Services
Contact Us
Support
About Us
Resources

Pulling data from an Apple Filesystem (APFS) Partition with Linux

Preface

In a recent ticket, we needed to pull data from a Macbook hard drive without having access to another Mac device. We decided to use Linux using the APFS-Fuse by sgan81.

Definitions

APFS(Apple File System): This the organizational system Apple uses to organize files on Mac OS storage drives (Hard Disk Drives, Solid State Drives…).
Virtual Machine (VM): Virtual Machines are guest operating systems running on an application inside of another operating system.
Package: Software/Resources.
Package Manager: Software to control to installation/updating/removal of packages.
Repository: A location containing a project/code.
Path (Terminal): A file with a list of all the locations terminal will look for to find the application/command you type in.
Superuser: Elevated User (Administrator is the Windows equivalent to Superuser).
Mount (Mount Point): Location where a drive's files are displayed.

Commands

sudo: the user is in the “Sudoers” group this command will elevate the command written behind it.
apt: Advanced Package Tool, Debian based package manager. “apt install” is used to install packages.
ls: List files in the request directory. If no path is given it will list files in the current directory.
cp: Copy command, copies the given the entered file to the given path. If a folder was targeted the recursive flag must be used.
git: Version control software. This is for managing repositories and in this writeup will only be used for preparing a repository to be build.
cmake: Software used for building/compiling code into software.

System

Because I don't expect to see many APFS recoveries I opted to create a Linux Mint VM to install APFS-Fuse onto. For the VM, I created a restore drive to hold the recovered data. However, I did not create a drive for the OS, as the live environment will work just fine.

Setup

Sgan81's APFS-Fuse installation instructions are great and make it easy to follow.
The first step was to update the system, and then install the required packages. Since I was using a live environment, I chose not to do the update. The next command was for the packages:

sudo apt install fuse libfuse3-dev bzip2 libbz2-dev cmake gcc-c++ git libattr1-dev zlib1g-dev

I was unable to install gcc-c++ which would have been used with cmake for building the project folder. However, because g++ was working I knew cmake would work and moved on.
After installing the required packages, I needed to use git clone to copy the repository. Once it had finished downloading, I went into the directory and ran the following commands:

git submodule init
git submodule update

From there we are ready to build to package. We made a folder to build the package in and went into it and ran 'cmake ..'. This run compiles project in the folder above, but have it dump the files in the build folder. After it finished, we then ran 'make' to build out the rest of the software. From there we are ready to open the APFS filesystem.

Opening APFS

Because the APFS-Fuse folder is not in terminal's path, we will have to run the software by appending './' so our command should look like:

“./apfs-fuse [device-location] [mount-point]”

In my case the partition was at /dev/sdb2, and I want to send it to /mnt. To send it to /mnt I will need to have superuser permissions. My command was:

“sudo ./apfs-fuse /dev/sdb2 /mnt”

When I opened a file explorer, and went to /mnt the drive stopped responding. This meant I had to unmount the drive using:

"sudo umount /mnt"

I then had to remount using the same apfs command as above. The file explorer didn't work. I then tried to use 'ls' in terminal, but it replied back saying I didn't have permission to access that folder. I then ran 'ls' as a superuser and did not have any issues. I started looking into the drive. Whenever I pushed the drive to much, the transport layer would close forcing me to unmount and remount the drive again.

Copying the Data

With the drive now mounted, I am able to explore the drive. I took the restore drive and formatted it as a FAT filesystem to make sure that any OS would be able to access the drive. I then had to slowly try to copy each folder in the users root directory. If it failed, then I had to go into the failed directory and copy each file individually. The cycle of commands looked as follows:

“sudo ls /mnt/path-to-user”
“sudo cp /mnt/path-to-user/subdirectory /media/mint/recovery-drive”

and if there was a failure:

“sudo ls /mnt/path-to-user/subdirectory”
“sudo cp /mnt/path-to-user/subdirectory/FileorFolder /media/mint/recovery-drive/subdirectory”

Once the data was recovered, it was copied to an external hard drive. Then it was ready for delivery.