Welcome to Part 5 of the Perfect Acquisition series! In case you missed the previous parts, please check them out for background information. This section provides a comprehensive guide to performing the Perfect APFS Acquisition procedure.
In the previous articles, we discussed the inner workings of iOS and introduced the concept of Perfect Acquisition. Since then, we have worked hard to remove existing limitations and extend Perfect Acquisition support to more devices, realizing our vision of providing the best tools and techniques available for forensic acquisition.
This article focuses on overcoming one of the two previous limitations – support for the APFS file system. At first glance, this may seem unusual, as no iPhones without SEP use APFS. However, there is (to our knowledge) one unique Apple device that uses APFS but lacks SEP: the Apple Watch S0.
Below is the updated compatibility chart:
Perfect Acquisition applies to devices that meet the following conditions:
Currently, our software does not support iPhone 2G, iPhone 3G, iPod Touch 1, or iPod Touch 2. This may change in the future.
Fully supported devices:
The “Apple Watch (1st generation)” was Apple’s first smartwatch. It came in four variants: Apple Watch, Apple Watch Sport, Apple Watch Hermès, and Apple Watch Edition. Internally, these models are labeled Watch1,1 and Watch1,2 and originally shipped with watchOS 1.0, receiving updates through watchOS 4.3.2.
This should not be confused with the “Apple Watch Series 1” (Watch2,6 and Watch2,7), which was the second generation and shares the same CPU as the Series 2. The first-generation Apple Watch is sometimes referred to as “Apple Watch Series 0” or simply “S0.” It’s particularly interesting from a forensic standpoint: while it syncs with a paired iPhone, it is actually less secure than the phone. The S0 runs on a 32-bit ARMv7k processor, has no SEP, but uses the APFS file system (at least in later OS versions).
This made it an ideal candidate to study APFS encryption without needing to extract keys from SEP. Using the S0, we improved our in-house APFS implementation and can now decrypt and analyze data from raw iOS/WatchOS APFS dumps.
Because Perfect Acquisition operates at a very low level and requires a deep understanding of how the components work together, turning “one attempt” of deriving the keys into “many attempts” is trivial. Therefore, we also support passcode cracking for the Apple Watch S0.
Thanks, Apple!
Incidentally, Apple Watches do not support complex alphanumeric passcodes, and there is a hard limit on numeric passcode length – 10 digits on modern watches.
At a cracking speed of 26 passcodes per second (on-device), here are the estimated times to break various passcode lengths:
| Passcode length | Time |
|---|---|
| 4 digits | 6 minutes |
| 5 digits | 1 hour |
| 6 digits | 10 hours |
| 7 digits | 5 days |
| 8 digits | 1.5 months |
| 9 digits | 15 months |
| 10 digits | 12 years |
Realistically, how often do you encounter 6-digit passcodes on Apple Watches – let alone longer ones? Four-digit passcodes were especially common even on iPhones back in the S0 era, and currently remain the most common even on last-generation Apple Watch models.
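To see where the figures in the table come from, here is an added Python example (not part of the original article and not EIFT code) that derives the worst-case search time for an all-numeric passcode of a given length from the quoted on-device rate of 26 passcodes per second. It also reports the average case, which the table of upper bounds does not show. The rate constant, the unit thresholds and the one-decimal rounding are my assumptions chosen to reproduce the table.

```python
"""Worst-case and average brute-force time for numeric passcodes (added example)."""

# On-device cracking rate quoted in the article for the Apple Watch S0 (assumption: constant).
S0_RATE_PER_SECOND = 26

# (unit name, seconds per unit, minimum seconds before this unit is used)
# Thresholds are an assumption: they keep "1.5 months" and "15 months" as months,
# the way the article's table presents them, and only switch to years at 2+ years.
_UNITS = (
    ("years", 365 * 86400, 730 * 86400),
    ("months", 30 * 86400, 30 * 86400),
    ("days", 86400, 86400),
    ("hours", 3600, 3600),
    ("minutes", 60, 60),
    ("seconds", 1, 0),
)


def keyspace_size(digits: int) -> int:
    """Number of distinct all-numeric passcodes of exactly `digits` digits."""
    if digits < 1:
        raise ValueError("passcode length must be at least 1 digit")
    return 10 ** digits


def worst_case_seconds(digits: int, rate: float = S0_RATE_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at `rate` attempts per second."""
    return keyspace_size(digits) / rate


def average_seconds(digits: int, rate: float = S0_RATE_PER_SECOND) -> float:
    """Expected time when the passcode is uniformly random: half the keyspace."""
    return worst_case_seconds(digits, rate) / 2


def humanize(seconds: float) -> str:
    """Render a duration with the largest unit whose threshold is met, one decimal."""
    for name, size, threshold in _UNITS:
        if seconds >= threshold:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate_table(lengths=range(4, 11), rate: float = S0_RATE_PER_SECOND) -> dict:
    """Map passcode length -> (worst case, average case) as human-readable strings."""
    return {
        n: (humanize(worst_case_seconds(n, rate)), humanize(average_seconds(n, rate)))
        for n in lengths
    }


if __name__ == "__main__":
    for n, (worst, avg) in estimate_table().items():
        print(f"{n:2d} digits: worst {worst:>12}, average {avg:>12}")
```

Run it as a script to print the table for 4 to 10 digits; the worst-case column matches the article's figures, and the average column is half of each.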
From the user’s perspective, not much differs between HFS and APFS Perfect Acquisition. The process and most commands remain the same.
Step 1) Boot the EIFT ramdisk:
./EIFT_cmd boot -w
Step 2) Dump the disk:
./EIFT_cmd ramdisk diskdump -o data.dmg
Step 3) Dump BFU keys:
./EIFT_cmd ramdisk dumpkeys -n -o keys_bfu.plist
At this point, you have a Perfect Dump. Even if the device is upgraded, wiped, or erased, your data dump remains intact. However, you still need to extract the full set of keys – using the same device.
Step 4) Extract the system keybag:
./EIFT_cmd apfstool -i data.dmg -p /keybags/systembag.kb -e -o systembag.kb -k keys_bfu.plist --no-passcode
If a very old version of watchOS is installed, HFS may still be used. In that case replace apfstool with hfstool:
./EIFT_cmd hfstool -i data.dmg -p /keybags/systembag.kb -e -o systembag.kb -k keys_bfu.plist --no-passcode
Unfortunately, Apple does not provide IPSW files for Apple Watch, so we could not downgrade and test ourselves (as we did for every iOS version we list as supported).
When you run the diskdump command, EIFT displays the device information, including the file system type. Alternatively, use:
./EIFT_cmd info
Example output:
[INFO] Commandline args: ramdisk diskdump -o data.dmg
[INFO] Got device:
Mode: [ramdisk]
CPID: 7002
BDID: 4
KernelVersionBooted: xnu-4570.70.24~1
PlatformUUID: <PUUID>
ProductType: Watch1,2
udid: <UUID>
Mounts:
[RW] (hfs) /dev/md0 -> /
[RW] (devfs) devfs -> /dev
APFS Volumes:
/dev/disk0s1s1 (Bahar13S661.N28aOS) [NONE]
Snapshot: com.apple.os.update-740A86696B3644B57CC6DE4400FB720F0C55620E
/dev/disk0s1s2 (Data) [NONE]
[INFO] [*] APFS filesystem detected!
[INFO] Writing dump to 'data.dmg'
[INFO] Dumping full disk! (APFS)
Indicators such as the line "[INFO] [*] APFS filesystem detected!" and the listed APFS volumes confirm the use of APFS. If there is no mention of APFS, it must be HFS.
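As an added example, not code from the article or from EIFT, the following Python parses device info text in the format shown above and chooses apfstool or hfstool for the keybag step using the same indicators. The embedded sample is a constructed copy of the listing above; the function names and the returned dictionary layout are my own.

```python
"""Detect APFS vs HFS from EIFT device info text and build the keybag command (added example)."""
import re

# Constructed sample, copied from the listing in the article (UUIDs elided there as well).
SAMPLE_INFO = """\
[INFO] Got device:
Mode: [ramdisk]
CPID: 7002
BDID: 4
KernelVersionBooted: xnu-4570.70.24~1
ProductType: Watch1,2
Mounts:
[RW] (hfs) /dev/md0 -> /
[RW] (devfs) devfs -> /dev
APFS Volumes:
/dev/disk0s1s1 (Bahar13S661.N28aOS) [NONE]
Snapshot: com.apple.os.update-740A86696B3644B57CC6DE4400FB720F0C55620E
/dev/disk0s1s2 (Data) [NONE]
[INFO] [*] APFS filesystem detected!
"""

_VOLUME_RE = re.compile(r"(/dev/\S+)\s+\((.*?)\)")


def parse_device_info(text: str) -> dict:
    """Return {'fields': {...}, 'apfs_volumes': [(dev, name), ...], 'apfs': bool}.

    Note: the '(hfs) /dev/md0 -> /' entry under Mounts is the booted ramdisk's own
    root, not the device's data partition, so Mounts is deliberately not used as
    an HFS indicator. Only the APFS volume list and the detection line count.
    """
    info = {"fields": {}, "apfs_volumes": [], "apfs": False}
    in_volumes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "APFS filesystem detected" in line:
            info["apfs"] = True
            in_volumes = False
            continue
        if line == "APFS Volumes:":
            in_volumes = True
            continue
        if in_volumes and line.startswith("/dev/"):
            m = _VOLUME_RE.match(line)
            if m:
                info["apfs_volumes"].append((m.group(1), m.group(2)))
            continue
        if in_volumes and line.startswith("Snapshot:"):
            continue  # belongs to the volume above it; not a device field
        if line.startswith("["):
            continue  # [INFO] log lines and [RW] mount entries
        if ":" in line:
            key, _, value = line.partition(":")
            info["fields"][key.strip()] = value.strip()
            in_volumes = False
    # Listed APFS volumes are as good an indicator as the explicit detection line.
    info["apfs"] = info["apfs"] or bool(info["apfs_volumes"])
    return info


def keybag_extract_command(info: dict, image="data.dmg", keys="keys_bfu.plist",
                           out="systembag.kb") -> list:
    """Step 4 command line from the article, with the tool chosen by file system."""
    tool = "apfstool" if info["apfs"] else "hfstool"
    return ["./EIFT_cmd", tool, "-i", image, "-p", "/keybags/systembag.kb",
            "-e", "-o", out, "-k", keys, "--no-passcode"]


if __name__ == "__main__":
    parsed = parse_device_info(SAMPLE_INFO)
    print(parsed["fields"]["ProductType"], "APFS" if parsed["apfs"] else "HFS")
    print(" ".join(keybag_extract_command(parsed)))
```

Feed it the saved output of ./EIFT_cmd info (or the diskdump log) instead of SAMPLE_INFO; an HFS device produces no "APFS Volumes:" section and no detection line, so the same function selects hfstool.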
Step 5) Crack the passcode (skip if you already know it):
./EIFT_cmd ramdisk passcode -b systembag.kb -k keys_bfu.plist
Step 6) Obtain a full set of keys:
./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p <PASSCODE>
Replace <PASSCODE> with the actual passcode, e.g.:
./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p 0000
If no passcode is set, omit the -p parameter.
You should now have keys.plist, the complete set of decryption keys.
Congratulations – you have completed Perfect Acquisition. The device is no longer needed; the dump and keys can now be used to decrypt all data.
APFS is still relatively new. Unlike HFS+, which has been around for nearly 30 years, APFS was introduced in iOS only in late 2017 and has undergone several changes, including some that break backward compatibility.
Unfortunately, to our knowledge, no commercial forensic tool supports raw iOS APFS dumps (which differ slightly from non-Apple Silicon macOS dumps). Even with a decrypted dump (which is harder to achieve than with HFS), no tool is available to process the data further.
This is unfortunate because APFS is a forensic goldmine, offering features like transactions and copy-on-write. These can help reconstruct recently deleted files or sometimes recover a history of the most recent file modifications.
Until a tool that fully supports APFS is available, we still need a way to access data. That’s why we developed an APFS FUSE driver, and shipped it with EIFT. It allows you to mount the dump as if it were a USB drive, and is available on macOS, Linux, and Windows (with macFUSE, FUSE, and WinFSP respectively).
To mount the image:
./EIFT_cmd apfstool -i data.dmg -k keys.plist --mount
You can also mount HFS images (quite useful, especially on Windows):
./EIFT_cmd hfstool -i data.dmg -k keys.plist --mount
The mount point is always read-only (non-configurable) to ensure sound forensic practices. Files are decrypted on-the-fly using the full set of keys that have been dumped earlier.
You can also extract the keychain:
./EIFT_cmd tools keychain -i data.dmg -k keys.plist -o keychain.xml
In this article, we introduced Perfect APFS Acquisition – removing one of the final limitations of Perfect Acquisition and adding Apple Watch S0 to the list of supported devices.
We provided background on S0 and APFS and walked through a complete step-by-step guide for performing Perfect Acquisition on this unique device.
Although this feature has existed in EIFT for some time, we hadn’t announced it broadly due to the rarity of the S0 in real-world forensic cases. However, we’re publishing this now because we’re on the verge of releasing an update that removes the final limitation – adding passcode cracking inside SEP.
Stay tuned for more exciting updates soon!