paragon-software-group / paragon_apfs_sdk_ce

Paragon APFS SDK Free

Home Page: https://www.paragon-software.com/free/apfs-sdk-ce

License: Other

CMake 0.83% C++ 90.50% C 8.07% Shell 0.16% Objective-C 0.43%
apfs sdk linux windows macos paragon filesystem volume encryption forensics

paragon_apfs_sdk_ce's Introduction

Paragon APFS SDK Community Edition

Paragon APFS SDK allows developers to access APFS volumes from their forensic software, applications, devices, and appliances on non-Apple platforms.

Changelog

Date         Event
2017         Create
June, 2019   Publication

Sources

Folder    Content
linutil   sources of apfsutil and UFSD interfaces implementation
ufs       UFSD SDK: interfaces, headers, Paragon APFS sources, common and 3rd-party components

Key Features

  • Cross-platform implementation for Windows, Linux, macOS, RTOSes, and UEFI environments
  • Regularly updated libraries. Every build is tested for reliability, functionality, and performance before leaving the lab
  • Full read-only access to any APFS volume:
    • Folder enumeration (both case-sensitive and case-insensitive)
    • File reading (including cloned and compressed files)
    • Get a list of file extended attributes (xattr)
    • Accessing all APFS sub-volumes
    • Reading encrypted volumes (if OpenSSL is present and detected by CMake)

Limitations

  • Read-only access to APFS volumes. A read-write version of Paragon APFS SDK will be available soon on the site: https://www.paragon-software.com/
  • Only the first sub-volume can be accessed on 32-bit platforms
  • Stable work with 16TB+ volumes is not guaranteed
  • No support for hardware-encrypted APFS volumes
  • No support for Big Endian platforms (MIPS, PowerPC)

apfsutil

A utility that tests and demonstrates the UFSD SDK capabilities. Usage:

$ apfsutil <test_name> [options] /dev/xxx/path/to/file/or/folder

where:
    test_name      name of the test to run (see 'User scenarios' section)

options:
   --passN=password  use password for the volume N (for encrypted volumes). APFS volumes are listed from N=1 to 100
   --trace           turn on UFSD trace
   --subvolumes      mount all sub-volumes (All sub-volumes from the container will be "mounted" in the 'Ufsd_Volumes' folder in the root)

For example:

$ sudo apfsutil readfile /dev/sdb1/test_folder/newfile.txt
$ sudo apfsutil enumfolder --subvolumes --pass1=qwerty --pass2=qwerty2 /dev/sdb1/Ufsd_Volumes/Untitled/test_folder

or, on Windows:

$ apfsutil enumfolder f:\test_folder

Important: All operations are only available for unlocked (unmounted) APFS containers!

Build prerequisites

  • C++ compiler
  • CMake
  • (Optional) OpenSSL library

How to build

Linux/Mac OS

$ mkdir .build
$ cd .build
$ cmake ..
$ cmake --build .

Windows

There are two ways to build apfsutil under Windows:

  1. Compile with MSVC from VS2015 or later.
  2. Download and install MinGW, add the MinGW "bin" directory to the PATH system environment variable, and run cmake with the "MinGW Makefiles" generator:

$ mkdir .build
$ cd .build
$ cmake -G "MinGW Makefiles" ..
$ cmake --build .

If you have both the MinGW "bin" and MSYS "bin" directories in PATH, use the "MSYS Makefiles" generator instead.

Warning: the --trace option is available only in debug builds. To build in debug mode:

$ cmake -DCMAKE_BUILD_TYPE=Debug ..

User scenarios

apfsutil already contains some simple user scenarios, such as:

test name        test description
enumroot         root folder enumeration
enumfolder       sub-directory enumeration
readfile         file reading
listea           list and show all file extended attributes
listsubvolumes   show all sub-volumes from the container

Sub-volumes

apfsutil can work with all sub-volumes in an APFS container. To mount all of them, add the --subvolumes option to the apfsutil arguments. Without this option, only the main (1st) volume is mounted. Paragon APFS SDK puts sub-volumes in the "/Ufsd_Volumes" folder. To read or enumerate files and folders on a sub-volume, specify its full path. For example, first get a list of sub-volumes. Note that for this user scenario the --subvolumes option is optional. If the required sub-volume name is already known, this step can be skipped.

$ apfsutil listsubvolumes /dev/xxx
Volumes:
Untitled Volume2 MyEncryptedVolume
APFS: listsubvolumes returns 0. finished in 4 ms

Then enumerate the root folder of the sub-volume, or read any file:

$ apfsutil enumfolder /dev/xxx/Ufsd_Volumes/Untitled
$ apfsutil readfile /dev/xxx/Ufsd_Volumes/Untitled/testfile.txt

How to add your case

To create your own custom case, add its name (any name that is not already defined) to the list named s_Cmd in linutil/apfsutil.cpp and create a command handler (function) there.

static const t_CmdHandler s_Cmd[] = {
  { "enumroot"        , OnEnumRoot         },   // readdir example
  { "enumfolder"      , OnEnumFolder       },   // enumerate folder
  { "readfile"        , OnReadFile         },   // file reading
  { "listea"          , OnListEa           },   // list all extended attributes
  { "listsubvolumes"  , OnEnumSubvolumes   },   // sub-volumes enumeration
  // handlers for RW version
  { "createfile"      , OnCreateFile       },   // create file
  { "createfolder"    , OnCreateFolder     },   // create folder
  { "queryalloc"      , OnQueryAlloc       },   // list file extents (allocations)
  { "fsinfo"          , OnFsInfo           },   // get file system information
  //
  // TODO: add your handlers here
  // ...
  { NULL      , NULL },
};

The test handler must be of type:

typedef int (*HandlerFunc)(CFileSystem*, const char*);

Inside your handler, all public functions of the base UFSD classes CFileSystem, CFile, and CDir are available (for more details see ufs\ufsd\include\ufsd\u_fsbase.h).

After rebuilding the utility, the new test case can be started:

$ sudo apfsutil my_new_case /dev/xxx/path/to/file/or/folder

Read-Write access

Some operations require the full Read-Write sources (that version will be available soon on the site: https://www.paragon-software.com/). In the Community Edition these cases return a "not implemented" error.

test name      test description
createfile     file creation
createfolder   folder creation
queryalloc     list file extents
fsinfo         information about the file system (all sub-volumes, even encrypted)

fsinfo example

$ sudo apfsutil fsinfo /dev/sdb1
APFS Volume [0] 0F7AFC7E-BDF6-4546-8494-2A0C449E8D1F
  Name               : volume1 (Case-insensitive)
  Creator            : newfs_apfs (945.200.129)
  Used Clusters      : 1187894
  Reserved Clusters  : 0
  Files              : 63478
  Directories        : 1630
  Symlinks           : 5
  Special files      : 0
  Snapshots          : 0
  Encrypted          : Yes

APFS Volume [1] D45089E3-D391-4246-9490-B4EAC8D4E395
  Name               : volume2 (Case-insensitive)
  Creator            : diskmanagementd (945.200.129)
  Used Clusters      : 270
  Reserved Clusters  : 0
  Files              : 71
  Directories        : 19
  Symlinks           : 1
  Special files      : 0
  Snapshots          : 0
  Encrypted          : No

APFS Volume [2] 9D8EBA18-B110-4FCB-86FC-3E18B304628E
  Name               : volume3 (Case-insensitive)
  Creator            : diskmanagementd (945.200.129)
  Used Clusters      : 265
  Reserved Clusters  : 0
  Files              : 64
  Directories        : 18
  Symlinks           : 0
  Special files      : 0
  Snapshots          : 0
  Encrypted          : No

apfsutil error codes

The utility can return the following exit codes:

code                        description
0                           all is OK, no error
-1                          invalid command line parameters
-2                          invalid or empty device name
-3                          the device is mounted (linux only)
-4                          no handler specified for the selected test_name
-5                          misuse of the --pass option
0xA0001001 ... 0xA0001026   errors from the Paragon APFS SDK (console output will contain an error message)
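
The sub-volume procedure and the exit-code table above, combined into one script as an added example (not part of the Paragon SDK; the function names are hypothetical). It assumes the whitespace-separated listsubvolumes layout shown in the README sample, and that apfsutil hands the table's values to the shell unchanged, where a POSIX shell keeps only the low 8 bits of the status.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the SDK.

# Read `apfsutil listsubvolumes` output on stdin and print one
# <device>/Ufsd_Volumes/<name> path per sub-volume. Assumes the layout in the
# README sample: "Volumes:", whitespace-separated names, then an "APFS:" line.
# A volume name containing spaces cannot be recovered from that layout.
subvolume_paths() {
  awk -v dev="$1" '
    /^Volumes:/ { in_list = 1; next }
    /^APFS:/    { in_list = 0 }
    in_list     { for (i = 1; i <= NF; i++) print dev "/Ufsd_Volumes/" $i }
  '
}

# Map the 8-bit status a POSIX shell reports in $? back to the README table.
# Negative codes wrap modulo 256 (-1 -> 255, -5 -> 251); SDK codes
# 0xA0001001..0xA0001026 keep only their low byte (0x01..0x26, i.e. 1..38).
explain_status() {
  case $1 in
    0)   echo "ok" ;;
    255) echo "invalid command line parameters" ;;
    254) echo "invalid or empty device name" ;;
    253) echo "device is mounted" ;;
    252) echo "no handler for test_name" ;;
    251) echo "misuse of --pass" ;;
    *)
      if [ "$1" -ge 1 ] && [ "$1" -le 38 ]; then
        printf 'SDK error 0xA00010%02X\n' "$1"
      else
        echo "unknown status $1"
      fi ;;
  esac
}

# Enumerate the root of every sub-volume of an unmounted container.
# Encrypted volumes additionally need --passN=... (not handled here).
enum_all_subvolumes() {
  out=$(apfsutil listsubvolumes "$1") || { explain_status "$?" >&2; return 1; }
  printf '%s\n' "$out" | subvolume_paths "$1" | while read -r p; do
    apfsutil enumfolder --subvolumes "$p" </dev/null || explain_status "$?" >&2
  done
}

# Constructed sample: the listsubvolumes output shown in the README.
SAMPLE_OUTPUT='Volumes:
Untitled Volume2 MyEncryptedVolume
APFS: listsubvolumes returns 0. finished in 4 ms'

printf '%s\n' "$SAMPLE_OUTPUT" | subvolume_paths /dev/xxx
explain_status 253
```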

Licensing

The license for this project is defined in a separate document "LICENSE.txt". Paragon APFS SDK also contains the following code:

paragon_apfs_sdk_ce's People

Contributors

avsytar, bazalise, sergeyshibaev


paragon_apfs_sdk_ce's Issues

On MacOS X Mojave cannot list APFS volumes

Trying to list APFS volumes on MacOS X Mojave (10.14.5) and getting an access error:

┖─── ♨  sudo -EHs bin/apfsutil listsubvolumes /dev/disk1s1
Can't open "/dev/disk1s1" : Operation not permitted
"apfsutil": Error 0x1

But diskutil can return the list of volumes:

┖─── ♨  diskutil apfs list
APFS Container (1 found)
|
+-- Container disk1 71ED49CC-9A97-4615-B755-E3959E311126
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      121123069952 B (121.1 GB)
    Capacity In Use By Volumes:   102188486656 B (102.2 GB) (84.4% used)
    Capacity Not Allocated:       18934583296 B (18.9 GB) (15.6% free)
    |
    +-< Physical Store disk0s2 E4F693A5-A1D1-4787-8F31-C4CBFD192893
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       121123069952 B (121.1 GB)
    |
    +-> Volume disk1s1 38311238-EFE5-33A8-B349-D1FFDDAD0882
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         97213472768 B (97.2 GB)
    |   FileVault:                 No
    |
    +-> Volume disk1s2 976C60B8-B9C1-4A8A-8415-33647CE92BE9
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         43548672 B (43.5 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s3 B596F7EA-27B4-4FDF-BFA5-6639B694BF7B
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               /Volumes/Recovery
    |   Capacity Consumed:         509833216 B (509.8 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s4 832372DB-55A5-4DC9-82B1-9BE6D688F452
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /private/var/vm
        Capacity Consumed:         4295245824 B (4.3 GB)
        FileVault:                 No

How to uninstall?

Hi
I was able to install but it's not stable enough for my use case so I intended to purchase the "pro" version from paragon.com but I can't find any uninstall instructions. Can I get some guidance?

Thanks

Retail_9.7.11_b776: Umount volume issue

umount volume issue
https://archive.org/details/pearOS_Monterey_64bit-12-beta-2021.07.01

$ uname -a
Linux macmini71 5.14.0-1036-oem #40-Ubuntu SMP Mon May 9 09:15:08 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$ dmesg | grep apfs
[ 6.310401] uapfs: module license 'Commercial product' taints kernel.
[ 6.311527] uapfs: driver (UFSD_HEAD lke_9.7.11_b776, acl, sd2(5)) loaded at 000000009e19f90c
[ 6.311529] uapfs: PAGE_SIZE=4K, THREAD_SIZE=16k
[ 6.311530] uapfs: Kernel .config hash: original 0x4719d2c6, current can't check.
[ 529.732679] uapfs: "mount" (sda2): is mounted as apfs(rw) at 2023-06-04 05:01:33
[ 831.387621] uapfs: "pool-udisksd" (sda2): is unmounted at 2023-06-04 05:06:35

$ umount /dev/sda2
umount: /dev/sda2: not mounted.

$ umount /media/me/uapfs
umount: /media/me/uapfs: not mounted.

$ sudo umount -t apfs uapfs fuse
umount: bad usage

$ sudo umount -t apfs /dev/sda2 /media/me/uapfs
umount: /dev/sda2: not mounted.
umount: /media/me/uapfs: not mounted.


~/Downloads/ParagonAPFS/install/ufsd_driver_Retail_APFS_lke_9.7.11_b776$ sudo ./install.sh
By installing this software you accept the terms of End User License Agreement listed in License file.
Continue installing? [yes/no/read].
yes
Searching and removing previously installed UFSD driver in /lib/modules/5.14.0-1036-oem/
Would you like UFSD driver to rebuild after kernel updates? [yes/no]
yes
Setting DKMS configuration
Preparing to install
This system doesn't support Secure Boot
Secure Boot not enabled on this system.
Building and installing driver to kernel 5.14.0-1036-oem
Driver was installed to system
Setting driver autoload at system startup
Setting driver autoload at system startup
Installation complete!
~/Downloads/ParagonAPFS/install/ufsd_driver_Retail_APFS_lke_9.7.11_b776$


$ apfsutil
apfsutil: command not found
$ apfsutils
apfsutils: command not found
$ apfs-utils
apfs-utils: command not found

Decryption doesn't seem to work

Tried reading an encrypted volume, code didn't work, wrong IV. AES256

apfsutil: Parameters of APFS->le:
apfsutil: === Main superblock header ======
apfsutil: Magic [NXSB]  : NXSB
apfsutil: Version       : 2 (macOS 10.13)
apfsutil: Checkpoint id : 0x5a, next: 0x5b
apfsutil: Total blocks  : 0xfff6, ro
apfsutil: BlockSize     : 0x1000
apfsutil: Current SB    : 0x2 + 2
apfsutil: SB area       : 0x1 + 0x8, next: 0x4
apfsutil: Meta area     : 0x9 + 0x14c, next: 0x5d
apfsutil: CSB map       : 0x3
apfsutil: Volume root   : 0xf89f
apfsutil: KeyBag        : 0x17d + 0x1
apfsutil: =====================================
apfsutil: === Last checkpoint superblock header ======
apfsutil: Magic [NXSB]  : NXSB
apfsutil: Version       : 2 (macOS 10.13)
apfsutil: Checkpoint id : 0x5a, next: 0x5b
apfsutil: Total blocks  : 0xfff6, ro
apfsutil: BlockSize     : 0x1000
apfsutil: Current SB    : 0x2 + 2
apfsutil: SB area       : 0x1 + 0x8, next: 0x4
apfsutil: Meta area     : 0x9 + 0x14c, next: 0x5d
apfsutil: CSB map       : 0x3
apfsutil: Volume root   : 0xf89f
apfsutil: KeyBag        : 0x17d + 0x1
apfsutil: =====================================
apfsutil: Apfs container has 1 volumes
apfsutil: === Parameters of APFS volume 0 ======
apfsutil: Magic [APSB]    : APSB
apfsutil: Object id       : 0x402
apfsutil: Checkpoint id   : 0x5a
apfsutil: Features        : 0x2 ro=0 inc=0x8
apfsutil: Role            : 0
apfsutil: Volume name     : SevenZip
apfsutil: Blocks used     : 0xd77b
apfsutil: LocTree root    : 0xf88e
apfsutil: ExtentTree root : 0xf88b
apfsutil: SnapTree root   : 0x177
apfsutil: Dirs            : 0x24c
apfsutil: Files           : 0x24fe
apfsutil: Symlinks        : 0
apfsutil: Other           : 0
apfsutil: Snapshots       : 0
apfsutil: FileNames       : case sensitive
apfsutil: =====================================
apfsutil: Encrypted volume, ReadOnly Support
apfsutil: Start loading keybag...
apfsutil: Wrong initialization vector value for kek 0x9c3c5e4af3e641ef, should be 0xa6a6a6a6a6a6a6a6
apfsutil: ~CUnixSuperBlock -> 0
apfsutil: ~CUnixFileSystem -> 0

Some directories not loading from Mac SSD - what could be the problem?

Hi! Thanks for any help.

I am running the apfs utility from a USB bootable ubuntu version 20.04 for a Mac OS X SSD. I notice some directories are missing and not being read by the apfsutil; these show up on my normal Mac OS X environment. The directories are the User directories. What could be the problem that they are not showing up? The files in the user directories are of most interest to me.

ubuntu@ubuntu:~/paragon_apfs_sdk_ce/.build/bin$ sudo /home/ubuntu/paragon_apfs_sdk_ce/.build/bin/apfsutil enumfolder /dev/sda2/Users
Dir content:
-rw-r--r-- 644 1 0 0 0 .localized
drwxrwxrwx 777 2 0 0 0 Shared
APFS: enumfolder returns 0. finished in 0 ms

Retail: Free space Error

main SSD 120GB
APFS 120GB
40GB used, 3GB free,

Because the uapfs drive/partition is mounted like a \folder,
it detects the free space of the main drive, not the mounted drive.
If the main drive has 0KB left and the mounted drive has 100GB free,
it does not allow copying or moving files into it.

In contrast, another partition formatted in HFSplus
is detected as a drive, with individual free space.

Tweak for compilation on cygwin

I made a few tweaks to allow for compilation on cygwin. I don't know the official way to submit this to you guys, and actually a final tweak involved a manual compilation line. Perhaps someone else can create a proper pull request, or tell me how to do this?

>git diff
diff --git a/linutil/ufsdio.cpp b/linutil/ufsdio.cpp
index c7c6ed8..05012a9 100644
--- a/linutil/ufsdio.cpp
+++ b/linutil/ufsdio.cpp
@@ -35,6 +35,10 @@
 //#include <assert.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#ifdef __CYGWIN__
+  #define stat64 stat
+  #define fstat64 fstat
+#endif
 #include <fcntl.h>

 #ifdef _WIN32
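
Review bot: the `#define stat64 stat` and `#define fstat64 fstat` macros in the new `__CYGWIN__` block have file-wide reach, so they rewrite those identifiers in every header included after them (starting with `<fcntl.h>`) as well as in ufsdio.cpp's own code. Moving the two defines below the last system include, or replacing them with small inline wrappers, would confine the rename to this file's code; a one-line comment saying why Cygwin needs the alias would also help the next reader.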
@@ -159,9 +163,14 @@
     #include <sys/disk.h>
   #else
     #include <malloc.h>
-    #ifndef __QNX__
-      #include <linux/hdreg.h>
-      #include <linux/fs.h>
+    #ifdef __CYGWIN__
+      #include <cygwin/hdreg.h>
+      #include <cygwin/fs.h>
+    #else
+      #ifndef __QNX__
+        #include <linux/hdreg.h>
+        #include <linux/fs.h>
+      #endif
     #endif
   #endif
   #include <sys/ioctl.h>
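
Review bot: the `<cygwin/hdreg.h>` and `<cygwin/fs.h>` includes are added by nesting the existing `#ifndef __QNX__` inside a new `#else`, which leaves three levels of conditionals for a three-way choice. Writing it as `#if defined(__CYGWIN__)` / `#elif !defined(__QNX__)` / `#endif` says the same thing flat and leaves the original Linux lines untouched, so the diff shrinks to the added branch. The patch also does not show which definitions from these two headers the code after `<sys/ioctl.h>` relies on, so it is worth confirming that the Cygwin headers actually provide them.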

I did not use the usual make.sh, because it is not detecting cygwin properly. I created a folder called "build" and from there I launched cmake with ">ccmake ../", and then generated the makefile.

"make" fails at the last step, because somehow cmake can't find the correct extension for libssl and libcrypt. This is the command that stops me from making a clean pull request for you guys; I don't know how to change CMakeLists.txt to make it work. The final link command (manually) is:

>/usr/bin/c++.exe -pipe [...] -lssl.dll -lcrypto.dll -ldl
Note the "-lssl.dll -lcrypto.dll".
