Computer Forensics for Dummies (ISBN by 0470371919)

Author:0470371919)
Language: eng
Format: mobi
Tags: &NEW
Published: 2011-07-01T01:27:32+00:00

NTFS also handles deleted files the same way that older FAT systems do.

The clusters are marked as being available for new files, and changes are made in the MFT to signify that the clusters are available too. This also happens when a user empties the Recycle Bin. At this point, the file system marks the clusters as available and considers the files permanently deleted, and the deleted files become part of unallocated space.

Chapter 10: Data Forensics

183

Apple: HFS

Developed by Apple in the mid-1980s and used until the company switched its operating system to Mac OS X, the Hierarchical File System (HFS) was designed to replace an earlier file system that couldn’t easily handle the larger hard drives introduced into the market at that time. One of the more notable features of HFS is the use of data and resource forks to separate the data and metadata of a file. The applications write to the data fork where data is saved (such as a word processing document or spreadsheet), whereas in the resource fork, information such as icons and menus are stored. The equivalent in the Microsoft operating system is the use of ADSs, as discussed earlier in the chapter.

The Apple HFS system uses the catalog file to keep track of all files and folders located within a volume. The catalog file stores several types of data, but the information you need resides in the file record. The types of information located in the file record area of the catalog file are described in this list: ߜ

CNID (catalog node identification): A unique number assigned by the HFS file system to each file and directory in a volume.

ߜ

Size: The size of the file located in the volume.

ߜ

Time stamp: The time and date when a file or directory was created, modified, and backed up.

ߜ

Extent: The area where the first part of the file is located on the volume.

ߜ

Fork: Pointer to where the resource fork extents are located on the volume.

The HFS system uses volumes to logically segment the physical storage device. A volume can be all or just part of a physical storage medium, with the exception of a floppy disk, which is always one entire volume. Files are stored in 512-byte logical blocks, and files that exceed this size are stored in allocation blocks, which are just strings of consecutive logical blocks. Much like the FAT and NTFS file systems, which also use a block or unit system to store files, when a file is smaller than the logical block or allocation block, data that had been written to the block previously but not overwritten is still there.

Even if you have never laid eyes on an Apple Macintosh computer running HFS, just follow basic forensic acquisition procedures. Computer forensic software, such as FTK and EnCase, read the HFS file system and do an excellent job of extracting forensic data from these systems, just as they do on Microsoft computer systems.

184 Part III: Doing Computer Forensics Investigations Since Mac OS X (Unix based) was first released in 1999, the use of HFS and its successor HFS Plus has become more remote.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.