Joe Sylve

Digital Forensics Researcher and Educator
Blog: https://jtsylve.blog
LinkedIn: https://www.linkedin.com/in/jtsylve/

Speculative telemetry is an APFS feature that tracks the lifecycle of speculatively downloaded files: content fetched to local storage before the user explicitly requests it, such as files prefetched by iCloud or the App Store.

https://jtsylve.blog/post/2026/06/12/APFS-Speculative-Telemetry

#dfir #apfs

Speculative Telemetry

Speculative telemetry is an APFS feature that tracks the lifecycle of speculatively downloaded files: content fetched to local storage before the user explicitly requests it, such as files prefetched by iCloud or the App Store. This post covers the on-disk structures and state machine that enable this tracking.

Joe T. Sylve, Ph.D.

Volume grafting mounts a disk image's APFS contents as a subdirectory of an existing volume. This is the mechanism behind Cryptexes, RSRs, and system extensions.

New post on the lifecycle, constraints, and on-disk metadata:

https://jtsylve.blog/post/2026/06/11/APFS-Grafting

#dfir #apfs

Volume Grafting

Volume grafting is a mechanism introduced in macOS 13 that mounts a disk image’s APFS contents as a subdirectory of an existing volume. This is the technology behind Cryptexes, the cryptographically sealed, graftable disk images used for Rapid Security Responses and system extensions. This post covers the graft lifecycle, constraints, and on-disk metadata.

Joe T. Sylve, Ph.D.

Today's post covers APFS encryption rolling, the background process that encrypts, decrypts, or re-keys an entire volume’s data while the system continues operating.

https://jtsylve.blog/post/2026/06/10/APFS-Encryption-Rolling

#apfs #dfir

Encryption Rolling

In our posts on Keybags, Wrapped Keys, and Decryption, we covered the static encryption architecture of APFS: how keys are stored, unwrapped, and used to decrypt data. This post covers encryption rolling, the background process that encrypts, decrypts, or re-keys an entire volume’s data while the system continues operating.

Joe T. Sylve, Ph.D.

We previously covered how APFS clones files via shared extents. APFS also tracks which inodes share physical data through a higher-level structure: clonegroups. Today's post breaks down the clonegroup tree and how it manages cloned files.

https://jtsylve.blog/post/2026/06/09/APFS-Clonegroups

#dfir #apfs

Clonegroups

In our post on Data Streams, we discussed how APFS implements file cloning through shared extents and reference counting. While j_phys_ext_val_t reference counts and j_dstream_id_val_t track sharing at the extent level, APFS also maintains a higher-level grouping mechanism called clonegroups that tracks which inodes share physical data. This post covers the clonegroup tree and its role in managing cloned files.

Joe T. Sylve, Ph.D.

APFS supports transparent file compression through DECMPFS. Files may appear normal to applications but store their data in a compressed form on disk. This post covers the on-disk format, compression types, and how to parse compressed files.

https://jtsylve.blog/post/2026/06/08/APFS-DECMPFS

#dfir #apfs

Transparent Compression (DECMPFS)

APFS supports transparent file compression through the DECMPFS (Decompression File System) framework, shared with HFS+. Compressed files appear normal to applications but store their data in a compressed form on disk, significantly reducing space usage on system volumes. This post covers the on-disk format, compression types, and how to parse compressed files.

Joe T. Sylve, Ph.D.

How does APFS keep track of hard links, where multiple directory records all point to a single inode?
A mechanism called siblings. Today's post digs into the SIBLING_LINK and SIBLING_MAP record types:

https://jtsylve.blog/post/2026/06/05/APFS-Siblings

#dfir #apfs

Hard Links and Siblings

In our post on Inode and Directory Records, we noted that a single inode may be referenced by more than one directory record, as is the case with hard links. In File System Trees, we listed APFS_TYPE_SIBLING_LINK and APFS_TYPE_SIBLING_MAP among the record types. Today we examine how APFS explicitly tracks hard links through a mechanism called siblings.

Joe T. Sylve, Ph.D.

APFS containers include an embedded EFI driver that allows UEFI firmware to boot from APFS partitions without requiring a built-in APFS driver. This post covers the nx_efi_jumpstart_t structure and the boot procedure that uses it.

https://jtsylve.blog/post/2026/06/04/APFS-EFI-Jumpstart

#dfir #apfs

EFI Jumpstart

Joe T. Sylve, Ph.D.

Following up on our Containers post: the Reaper is APFS's garbage collector, handling deletions too large for a single transaction (entire volumes, snapshot cleanup). This post digs into its on-disk structures and multi-phase state machine.

https://jtsylve.blog/post/2026/06/03/APFS-Reaper

#dfir #apfs

The Reaper

In our post on Containers, we introduced the Reaper as the subsystem responsible for garbage collection in APFS. The Reaper handles deletions that are too large to complete within a single transaction, such as deleting an entire volume or cleaning up after a snapshot deletion. In this post, we will examine the Reaper’s on-disk structures and its multi-phase state machine.

Joe T. Sylve, Ph.D.

How does APFS actually track which blocks are free across storage tiers? Our new post cracks open the Space Manager's on-disk structures: chunk tracking, free queues, internal pool, and allocation zones.

https://jtsylve.blog/post/2026/06/02/APFS-Space-Manager

#dfir #apfs

Space Manager

In our earlier post on Containers, we introduced the Space Manager as the subsystem responsible for tracking which blocks are in use across all storage tiers and for allocating and freeing blocks on behalf of volumes. That post promised more detail in the future. Today we deliver on that promise by examining the Space Manager’s on-disk structures, including its hierarchical chunk tracking system, free queues, internal pool, and allocation zones.

Joe T. Sylve, Ph.D.

I've updated my APFS internals series for 2026. All my 2022 posts have been revised and expanded to cover the new on-disk structures and functionality.

I'll be releasing nine new sections over the next two weeks.

https://jtsylve.blog/post/2026/06/01/Revisiting-the-APFS-Series

#dfir #apple

Revisiting the APFS Series

Back in 2022 I started the APFS Advent Challenge: a daily run of posts dissecting the on-disk internals of Apple’s file system. Nearly four years later, both APFS and our collective understanding of it have moved on. So I’ve gone back through the entire series, brought every post up to date, and over the next two weeks I’ll be adding new parts to fill in the gaps.

Joe T. Sylve, Ph.D.