Michael Mirosnichenko
Posted on December 14, 2021
Read this article about the top tools for recovering data lost from APFS drives used in Mac computers and other Apple devices. We will explore thoroughly what each of the utilities can do!
Introduction
Apple File System, or APFS, is the new file system by Apple, used on the latest Mac devices. However, this file system is in no way an extension of HFS+. In APFS, you are not going to find the things we remember from HFS+: Catalog File, Attribute File, Allocation File, and Extent Overflow File, as well as the journal. The new file system uses a different approach to protect changes to the files and their data.
As we know, this file system has been optimized for flash drives and SSDs.
The main innovations in this file system are improved encryption algorithms, optimized memory usage, crash protection, cloning of files and folders, and smart space usage patterns. In practice, it means more stable operation, increased read/write speeds and even more protection for user data. But what if crash protection didn’t work and some data was lost?
The method of recovery
APFS offers an opportunity to restore certain states of the file system, including restoration of old or removed versions of files. The container superblock contains a link to an element known as a checkpoint. This checkpoint refers to the preceding container superblock, which stores information on an older state of the file system. This way, we can try to restore several older states of the file system by analyzing this chain of superblocks inside the container.
APFS is a file system that uses the copy-on-write principle, which is why every block is copied before changes are applied. Therefore, there is a kind of history for all files which have not been overwritten and comply with the file system structure. This fact leads to a number of artifacts which can be used in the course of file recovery.
Based on what we know about such artifacts, we have defined various approaches to file recovery, relying on various types of artifacts as starting points. All methods deal with the file system in blocks of 4096 bytes, which is the smallest block size observed in APFS. These blocks are checked for the presence of metadata structures, which are, in turn, analyzed and used for file extraction.
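The block-wise search described above, as an added example (not code from this article or from any of the tested tools): it walks a disk image in 4096-byte blocks, picks out container superblock copies by their `NXSB` magic, verifies each block's Fletcher-64 checksum, and orders the survivors by transaction id so that older file system states can be told apart. Field offsets follow Apple's published APFS reference; the helper names and the sample image are constructed for illustration.

```python
import struct

BLOCK = 4096        # smallest APFS block size, per the article
NX_MAGIC = b"NXSB"  # container superblock magic at block offset 32
M = 0xFFFFFFFF      # modulus of the Fletcher-64 variant APFS uses

def _sums(data, s1=0, s2=0):
    for (w,) in struct.iter_unpack("<I", data):
        s1 = (s1 + w) % M
        s2 = (s2 + s1) % M
    return s1, s2

def checksum_ok(blk):
    # Body first, then the stored 8-byte checksum: both sums must end at 0.
    return _sums(blk[:8], *_sums(blk[8:])) == (0, 0)

def make_checksum(body):  # only used to build the constructed sample
    s1, s2 = _sums(body)
    c1 = M - (s1 + s2) % M
    c2 = M - (s1 + c1) % M
    return struct.pack("<II", c1, c2)

def find_superblocks(image):
    """Return (xid, block_no, checksum_valid) for every NXSB block, newest first."""
    hits = []
    for off in range(0, len(image) - BLOCK + 1, BLOCK):
        blk = image[off:off + BLOCK]
        if blk[32:36] == NX_MAGIC:
            xid = struct.unpack_from("<Q", blk, 16)[0]  # transaction id
            hits.append((xid, off // BLOCK, checksum_ok(blk)))
    return sorted(hits, reverse=True)

def sample_superblock(xid):
    body = bytearray(BLOCK - 8)                   # everything after the checksum
    struct.pack_into("<QQI", body, 0, 1, xid, 1)  # oid, xid, type (constructed)
    body[24:28] = NX_MAGIC                        # lands at block offset 32
    return make_checksum(bytes(body)) + bytes(body)

def build_sample():  # constructed 6-block image, block 0 wiped
    img = bytearray(6 * BLOCK)
    img[2 * BLOCK:3 * BLOCK] = sample_superblock(41)
    img[4 * BLOCK:5 * BLOCK] = sample_superblock(42)
    torn = bytearray(sample_superblock(40))
    torn[100] ^= 0xFF                             # simulate a partly overwritten copy
    img[5 * BLOCK:6 * BLOCK] = torn
    return bytes(img)

if __name__ == "__main__":
    for xid, block_no, ok in find_superblocks(build_sample()):
        print(f"xid={xid} block={block_no} checksum={'ok' if ok else 'BAD'}")
```

Run it against a saved image of the drive rather than the live volume; a copy whose checksum fails is a candidate that was partly overwritten and should not be trusted as a starting point.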
Only Mac computers running macOS High Sierra or later can read and write to APFS disks. Windows computers require special software to access such volumes.
Data recovery utilities let you recover data from APFS drives without having to use any additional software. They find partitions of this type and add them to the drive manager. In order to recover any information, you need to connect an APFS drive to a Windows computer.
The APFS file system is designed to store data in its root directory, which contains all other directories and files, including the ones we’re interested in.
We have conducted a benchmark involving the most popular data recovery tools, and you can find all the results below.
Top Tools to Recover Data from APFS Drives
On a computer with macOS Catalina, we created a structure of several containers, with volumes inside each of them. After that, we scanned the test disk with the most popular data recovery solutions.
Initially, we selected the following products for the test: Hetman Partition Recovery, R-Studio, EaseUS Data Recovery Wizard, Disk Drill, and Recuva. As we examined them more closely, we had to exclude Disk Drill and Recuva from the list as they don’t support the APFS file system. It was an astonishing fact, because these products are among the most popular solutions, and Disk Drill even sets the recovery standard for Mac computers.
In the end, we started the test to see which of the three utilities performs best: Hetman Partition Recovery, R-Studio, or EaseUS Data Recovery Wizard.
We have copied some photos, videos, and documents to the test disk, and then removed some of the data.
We performed the tests on a computer running Windows 10.
Testing Hetman Partition Recovery
The program recognized the test disk with APFS file system properly. In this case of a simple deletion, a fast scan will suffice.
The program was able to find all the files without effort; both the existing files and the removed files are displayed, and the ones that have been deleted are marked with a red cross. Their contents can be previewed if necessary. The disk structure and file names are retained.
All we have to do is to save the recovered files to a disk.
Testing R-Studio
This program also recognizes the test disk and identifies the file system type properly.
However, after a quick scan it can’t display any removed data.
After the full scan, the program managed to find the deleted data, and marked it with a red cross. The disk structure and file names are retained, and the files are available for preview.
Testing EaseUS
This program displays the test disk, but we could only identify it by its size, because neither its name nor its file system type is shown.
There is no such thing as a quick scan here, so an advanced scan starts immediately.
In the end, EaseUS fails to display the disk structure (as the other two candidates did), file names are lost, and the files are only sorted into folders by file type. There are no markings to suggest whether this is deleted data or data which is still on the disk, so it’s hard to tell whether the program was able to find only removed files, or it decided to display all the files.
The only hint we could use was the number of documents, photos and videos which is shown in each folder.
This program has coped with the task, though it took more time, and it was unable to restore the directory tree!
Summing up, all the candidates have passed the first test, but some were rather inconvenient to use.
By the way, here’s one more important remark: EaseUS has no option to save a disk image and then mount it and use it for further recovery operations, which is quite unsafe when you’re dealing with cases of data loss. Every time you run the scan, there is a risk of losing important data, so the best way to scan the disk is to use its image rather than the actual volume. This approach will increase the chances of recovering files without causing additional damage.
Container Superblock removed
We have decided to make things more complicated and simulate damage to the container superblock, which is located in the first two sectors of the test disk.
Using a Hex editor, we have erased these two sectors. After that, we have scanned the disk with each of the utilities and received some interesting results.