Apple File System (APFS) for macOS was officially released in High Sierra, September 2017, and it still is a hot topic. This article is only meant to provide a short answer to a popular question. We highly recommend that forensic examiners attend the Essential Forensics Techniques Course I to learn in more depth how to acquire and examine APFS.
When booting to MacQuisition attached directly to a Mac with single disk (non-Fusion), disk0 is usually the physical disk and disk1 is the APFS container.
In the example image above, BlackLight can support processing an image of disk0 or an image of disk1. However, we typically recommend for non-T2 chip, single disk APFS, to image the entire physical disk (disk0). Below are the reasons why:
1- The physical disk contains all user and system data.
2- If the user created a Boot Camp partition for Windows OS, the Boot Camp partition is on the physical disk and not within the APFS container.
3- There are some cases where an examiner may want to mount the image on macOS to view or export data. It is possible to mount an image of the physical disk on macOS, however it is not possible to mount an image of the APFS container.
4- Apple implemented FileVault encryption differently with APFS in comparison to CoreStorage and HFS+. For examiners used to unlocking CoreStorage FileVault and seeing a new disk with decrypted data, Apple did not make this possible for APFS. Therefore, it does not benefit to unlock FileVault and create an image of the APFS container (disk1). For more information on APFS encryption, see this article.
Notice we specified non-T2 chip in the description above. It is important if you are using a version of MacQuisition prior to 2019R1, that you check for the T2 chip. The late 2017 iMac Pro and all 2018 models have a T2 chip with built-in SSD encryption. Version 2019R1 will detect the T2 chip and provide a solution for creating an image with decrypted data. If using a version prior to 2019R1, we recommend following this blog post and conducting a Data Collection.
For Macs with APFS Fusion and 2 physical disks, please refer to this article.