macOS 26 Tahoe Introduces New Image Formats: What Examiners Need to Know

Apple’s release of macOS 26 “Tahoe” brought several cosmetic changes and cloud-focused apps, but one of the most significant forensic developments is hidden inside Disk Utility. Users now have the option to create new image types, specifically the Apple Sparse Image Format (ASIF) and the updated Sparse Bundle Image (UDSB). These are not just minor updates. They directly impact how examiners must approach Mac evidence.

What is the Apple Sparse Image Format (ASIF)?

The Apple Sparse Image Format (ASIF) is a new type of virtualized disk image introduced in macOS 26. It is similar to legacy DMG and sparse images but with one critical difference: an ASIF container can be formatted to any file system. This means an ASIF could contain APFS, HFS+, FAT, exFAT, or even NTFS volumes.

From a forensic standpoint:

• An ASIF is a single file that behaves like an entire storage device when mounted on macOS.
• If encrypted, the image appears as random data until mounted with the correct credentials.
• Most importantly, ASIF images are a macOS-native format. They cannot be reliably mounted or examined outside of macOS without native support.
• Non-Mac forensic tools will typically see only a binary blob.

The Sparse Bundle Image (UDSB)

Apple also refreshed the Sparse Bundle Image (UDSB) format, which Mac users will see in Disk Utility when creating disk images. Sparse bundles are made up of many smaller “band” files that grow as needed, rather than storing everything in a single monolithic image.

Key points for examiners:

• Like ASIF, UDSB can be formatted to any file system.
• The bundle structure makes copying and syncing easier for Apple systems but can confuse third-party forensic tools.
• Modification times on the container do not always match activity inside the mounted volume.
• Outside of macOS, UDSB images are difficult to mount and often unreadable without Apple’s APIs.

Why This Matters

This reinforces a long-standing truth: you need a Mac to examine a Mac. With ASIF and UDSB, critical data may be invisible if the evidence is only processed on non-Mac platforms. Examiners must incorporate macOS-native environments into their workflows to ensure they do not overlook entire volumes of evidence.

Staying Ahead

At SUMURI, we design training to prepare examiners for changes like these. Our Mac Forensics courses are vendor-neutral and focused on teaching investigators how to identify, mount, and analyze new macOS formats properly. Apple will continue moving toward flexible, cloud-integrated storage. Examiners who stay in Windows-only or Linux-only workflows will be at a disadvantage.

Bottom line

ASIF and UDSB are not just technical curiosities. They are new ways evidence can be concealed in macOS 26 Tahoe. Examiners need updated workflows, native Mac tools, and the right training to ensure nothing is missed.