APFS Snapshots (Local Time Machine Snapshots)

macOS · Filesystem & Timeline · Disk Image

Location

tmutil listlocalsnapshots / (no separate artifact file; APFS snapshot metadata is embedded in the volume itself)

Description

APFS local snapshots are created automatically by Time Machine and by the macOS update process. Each is a point-in-time, copy-on-write snapshot of the entire filesystem volume: space-efficient, yet capturing the complete state of every file as it existed at creation time. Snapshots can be listed with tmutil and mounted for browsing.

Forensic Value

APFS snapshots act as forensic time capsules, preserving the complete filesystem state from before a compromise. Mounting a pre-incident snapshot and comparing it against the current filesystem reveals every file the attacker created, modified, or deleted. Malware samples that were deleted after execution may still exist in older snapshots. Unlike backup media, local snapshots reside on the same volume and are immediately available without external hardware. Ransomware targeting macOS may attempt to delete snapshots, but when that deletion fails the surviving snapshots provide a complete recovery path.

Tools Required

tmutil, diskutil, mac_apt, APFS Fuse, Autopsy

Collection Commands

tmutil

tmutil listlocalsnapshots / > /forensics/apfs_snapshots_list.txt

tmutil

tmutil mountlocalsnapshots / && ls /Volumes/ > /forensics/mounted_snapshots.txt

diskutil

diskutil apfs listSnapshots disk1s1 > /forensics/apfs_snapshot_details.txt

mac_apt

python mac_apt.py -i /path/to/image -o /forensics/output APFS_SNAPSHOTS
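Added example, not code from this entry or from any of the tools listed above: a Python helper that parses the output of tmutil listlocalsnapshots /, picks the newest snapshot created before a suspected compromise time, and hashes two directory trees (a mounted snapshot versus the live volume) to report created, modified, and deleted files. The snapshot listing below is a constructed sample, and the two root paths given to diff_trees are assumed to be supplied by the analyst after mounting.

```python
import hashlib
import os
import re
from datetime import datetime
# Constructed sample of `tmutil listlocalsnapshots /` output; not captured from a real host.
SAMPLE_LISTING = """Snapshots for disk /:
com.apple.TimeMachine.2024-03-10-091533.local
com.apple.TimeMachine.2024-03-11-142005.local
com.apple.os.update-0123abcd
com.apple.TimeMachine.2024-03-12-081120.local
"""
# Time Machine snapshot names embed the creation time; OS-update snapshots do not.
TM_NAME = re.compile(r"^com\.apple\.TimeMachine\.(\d{4}-\d{2}-\d{2}-\d{6})\.local$")

def parse_snapshots(listing):
    """Map each snapshot name to its creation time (None when the name has no timestamp)."""
    result = {}
    for line in listing.splitlines():
        name = line.strip()
        if not name or name.startswith("Snapshots for disk"):
            continue  # skip blank lines and the header tmutil prints
        m = TM_NAME.match(name)
        result[name] = datetime.strptime(m.group(1), "%Y-%m-%d-%H%M%S") if m else None
    return result

def latest_before(snapshots, incident):
    """Newest snapshot created strictly before the suspected compromise time, or None."""
    dated = [(ts, name) for name, ts in snapshots.items() if ts is not None and ts < incident]
    return max(dated)[1] if dated else None

def _hash_tree(root):
    """Relative path -> SHA-256 of every regular file under root."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return tree

def diff_trees(snapshot_root, live_root):
    """Files created, modified or deleted between a mounted snapshot and the live volume."""
    before, after = _hash_tree(snapshot_root), _hash_tree(live_root)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }
```

Hash-based comparison catches content changes that timestamp-only diffs miss when an attacker resets mtimes; on a full volume it is slow, so narrow the roots to the directories of interest.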

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

T1490, T1006, T1485, T1561.002