Biskus APFS Capture

Copy files from APFS volumes for forensic analysis (DFIR).



Biskus APFS Capture is made for one particular task:
Retrieve file information from disks formatted in Apple's new APFS file system format, without the need to mount the disk on a Macintosh computer running macOS High Sierra. Instead, it runs as a stand-alone program that reads the disk structures and copies files and metadata from the disk.

Disk Reports

CSV Report

The CSV Report file lets you search the metadata of every file in a spreadsheet program such as Microsoft Excel or Apple's Numbers.

SQLite Report

The SQLite Report file gives you even more control over all APFS metadata because it's organized the same way as the on-disk APFS directory structures, giving you individual access to every named key, inode, xattr and extent record, including CNIDs and block numbers. This enables you to perform powerful searches for hardlinks, cloned file content and other relationships that the flat CSV file can't offer. You can even use this information to access every file extent on disk yourself, e.g. for integration into other forensic toolkits, such as The Sleuth Kit.

Windows and Mac Support

The program runs on macOS 10.9 and later, and on Windows 7 and later. Linux may be supported later as well.

Are you a DFIR tools developer?

The code is available for licensing.

If you would like to add support for reading APFS disks to your own forensics products, this tool's source code can be acquired royalty-free and used in your products without restrictions (the code has no GPL dependencies).

Please inquire via the contact link below.

Questions, Feedback, Special Requests?

Contact (Thomas Tempelmann)