File Recovery/Imaging/Forensics from Apple Fusion Drives
Imaging
dd or ddrescue can be used to image individual physical components of a fusion drive. Individual images can be attached with hdiutil, and macOS will automatically load the fusion volume:
% sudo hdiutil attach -nomount -noverify fusion0.dmg
% sudo hdiutil attach -nomount -noverify fusion1.dmg
However, attempts to image the fusion volume directly have resulted in failure (host OS 10.15, Catalina):
% diskutil list
...
/dev/disk5 (disk image):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme +121.3 GB disk5
1: EFI EFI 209.7 MB disk5s1
2: Apple_APFS Container disk7 121.1 GB disk5s2
/dev/disk6 (disk image):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme +1.0 TB disk6
1: EFI EFI 209.7 MB disk6s1
2: Apple_APFS Container disk7 1000.0 GB disk6s2
/dev/disk7 (synthesized):
#: TYPE NAME SIZE IDENTIFIER
0: APFS Container Scheme - +1.1 TB disk7
Physical Stores disk5s2, disk6s2
1: APFS Volume Macintosh HD 417.0 GB disk7s1
2: APFS Volume Preboot 42.3 MB disk7s2
3: APFS Volume Recovery 509.7 MB disk7s3
4: APFS Volume VM 20.5 KB disk7s4
Determining Fusion Drive blocksize:
% sudo hdiutil partition /dev/disk7
Password:
scheme: none
block size: 512
_ ## Type_________________ Name_________________ Start___ Size____
+ Apple_APFS whole disk 0 9007201207856480
+ synthesized
% sudo dd if=/dev/rdisk7 of=fusion.dd bs=64k conv=noerror,sync
Password:
...
dd: /dev/rdisk7: Invalid argument
dd: /dev/rdisk7: Invalid argument
1920773+0 records in
1920773+0 records out
125879779328 bytes transferred in 1601.331294 secs (78609454 bytes/sec)
dd: /dev/rdisk7: Invalid argument
dd: /dev/rdisk7: Invalid argument
1920774+0 records in
1920774+0 records out
125879844864 bytes transferred in 1601.331310 secs (78609495 bytes/sec)
...
Attempts to image the Fusion volume with macOS (Catalina) Disk Utility and with hdiutil also failed, again at about 128G:
% hdiutil create -srcdevice /dev/rdisk7 -format UDTO -layout NONE fusion.dmg
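Since only the individual physical components image cleanly, each physical store behind the synthesized container has to be identified and imaged separately. The following shell script is an added example, not part of the original page: it reads `diskutil list` output, finds the physical stores of a synthesized APFS container, and prints one dd command per underlying disk using the dd options shown above. The function names, the embedded sample listing (constructed from the output on this page) and the shasum hashing step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. SAMPLE_LIST is constructed,
# trimmed from the `diskutil list` output shown above.
SAMPLE_LIST='/dev/disk5 (disk image):
   0:      GUID_partition_scheme                        +121.3 GB   disk5
   2:                 Apple_APFS Container disk7         121.1 GB   disk5s2
/dev/disk6 (disk image):
   0:      GUID_partition_scheme                        +1.0 TB     disk6
   2:                 Apple_APFS Container disk7         1000.0 GB  disk6s2
/dev/disk7 (synthesized):
   0:      APFS Container Scheme -                      +1.1 TB     disk7
                                 Physical Stores disk5s2, disk6s2
   1:                APFS Volume Macintosh HD            417.0 GB   disk7s1'

# Print the slices backing container $1 (e.g. disk7); listing on stdin.
physical_stores() {
    awk -v dev="/dev/$1" '
        /^\/dev\// { in_dev = ($1 == dev) }   # track which device block we are in
        in_dev && /Physical Stores?/ {
            sub(/.*Physical Stores? */, ""); gsub(/,/, " ")
            n = split($0, s, " ")
            for (i = 1; i <= n; i++) print s[i]
        }'
}

# Map a slice to its whole disk: disk5s2 -> disk5.
whole_disk() { printf '%s\n' "$1" | sed 's/s[0-9][0-9]*$//'; }

# Print the per-component imaging commands for container $1; listing on stdin.
plan_imaging() {
    container=$1
    set -- $(physical_stores "$container")
    if [ "$#" -lt 2 ]; then
        echo "error: $container has $# physical store(s), not a Fusion container" >&2
        return 1
    fi
    i=0
    for slice in "$@"; do
        echo "sudo dd if=/dev/r$(whole_disk "$slice") of=fusion$i.dmg bs=64k conv=noerror,sync"
        # Hash step is this example's addition, to record image integrity.
        echo "shasum -a 256 fusion$i.dmg"
        i=$((i + 1))
    done
}

# Demo on the constructed sample; on a live host: diskutil list | plan_imaging disk7
printf '%s\n' "$SAMPLE_LIST" | plan_imaging disk7
```

The printed commands are meant to be reviewed before being run; the resulting images can then be attached with the hdiutil commands shown at the top of this section.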
File Carving
PhotoRec can be used with moderate success to carve files from the individual physical raw images, but it fails when run on the fusion volume. As with imaging, the failures appear to happen at the physical border of the logical volume (i.e., 128G).