Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases β at no additional cost to you.
Chapter 17 β Further Reading
macOS and Linux forensics are less crowded shelves than Windows, but the best sources are deep and free. Start with one practitioner authority per platform, then go to the byte-level format references when you must defend a finding β and remember that the strongest learning here is hands-on, because these artifacts only make sense once you have parsed your own.
Foundations (π¬ deeper / format-level)
- Apple, Apple File System Reference (official PDF). The authoritative byte-level APFS specification: container and volume superblocks (
NXSB/APSB), the object map, checkpoints, and snapshots. When you need to explain why a transaction id means what it means, this is the source. - The Linux kernel ext4 documentation and Brian Carrier, File System Forensic Analysis. Carrier remains the canonical treatment of file-system internals (inodes, journaling, and what "deleted" means); the kernel docs cover the ext4 extent tree (
0xF30A) and thejbd2journal (0xC03B3998) precisely. - Yogesh Khatri (swiftforensics.com). The author of
mac_aptwrites up the hard internals β Spotlightstore.db, knowledgeC, biome, the Unified Log β at the level you cite in a report. Pair with the format notes behind his parsers.
Approachable explanations (everyone)
- Sarah Edwards (mac4n6.com) and the mac4n6 podcast. The clearest working examples of Apple "pattern of life" analysis β knowledgeC, FSEvents, Quarantine, the Unified Log β and the origin of much of what this chapter teaches about Mac absolute time and activity reconstruction.
- Hal Pomeranz, "Understanding EXT4" blog series and SANS Linux forensics material. A readable, example-driven tour of ext4 internals, the journal, and why Linux deleted-file recovery behaves the way it does. The best on-ramp to Group F of the exercises.
- Apple, Platform Security Guide (official). Plain-spoken on FileVault, the Secure Enclave/T2, and the Keychain β exactly the limits at the end of this chapter, from the vendor that built the wall.
In practice (πΎ Recovery Β· π Examiner Β· π‘οΈ IR Β· π Legal)
- π
mac_apt(Yogesh Khatri) and APFS-Fuse (sgan81), on GitHub. The open core of macOS examination used throughout this chapter β one for broad plugin coverage, one for read-only mounting of containers and individual snapshots. Free, and they teach the structures a GUI hides. - ππ‘οΈ Sarah Edwards' APOLLO, Mandiant's
macos-UnifiedLogs, andplaso/log2timeline(Kristinn GuΓ°jΓ³nsson). APOLLO normalizes Apple "pattern of life" databases; the UnifiedLogs parsers render.tracev3offline; plaso fuses every artifact in this chapter into one supertimeline (Chapter 21). - πΎ
ext4magic,extundelete, and TestDisk/PhotoRec (Christophe Grenier / CGSecurity). The ext4 recovery ladder β journal-based recovery first, carving as the metadata-free fallback. Know which one handles extents (it isext4magic). - π‘οΈπ SANS FOR518 (Mac and iOS Forensic Analysis, Sarah Edwards) and Philip Polstra, Linux Forensics. Course and book that cover the cross-platform caseload end to end, including the legal scoping a π reader needs.
Reference (this book)
- Appendix D β Forensic Artifact Locations: the macOS/Linux path cheat sheet for every artifact above.
- Appendix G β File System Reference: APFS structures, the ext4 inode/extent tree, and the
utmprecord layout. - Appendix H β Command-Line Reference and Appendix B β Python Forensics Toolkit:
last/lastb/journalctl/plutil/debugfssyntax and the SQLite deleted-row recovery script. - Chapter 29 β Encrypted Device Forensics and Appendix E β Legal Frameworks: the FileVault/LUKS wall and the compelled-decryption question.
Do, don't just read
- Find your own past. On any Mac, run
tmutil listlocalsnapshots /anddiskutil apfs listSnapshots /. Then query your ownknowledgeC.dbfor/app/inFocusβ and convert one timestamp by hand with+978307200. You do not understand snapshots or Mac absolute time until you have seen your own. - Break and recover an ext4 file. On a Linux loopback image,
rma file, rundebugfs -R 'lsdel', recover it through the journal withext4magic, pull the filename from directory slack, and hash the result against the original. Feeling the(none)block map β and then beating it β teaches the chapter better than any list.
Next: Chapter 18 β Browser and Internet Forensics: the SQLite skills you just built open places.sqlite, History, and Web Data β where intent and online activity are written down, on every one of these platforms.