem.

property fext_tree: dissect.apfs.objects.btree.BTree

The file extent B-tree for the filesystem.

property keybag: dissect.apfs.objects.keybag.VolumeKeybag | None

The volume keybag, if present.

property password_hint: str | None

The password hint for the volume, if present.

unlock(password: str, uuid: uuid.UUID | str | None = None) → None

cursor() → dissect.apfs.cursor.Cursor

Create a new cursor for the volume’s root B-tree.

records(oid: int) → dict[dissect.apfs.c_apfs.c_apfs.APFS_TYPE, list[Any]]

Get all records for a given object ID.

Parameters:
  • oid – The object ID to search for.

inodes() → collections.abc.Iterator[INode]

Iterate over all inodes in the filesystem.

get(path: str | int | DirectoryEntry, node: INode | None = None) → INode

Get an inode by its path, object ID, or directory entry.

Parameters:
  • path – The path, object ID, or directory entry of the inode to retrieve.

  • node – The starting inode for relative paths. Defaults to the root inode.

class dissect.apfs.objects.GBitmap(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS General Bitmap object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.gbitmap_phys

class dissect.apfs.objects.GBitmapBlock(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS General Bitmap Block object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.gbitmap_block_phys

class dissect.apfs.objects.IntegrityMeta(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Integrity Meta object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.integrity_meta_phys

class dissect.apfs.objects.NxFusionWbc(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Fusion Write-Back Cache object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.fusion_wbc_phys

class dissect.apfs.objects.NxFusionWbcList(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Fusion Write-Back Cache List object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.fusion_wbc_list_phys

class dissect.apfs.objects.NxReapList(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS NX Reap List object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.nx_reap_list_phys

class dissect.apfs.objects.NxReaper(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS NX Reaper object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.nx_reaper_phys

class dissect.apfs.objects.NxSuperblock(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS NX Superblock object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.nx_superblock
check() → None

Check the validity of the superblock.

compare(other: NxSuperblock) → None

Compare this superblock to another superblock.

property block_size: int

The block size of the container.

property block_count: int

The total number of blocks in the container.

property features: dissect.apfs.c_apfs.c_apfs.NX_FEATURE

The features supported by this container.

property incompatible_features: dissect.apfs.c_apfs.c_apfs.NX_INCOMPAT

The incompatible features supported by this container.

property uuid: uuid.UUID

The UUID of the container.

property checkpoint_objects: list[dissect.apfs.objects.checkpoint_map.CheckpointMap | NxSuperblock]

All checkpoint objects in the container.

property ephemeral_objects: dict[int, dissect.apfs.objects.base.Object]

All ephemeral objects in the container.

property omap: dissect.apfs.objects.omap.ObjectMap

The object map of the container.

property filesystems: list[dissect.apfs.objects.fs.FS]

All the filesystems in the container.

property fusion_uuid: uuid.UUID

The Fusion Drive UUID.

property keylocker: dissect.apfs.objects.keybag.ContainerKeybag | None

The container keybag, if present.

class dissect.apfs.objects.ObjectMap(*args, **kwargs)

Bases: dissect.apfs.objects.base.Object

APFS Object Map (OMAP) object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.omap_phys
lookup
is_valid() → bool

Check if the object’s checksum is valid.

property btree: dissect.apfs.objects.btree.BTree

The B-tree of the object map.

class dissect.apfs.objects.SnapMetaExt(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Snapshot Metadata Extension object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.snap_meta_ext_obj_phys

class dissect.apfs.objects.Spaceman(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Spaceman object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.spaceman_phys

class dissect.apfs.objects.SpacemanBitmap(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Spaceman Bitmap object.

__type__

class dissect.apfs.objects.SpacemanChunkInfoAddressBlock(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Spaceman Chunk Info Address Block object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.cib_addr_block

class dissect.apfs.objects.SpacemanChunkInfoBlock(container: dissect.apfs.apfs.APFS, address: int, *, block: bytes | None = None, cipher: dissect.fve.crypto.Cipher | None = None)

Bases: dissect.apfs.objects.base.Object

APFS Spaceman Chunk Info Block object.

__type__
__struct__
object: dissect.apfs.c_apfs.c_apfs.chunk_info_block