Digital Forensics with Open Source Tools: Using Open Source Platform Tools for Performing Computer Forensics on Target Systems: Windows, Mac, Linux, Unix, etc by Altheide Cory & Carvey Harlan

Author: Altheide, Cory & Carvey, Harlan
Language: eng
Format: mobi, pdf
Published: 0101-01-01T00:00:00+00:00


FIGURE 6.1 File system information in HFSExplorer.

We can continue our examination using fls from the Sleuth Kit.

forensics:~$ fls nps-2009-hfsjtest1/image.gen1.dmg
r/r 3: $ExtentsFile
r/r 4: $CatalogFile
r/r 5: $BadBlockFile
r/r 6: $AllocationFile
r/r 7: $StartupFile
r/r 8: $AttributesFile
d/d 21: .fseventsd
d/d 19: .HFS+ Private Directory Data^
r/r 16: .journal
r/r 17: .journal_info_block
d/d 20: .Trashes
r/r 24: file1.txt
r/r 25: file2.txt
d/d 18: ^^^^HFS+ Private Data

The "^" marks stand for non-printable bytes that are really part of the two private directory names: ".HFS+ Private Directory Data" ends with a carriage return (0x0D), and "HFS+ Private Data" begins with four NUL bytes. Apple chose these names so that the directories (which hold hard-link targets and the data of open-but-unlinked files) do not show up in ordinary directory listings.

The "dollar" files are HFS+ special files used as the backbone of the HFS+ file system.

HFS+ Special Files

The bulk of the structures that an HFS+ volume relies upon for proper function are stored in the volume as hidden files, much like the MFT and its associated metadata files on an NTFS volume. An HFS+ volume has five such files, which are not directly accessible using standard file system utilities. The special files have no catalog records of their own; the volume header holds the fork data (size and first extents) that locates each one. The $ names in the fls listing are assigned by the Sleuth Kit, and $BadBlockFile (CNID 5) stands for the bad-block extents that are kept in the extents overflow file rather than for a sixth special file.

1. The allocation file is a bitmap with one bit per allocation block of the volume, recording whether that block is in use.

2. The catalog file contains a record for every file and directory on the volume. It serves many of the same functions that the Master File Table serves on an NTFS file system. Because everything else is found through it, the location of the catalog file's first extents is stored in the volume header, while the location of every other file is stored in its catalog record. The catalog is a B-tree whose nodes are at least 4 KB (8 KB is common); an individual file record within a node is 248 bytes. Each record is keyed by the parent folder's CNID and the object's name, and the record body holds the catalog node ID (CNID) of the file or folder, its five time stamps, ownership and mode, Finder information, and the descriptors (logical size plus up to eight extents) of the file's data and resource forks.

3. The extents overflow file contains records for forks that need more than the eight extents that fit in their catalog record. This file should be fairly sparse, as having more than eight extents indicates fairly severe fragmentation on an HFS+ file system.

4. The startup file holds information used when booting from a system that has no knowledge of HFS+.

5. The attributes file stores extended attributes for files. The per-file compression introduced in OS X 10.6 keeps its com.apple.decmpfs attribute there, so a compressed file's catalog record alone does not describe where its content lives.

One important item to note is that the allocation strategy for CNIDs is useful from an analysis perspective. CNIDs are 32-bit values handed out sequentially, starting from 16, from the nextCatalogID counter in the volume header (values 1 through 15 are reserved; the root directory is CNID 2). A CNID is not reused until the whole 32-bit range has been assigned, at which point the volume header sets a flag recording that CNIDs are being reused. Until then the CNID serves as a relative time marker: a file with a higher CNID was created on this volume later than a file with a lower CNID, regardless of what the time stamps indicate. Time stamps can be preserved on copy or set arbitrarily through the file system API, whereas the CNID cannot, and a file keeps its CNID when it is renamed or moved within the volume. A gap in the sequence means that a catalog object was allocated which the listing does not show: it may live in a subdirectory (fls without -r lists only the root, as above), or it may have been deleted. In the listing above, CNIDs 22 and 23 fall between .fseventsd (21) and file1.txt (24); take a recursive listing (fls -r) before concluding that a missing CNID belonged to a deleted file. See Chapter 9 for more information on relative time values and extended time analysis.
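
The ordering and gap analysis described above, mechanised over fls output, as an added example that is neither the book's nor the Sleuth Kit's code. The listing embedded in it is a constructed copy of the fls output shown earlier; the two private directory names carry their real control characters (a trailing carriage return and four leading NUL bytes), and the "*" handling assumes the Sleuth Kit's convention of marking deleted entries with an asterisk before the CNID.

```python
"""CNID ordering and gap analysis over fls output (added example)."""
import re

# Constructed copy of the root listing shown above (not read from the image).
FLS_OUTPUT = "\n".join([
    "r/r 3: $ExtentsFile",
    "r/r 4: $CatalogFile",
    "r/r 5: $BadBlockFile",
    "r/r 6: $AllocationFile",
    "r/r 7: $StartupFile",
    "r/r 8: $AttributesFile",
    "d/d 21: .fseventsd",
    "d/d 19: .HFS+ Private Directory Data\r",
    "r/r 16: .journal",
    "r/r 17: .journal_info_block",
    "d/d 20: .Trashes",
    "r/r 24: file1.txt",
    "r/r 25: file2.txt",
    "d/d 18: \0\0\0\0HFS+ Private Data",
])

FIRST_USER_CNID = 16  # CNIDs 1-15 are reserved (root folder = 2, catalog file = 4, ...)

# fls prints "<type>/<type> [* ]<cnid>: <name>"; the "*" marks a deleted entry.
FLS_LINE = re.compile(
    r"^(?P<type>[a-z-]/[a-z-])\s+(?P<deleted>\*\s+)?(?P<cnid>\d+):\s*(?P<name>.*)$")


def parse_fls(text):
    """Return one (cnid, type, name, deleted) tuple per fls line."""
    entries = []
    for line in text.split("\n"):          # not splitlines(): a name may end in "\r"
        m = FLS_LINE.match(line)
        if m:
            entries.append((int(m.group("cnid")), m.group("type"),
                            m.group("name"), bool(m.group("deleted"))))
    return entries


def user_entries_by_age(entries):
    """Non-reserved entries, oldest first: a higher CNID was created later on
    this volume whatever the time stamps say (until the 32-bit counter wraps)."""
    return sorted(e for e in entries if e[0] >= FIRST_USER_CNID)


def missing_cnids(entries):
    """CNIDs from 16 up to the highest seen that are absent from the listing.
    Each one was allocated to an object this listing does not show: either it
    sits in a subdirectory (fls without -r lists only the root) or it was
    deleted. Run fls -r before treating a gap as evidence of deletion."""
    seen = {e[0] for e in entries if e[0] >= FIRST_USER_CNID}
    if not seen:
        return []
    return sorted(set(range(FIRST_USER_CNID, max(seen) + 1)) - seen)


def printable(name):
    """Escape control characters so the private directory names are visible."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in name)


if __name__ == "__main__":
    found = parse_fls(FLS_OUTPUT)
    for cnid, typ, name, deleted in user_entries_by_age(found):
        print("%s %s%5d  %s" % (typ, "* " if deleted else "", cnid, printable(name)))
    print("CNIDs allocated but not in this listing:", missing_cnids(found))
```

On the listing above this reports CNIDs 22 and 23 as allocated but unseen; only a recursive listing (or carving, see Deleted Data below) can tell whether they are files in a subdirectory or deleted objects.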

Next, we will examine the metadata for a single regular file in detail using istat.

forensics:~$ istat nps-2009-hfsjtest1/image.gen1.dmg 24
Catalog Record: 24
Allocated
Type: File
Mode: rrw-r--r--
Size: 28
uid / gid: 501 / 501
Link count: 1
Admin flags: 0
Owner flags: 0
File type: 0000
File creator: 0000
Text encoding: 0
Resource fork size: 0

Times:
Created: Thu Jan 29 09:33:35 2009
Content Modified: Thu Jan 29 09:33:42 2009
Attributes Modified: Thu Jan 29 09:33:42 2009
Accessed: Thu Jan 29 09:33:35 2009
Backed Up: Wed Dec 31 16:00:00 1969

Data Fork Blocks:
2315

As you can see from the output just given, a catalog record supports five time stamps; however, only the first four are in active use on current HFS+ implementations. HFS+ stores each one as a 32-bit count of seconds since 1 January 1904, and istat converts them to the local time zone of the analysis host, so record that zone alongside any times you report.

Created: Set when the file is created on the volume.

Content Modified: Updated when the file content is modified.

Attributes Modified: Updated when attributes (metadata such as ownership, mode, or extended attributes) associated with the file are modified. This is similar to the inode/metadata change time (ctime) on Linux file systems.

Accessed: Updated when the file content is accessed.

Backed Up: Field is deprecated and usually zero, which istat prints as the Unix epoch in local time (the Wed Dec 31 16:00:00 1969 seen earlier, i.e. an analysis host running at UTC-8).
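
To make the catalog record and its time stamps concrete, here is a decoder for an HFS+ catalog key and file record, added as an example; it is not code from the book or from the Sleuth Kit. The byte layout follows Apple's Technical Note TN1150 (HFSPlusCatalogKey followed by HFSPlusCatalogFile, big-endian). The record it decodes is constructed, with values chosen to mirror the istat output for CNID 24 (file1.txt), rather than read from the image, and the stored dates are treated as UTC (istat prints them in local time, so the 09:33:35 above is taken to be 17:33:35 UTC).

```python
"""Decode an HFS+ catalog key + file record per TN1150 (added example)."""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
HFS_TO_UNIX_EPOCH_SECS = 2082844800   # seconds from 1904-01-01 to 1970-01-01
HFS_PLUS_FILE_RECORD = 2              # kHFSPlusFileRecord
HFS_ROOT_FOLDER_CNID = 2              # kHFSRootFolderID


def hfs_date_to_datetime(secs):
    """HFS+ dates are unsigned 32-bit seconds since 1904-01-01 00:00:00 UTC.
    0 means 'never set'; istat renders it as the Unix epoch in local time."""
    return None if secs == 0 else HFS_EPOCH + timedelta(seconds=secs)


def datetime_to_hfs_date(dt):
    secs = int((dt - HFS_EPOCH).total_seconds())
    if not 0 <= secs < 2 ** 32:
        raise ValueError("date outside the HFS+ 32-bit range")
    return secs


def parse_catalog_key(buf, off=0):
    """keyLength(2) parentID(4) nameLength(2) name(UTF-16BE). The parent CNID
    and the name live in the key, not in the record body."""
    key_len, parent, name_len = struct.unpack_from(">HIH", buf, off)
    name = buf[off + 8:off + 8 + 2 * name_len].decode("utf-16-be")
    return {"parent_cnid": parent, "name": name}, off + 2 + key_len


def parse_fork(buf, off):
    """HFSPlusForkData: logicalSize(8) clumpSize(4) totalBlocks(4) + 8 extents.
    A fork needing more than 8 extents continues in the extents overflow file."""
    logical, _clump, total = struct.unpack_from(">QII", buf, off)
    extents = [struct.unpack_from(">II", buf, off + 16 + 8 * i) for i in range(8)]
    return {"logical_size": logical, "total_blocks": total,
            "extents": [(start, count) for start, count in extents if count]}


def parse_catalog_file_record(buf, off):
    """HFSPlusCatalogFile body (248 bytes) starting at buf[off]."""
    (rec_type, _flags, _res, cnid, created, content_mod, attr_mod,
     accessed, backed_up) = struct.unpack_from(">hHIIIIIII", buf, off)
    if rec_type != HFS_PLUS_FILE_RECORD:
        raise ValueError("record type %d is not a file record" % rec_type)
    uid, gid, admin_flags, owner_flags, mode, _special = struct.unpack_from(
        ">IIBBHI", buf, off + 32)                       # HFSPlusBSDInfo
    file_type, creator = struct.unpack_from(">4s4s", buf, off + 48)  # FileInfo
    text_encoding = struct.unpack_from(">I", buf, off + 80)[0]
    return {
        "cnid": cnid,
        "times": {"created": hfs_date_to_datetime(created),
                  "content_modified": hfs_date_to_datetime(content_mod),
                  "attributes_modified": hfs_date_to_datetime(attr_mod),
                  "accessed": hfs_date_to_datetime(accessed),
                  "backed_up": hfs_date_to_datetime(backed_up)},
        "uid": uid, "gid": gid, "admin_flags": admin_flags,
        "owner_flags": owner_flags, "mode": mode,
        "file_type": file_type, "creator": creator, "text_encoding": text_encoding,
        "data_fork": parse_fork(buf, off + 88),
        "resource_fork": parse_fork(buf, off + 168),
    }


def pack_fork(logical, total_blocks, extents):
    padded = list(extents) + [(0, 0)] * (8 - len(extents))
    return struct.pack(">QII", logical, 0, total_blocks) + b"".join(
        struct.pack(">II", s, c) for s, c in padded)


def build_sample_record():
    """Constructed bytes (not from the image) mirroring istat's view of CNID 24:
    28-byte data fork in allocation block 2315, uid/gid 501, mode 0644."""
    name = "file1.txt".encode("utf-16-be")
    key = struct.pack(">HIH", 4 + 2 + len(name), HFS_ROOT_FOLDER_CNID, len(name) // 2) + name
    created = datetime_to_hfs_date(datetime(2009, 1, 29, 17, 33, 35, tzinfo=timezone.utc))
    modified = created + 7
    body = struct.pack(">hHIIIIIII", HFS_PLUS_FILE_RECORD, 0, 0, 24,
                       created, modified, modified, created, 0)
    body += struct.pack(">IIBBHI", 501, 501, 0, 0, 0o100644, 0)  # HFSPlusBSDInfo
    body += b"\0" * 32                                           # userInfo + finderInfo
    body += struct.pack(">II", 0, 0)                             # textEncoding, reserved2
    body += pack_fork(28, 1, [(2315, 1)]) + pack_fork(0, 0, [])  # data + resource forks
    assert len(body) == 248
    return key + body


def decode_sample():
    buf = build_sample_record()
    key, body_off = parse_catalog_key(buf)
    return key, parse_catalog_file_record(buf, body_off)


if __name__ == "__main__":
    key, rec = decode_sample()
    print("%s (CNID %d, parent CNID %d)" % (key["name"], rec["cnid"], key["parent_cnid"]))
    for label, when in rec["times"].items():
        print("  %-20s %s" % (label + ":", when or "not set"))
    print("  mode %o, data fork %d bytes in extents %s" % (
        rec["mode"] & 0o7777, rec["data_fork"]["logical_size"], rec["data_fork"]["extents"]))
```

Two points the decoder makes visible that the istat output hides: the parent CNID and file name come from the B-tree key rather than the record body, and the "Data Fork Blocks" value is the start of the first of up to eight extents in the record, with anything beyond that living in the extents overflow file.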

Finally, to extract the file content we can use two different methods. First, the indirect method using icat, which follows the fork extents in the catalog record for us:

forensics:~$ icat nps-2009-hfsjtest1/image.gen1.dmg 24
New file 1 contents - snarf

Alternatively, we can dump the allocation block directly using blkcat. The block number appears in the istat output shown earlier under "Data Fork Blocks":

forensics:~$ blkcat nps-2009-hfsjtest1/image.gen1.dmg 2315
New file 1 contents - snarf

The two differ in how much they return: icat stops at the fork's logical size from the catalog record (28 bytes here), whereas blkcat dumps the whole allocation block (the block size reported by fsstat, typically 4 KB on HFS+), so anything after the 28 bytes is slack left by whatever previously occupied the block. blkcat is also the tool to reach for when the catalog record is gone and only the block number is known.

Note that HFS+ volumes are capable of maintaining a journal (the .journal and .journal_info_block files in the fls listing above); at the time of writing, however, there were no open source forensic utilities capable of processing the journal for artifacts.

Tip

DMG/UDIF Containers

The majority of OS X software is distributed as "DMG" files. DMG files are standalone disk-like images in the Universal Disk Image Format (UDIF). UDIF is the native image file format for OS X and, as expected, these image files will generally contain an HFS+ file system. UDIF images can be compressed, sparse, or encrypted. UDIF/DMG images can be examined using HFSExplorer. The Sleuth Kit has no UDIF decoder: the commands in this section work on image.gen1.dmg because it is an uncompressed image, and a compressed or encrypted DMG must first be converted to a raw image (for example with hdiutil convert -format UDRW on an OS X system) before fls, istat, or icat can read it.

Deleted Data

Unfortunately, recovery of deleted files from HFS+ volumes is quite difficult. Because of the constant rebalancing of the B-Tree structures inside of the Catalog


