

The HFS+ file system is comprised of 6 major components that are used to track how blocks are assigned to the disk, the file system attributes, all metadata for the file system, and the transaction log for the journaling function. These components are, in no particular order:
▪ The Volume Header
▪ The Allocation File
▪ The Catalog File
▪ The Extents Overflow File
▪ The Attributes File
▪ The Startup File

The Volume Header contains important information about the file system itself. This includes the file system attributes that define the version of the file system and the size of each allocation block used. In addition, the information for locating all the metadata files in the file system is stored in the volume header.

The Allocation File in HFS+ contains information about the nearly 4.3 million allocation blocks in the file system. This is where the file system tracks all the detailed information and usage statistics of each allocation block. You can find information about which allocation blocks are used, and which ones are free, with each block represented using a binary 1 or 0, based on whether the block is in use. This file exists as a normal file, not in a reserved space on the drive.

The Catalog File is one of the important B-trees in HFS+. In the simplest of definitions, it is a catalog that contains records for each file in the file system. Bear in mind that this also includes directories, which function as modified files. Earlier we mentioned that filenames are allowed to contain 255 characters, and that is reflected in the catalog file by the 4 KB record size of each entry (versus the 512 byte record in the original HFS). It is important to note that each entry in the catalog file is capable of holding up to 8 extents, per fork, in the file.

Once the 8 extent limit within the catalog file has been reached, the system begins recording the additional extents in the Extents Overflow File. This file records the allocation blocks on the disk that are assigned to each extent. In addition, any bad blocks on the disk are also recorded here. As with the catalog file, each record entry in the Extents Overflow File is also 4 KB.

The Attributes File is another B-tree that stores three different types of records: Fork Data Attribute records, Inline Data Attribute records, and Extension Attribute records. This is a new B-tree under HFS+ and does not have a comparable counterpart in the earlier HFS.

For our purposes, the Startup File is not really useful, since it is only intended for use in non-Mac OS systems that do not support the file system we are discussing. There is a large amount of research specific to these files available, because they are useful to law enforcement or other security engineers who perform digital forensics on computer systems. You can find more details about these different files, and their formats, by searching on the Internet.

NTFS Alternate Data Streams
In Host Integrity Monitoring Using Osiris and Samhain, 2005

Like HFS+, NTFS also has more than one data segment associated with a file; these are called Alternate Data Streams. As mentioned earlier, an NTFS file consists of attributes; the file's data is also an attribute. Most files on NTFS have only one data attribute; however, unlike HFS+, where there are two data streams, NTFS can have many data streams, because each stream is another attribute of the file. There are many reasons that NTFS supports multiple data streams, one of them being to support Macintosh files (resource forks). However, the ability to support multiple data segments in a file has created the perfect hiding place for attackers wanting to hide data on the file system. To specify a specific data stream in an NTFS file, separate the filename and the name of the stream with a colon. Using an example similar to the preceding one, you can create a new data stream in a file and add some example data, as follows:

OS X File System Artifacts
Cory Altheide, Harlan Carvey, in Digital Forensics with Open Source Tools, 2011

The file system used by OS X is called HFS Plus or Mac OS Extended. HFS+ is the successor to the Hierarchical File System (HFS) used on pre-OS X Mac operating systems. There are currently two variant HFS+ formats used to support journaling (HFSJ) and case-sensitive file names (HFSX). Beyond these extended capabilities, because these variants do not alter the function or artifacts available to the examiner, we will treat them all as “HFS+” throughout this chapter. The best source of information available about HFS+ is an Apple technical document entitled “Technical Note TN1150: HFS Plus Volume Format.”

The volume header is one of the core structures of an HFS+ volume. The volume header is always located 1024 bytes from the start of the volume, with a backup copy located 1024 bytes before the end of the volume. It stores data about the file system, including the allocation block size, the volume creation time stamp, and the location of the special files required for HFS+ operation, discussed later in the chapter.
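The volume header locations and the allocation-file bitmap described above, as an added Python example (not code from either book cited on this page): it decodes a 512-byte volume header at offset 1024 and the backup copy 1024 bytes before the end of the volume, pulls out the block size, creation timestamp and catalog-file extents, and tests a block's bit in the allocation bitmap. Field offsets, the HFS 1904 epoch and the journaled attribute bit follow TN1150; the sample image is constructed in the code and is not a real volume dump.

```python
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)   # HFS+ timestamps count seconds from 1 Jan 1904
FORK_NAMES = ("allocation", "extents", "catalog", "attributes", "startup")

def parse_fork(data):
    """HFSPlusForkData (80 bytes): logicalSize, clumpSize, totalBlocks, 8 (startBlock, blockCount) extents."""
    logical, _clump, total = struct.unpack(">QII", data[:16])
    ext = struct.unpack(">16I", data[16:80])
    extents = [(ext[i], ext[i + 1]) for i in range(0, 16, 2) if ext[i + 1]]
    return {"logical_size": logical, "total_blocks": total, "extents": extents}

def parse_volume_header(hdr):
    """Decode a 512-byte HFS+ volume header (big-endian, field offsets per TN1150)."""
    sig, version, attrs = struct.unpack(">2sHI", hdr[:8])
    if sig not in (b"H+", b"HX"):
        raise ValueError("not an HFS+/HFSX volume header: %r" % sig)
    (create,) = struct.unpack(">I", hdr[16:20])      # createDate; TN1150 stores it in local time
    block_size, total, free = struct.unpack(">III", hdr[40:52])
    forks = {n: parse_fork(hdr[112 + i * 80:192 + i * 80]) for i, n in enumerate(FORK_NAMES)}
    return {"signature": sig.decode(), "version": version, "journaled": bool(attrs & (1 << 13)),
            "created": HFS_EPOCH + timedelta(seconds=create), "block_size": block_size,
            "total_blocks": total, "free_blocks": free, "forks": forks}

def read_headers(image):
    """Primary header is 1024 bytes into the volume; the backup is 1024 bytes before its end."""
    primary = parse_volume_header(image[1024:1536])
    backup = parse_volume_header(image[len(image) - 1024:len(image) - 512])
    return primary, backup

def block_in_use(bitmap, block):
    """Allocation file: one bit per allocation block, most significant bit of each byte first."""
    return bool(bitmap[block // 8] & (0x80 >> (block % 8)))

def build_sample_image():
    """Constructed 64-block sample volume (not a real dump): header in both slots, catalog in one extent."""
    block_size, total = 4096, 64
    create = int((datetime(2011, 6, 1) - HFS_EPOCH).total_seconds())
    hdr = bytearray(512)
    struct.pack_into(">2sHI", hdr, 0, b"H+", 4, 1 << 13)          # HFS+, version 4, journaled bit set
    struct.pack_into(">I", hdr, 16, create)
    struct.pack_into(">III", hdr, 40, block_size, total, 40)       # blockSize, totalBlocks, freeBlocks
    struct.pack_into(">QII", hdr, 272, 8 * block_size, 0, 8)       # catalogFile fork data
    struct.pack_into(">II", hdr, 288, 24, 8)                       # first extent: block 24, 8 blocks
    image = bytearray(block_size * total)
    image[1024:1536] = hdr
    image[-1024:-512] = hdr
    return bytes(image)
```

Comparing the primary and backup headers is a cheap consistency check on an image; a mismatch points at either damage or a header that was rewritten without its backup.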
