APFS Snapshots (Local Time Machine Snapshots)

macOS, Filesystem & Timeline, Disk Image

Location

tmutil listlocalsnapshots / (snapshot metadata is embedded in the APFS volume itself rather than stored as separate files)

Description

APFS local snapshots are created automatically by Time Machine and by the macOS update process. Each one is a point-in-time, copy-on-write snapshot of the entire filesystem volume: it is space-efficient (only blocks changed since the snapshot consume additional space) yet captures the complete state of every file as it existed at creation time. Snapshot names encode the creation timestamp (for example com.apple.TimeMachine.YYYY-MM-DD-HHMMSS.local). Snapshots can be listed with tmutil and mounted read-only for browsing.

Forensic Value

APFS snapshots act as forensic time capsules, preserving the complete filesystem state from before a compromise. Mounting a pre-incident snapshot and comparing it against the current filesystem reveals every file the attacker created, modified, or deleted. Malware samples that were deleted after execution may still exist in older snapshots. Unlike backup media, local snapshots reside on the same volume and are immediately available without external hardware. Ransomware targeting macOS may attempt to delete snapshots, but if that deletion fails the surviving snapshot provides a complete recovery path. Local snapshots are short-lived, however: Time Machine normally retains them for about 24 hours and thins them when the volume runs low on space, so they should be preserved (imaged or mounted and exported) early in an investigation.
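The mount-and-compare workflow described above, as an added example that is not part of the original page: it mounts a named snapshot read-only with mount_apfs -s, builds hash manifests for the snapshot and the live volume, and classifies each path as created, modified or deleted. The snapshot name and mountpoint are assumptions supplied by the caller (taken from tmutil listlocalsnapshots /); the demo manifests use constructed hashes and paths so the comparison logic runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a snapshot name from
# `tmutil listlocalsnapshots /` and an empty mountpoint directory.

# manifest ROOT OUT: one "hash relative/path" line per regular file under ROOT,
# with the leading "./" stripped so snapshot and live manifests line up.
manifest() {
  root="$1"; out="$2"
  (cd "$root" && find . -xdev -type f -exec shasum -a 256 {} + 2>/dev/null) \
    | sed 's/^\([0-9a-f]*\)  *\.\//\1 /' > "$out"
}

# compare_manifests OLD NEW: prints sorted "created|modified|deleted path" lines.
# FILENAME==ARGV[1] (not NR==FNR) so an empty OLD manifest is handled correctly.
compare_manifests() {
  awk 'FILENAME == ARGV[1] { old[substr($0, index($0, " ") + 1)] = $1; next }
       { p = substr($0, index($0, " ") + 1)
         if (!(p in old)) print "created", p
         else { if (old[p] != $1) print "modified", p; delete old[p] } }
       END { for (p in old) print "deleted", p }' "$1" "$2" | sort
}

# snapshot_diff SNAPSHOT MOUNTPOINT: mount the snapshot read-only (needs root),
# diff it against the live data volume, then unmount. macOS only.
snapshot_diff() {
  snap="$1"; mnt="$2"; work=$(mktemp -d)
  mkdir -p "$mnt" && mount_apfs -s "$snap" / "$mnt"
  manifest "$mnt" "$work/snapshot.manifest"
  manifest /      "$work/live.manifest"
  compare_manifests "$work/snapshot.manifest" "$work/live.manifest"
  umount "$mnt"; rm -rf "$work"
}

# demo: exercises compare_manifests on two constructed manifests (fake hashes h*,
# fake paths): one file deleted, one modified, one LaunchAgent plist created.
demo() {
  work=$(mktemp -d)
  printf '%s\n' 'h1 Users/alice/Documents/report.docx' \
                'h2 Users/alice/Downloads/installer.pkg' \
                'h3 etc/hosts' > "$work/old"
  printf '%s\n' 'h1 Users/alice/Documents/report.docx' \
                'h4 Library/LaunchAgents/com.example.updater.plist' \
                'h9 etc/hosts' > "$work/new"
  compare_manifests "$work/old" "$work/new"
  rm -rf "$work"
}

if [ "$#" -eq 2 ] && [ "$(uname)" = Darwin ]; then
  snapshot_diff "$1" "$2"
fi
```

Hashing the whole data volume is slow; in practice the same two manifest calls can be pointed at a subtree such as the mounted snapshot's Library/LaunchAgents and the live /Library/LaunchAgents.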

Tools Required

tmutil, diskutil, mac_apt, apfs-fuse, Autopsy