Abstract

Background/Objectives: Few time-analysis studies exist on High Sierra, the latest macOS (10.13), which changed the file system from HFS+ to APFS (Apple File System).

Methods/Statistical analysis: In this experiment, we performed various actions on files and directories using an internal drive running Sierra and an external drive running High Sierra. The ‘mdls’ command and the time attributes shown in the Finder are used to compare the metadata. The ‘log show’ command is also used to check for system time modification. To analyze the .DS_Store and db.sqlite files, we used .DS_Store Parser and DB Browser for SQLite.

Findings: First, we briefly review time synchronization and APFS. We then compare the time records of HFS+ with those of APFS and note the differences. The unified logging (tracev3) file is analyzed using the ‘log show’ command, and it is confirmed that a relevant log entry is left when the system time is changed. Next, we performed various actions on the files and directories of Sierra and High Sierra and compiled the results as tables. As a result, we found that the accessed time values were not updated well on High Sierra, for performance reasons. Finally, we also found that file attribute values are present by default in the .DS_Store file in the RecycleBin and in the database files in Document Revisions, and that they can be used in forensic analysis.

Improvements/Applications: Furthermore, it is necessary to examine and analyze how the time attributes of a file change when files and folders are moved or copied with an APFS-formatted external storage device.
