How Apple’s new filing system is thwarting law enforcement and could affect you

“While Apple’s new APFS system for organising data on solid state hard drives is wildly more efficient than its double decade old predecessor called HFS+, it also drives some third party programs wild,” Peter Moon reports for Australian Financial Review. “High on the list of casualties is crimefighter software – the forensic analysis tools that law enforcement cyber detectives rely on.”

“The new file system now organises data stored on iPhones, iPads, Apple TVs, Apple Watches and, since last September, MacBooks [sic] [recte Macs] that have been updated for it,” Moon reports. “APFS is not only faster, it’s more secure. Therein lies a problem for investigators.”

“Until they have a full set of APFS tools, some agencies think that all they can do is seize computers of interest and wait for the forensic tools to catch up with the new file system – whenever that might be. In the meantime, the owners of the computers may be hit hard,” Moon reports. “A victim of an email fraud might have their iPhone impounded as evidence. And if the drives are APFS-formatted they could be detained indefinitely, because investigators can’t process them. Police often need data from innocent bystanders… Today, there are businesses in Australia deprived of key data because it has been swept up in a third party investigation, stored on drives that just happened to be formatted with APFS.”

Read more in the full article here.

MacDailyNews Take: Which is why you back up your data in multiple locations with regularity. Those who find themselves “deprived of key data” in such circumstances have only themselves to blame.

We prefer security over crackability, thanks.


  1. Very one sided article in my opinion.
    “APFS is not only faster, it’s more secure. Therein lies a problem for investigators.”

    It’s also the same problem for hackers, criminals and corrupt investigators from unscrupulous nations.

    This is an exciting time if a device can be developed that is secure except to the end user. It’s a step forward, so obviously those who want to hold back such an advancement.

    There are good points on both sides of this, but I think that the benefits of security far outweigh the need to crack it.

    So I’m 100% on the MDN take for this one.

  2. Take a chill pill and exercise a bit of reason, MDN! Your binary thought pattern is showing…

    While I agree, in principle, that everyone should have multiple backups in multiple locations, that is far easier for some than others. Furthermore, you should consider the fact that many backup methods are at risk of seizure along with the source computer – local Time Machine backups, local HDD/SSD clones, and commercially backed up data can easily be seized and tied up by law enforcement. Sure, you could run a cloned HDD/SSD over to a friend’s house or put it in a safe deposit box. But those versions can be located and seized, too. Perhaps we should don disguises and sneak down to the train station to anonymously rent a locker?

    When it comes to government and law enforcement reach (and overreach), no one can fully protect their data. I challenge MDN to deeply consider how an FBI raid would impact MDN’s data access, especially if the seizure extended to offsite/remote backups. Then get back to us with a more realistic “take.”

    I, too, prefer security over crackability. But the secure approach appears to be accompanied by consequences, such as indefinite detainment of your electronic data. I wonder how that squares away with the concept of “reasonable search and seizure”? At any rate, this is a situation that involves a lot more thought and debate than “multiple backups!”

    1. Backups are a strategy, not a single object. This strategy consists of offsite and even cloud based backups. There is no grey area here, security is a good thing, especially when combined with common sense and best practices.

      If anything, I see this as a good advertisement for APFS.

    2. The key point is “multiple backups”. That does not require thought and debate.

      And one situation that would be taken care of is if your main computer is seized because of supposed evidence in it.

      I doubt they are going to be going on to seize backups, just to screw up your business. To hypothesize that is tin-foil hat area, I think. And, in any case, is not a reason to forego multiple backups.

      1. Law enforcement officers can seize any hardware but they can’t take away your iCloud or other on-line account. They could apply for a warrant to get a copy of your data and usage history if the investigation were serious enough, but you will still have access to your current data and can download it onto another phone or computer to keep your business going.

        I have an arrangement with a neighbour across the road where they keep encrypted thumb drives with my important data (mostly data, documents and family photographs), while I do the same for them. It’s very unlikely that both of our houses will be destroyed simultaneously, so I feel reasonably confident that my on-site local backups, on-line backups and the stuff left with the neighbour offer me options to guard against most eventualities.

  3. So if I’m an innocent bystander and my computer or phone is seized as evidence and I voluntarily unlock the machine/drive, then what is the problem?
    Now, if I choose not to unlock the computer/drive, then I can see where law enforcement might have problems unlocking or hacking the drive.

    1. The “problem” is twofold:

      (1) What the forensic investigators are looking for may not be readily apparent on the surface, even to the owner or someone with his password. They are looking for traces of third-party tampering, deleted files, and hacking that requires access to the physical media, whether disk or solid state. The tools for doing that on HFS+ are well evolved, while those for APFS aren’t. Having the password is helpful for an investigation on that level, but it isn’t sufficient to get to all the information without prolonged physical possession of the device.

      (2) The government must provide the defense with access to all the potentially exculpatory evidence. They will not be satisfied with a copy, but will want an opportunity to subject the original device to essentially the same full range of forensic tests that the government has… and possibly a good deal more.

      So, absent an agreement between all the parties, the device is likely to remain locked up in an evidence locker until at least the trial and possibly through all the possible appeals.

    1. And how is law enforcement supposed to meet its burden if it cannot gain access to any admissible evidence?

      We are not talking here about searches of the defendant or his property. These are mostly searches conducted with the consent of the owner of the device–the same owner who initially called the police to report a crime and who will be unable to obtain restitution unless the criminal can be convicted. At most, they are searches of third parties who are not at jeopardy of prosecution and who are generally willing to cooperate because they are victims, too.

      Cracking encryption without the consent of the owner is a completely different subject than conducting a forensic examination with the owner’s approval. The same problem would apply if the owner was trying to develop admissible evidence of cybercrime in a civil case against the wrongdoer.

      I guess you figure it’s too effin’ bad for them, too.
