Monday, March 11, 2013

Mac File System

Hierarchical File System Plus (HFS+)
  • Replaced HFS.
  • Supports much larger files, since lengths are 32-bit values instead of 16-bit.
  • Mac OS X is built on a core called Darwin, which consists of BSD Unix.
  • Mac is Unix based.
  • The primary difference between HFS and HFS+ is that HFS is limited to 512 bytes per volume, whereas HFS+ raised the number of blocks to 4 billion.
  • HFS+ also supports smaller file sizes on larger volumes (resulting in more efficient disk use).
  • Macintosh file systems maintain most of their information in the Catalog and Extents files.
Technologies
  • Bonjour
  • Filevault
  • Spotlight
  • Target Disk Mode
  • Bootcamp
File Manager
  • A utility that handles reading, writing, and storing data on the physical media.
  • It also collects data to maintain the HFS and manipulates files, directories, and other items.
The Finder
  • Another Mac utility that keeps track of files and maintains the user's desktop.
HFS & HFS+
  • Each file consists of two "forks":
    • Data Fork - where data is stored. Typically contains data the user creates.
    • Resource Fork - where file metadata and app information is stored.
      • If a Mac file is copied to a file system that doesn't support resource forks, the fork will be lost (creating a hidden file).
      • Best equated to Windows Alternate Data Streams.
(B. Nelson, 2010)

    • Example: A word processing file might store its text in the data fork, while storing any embedded images in the same file's resource fork. 
    • Resource forks are used mostly by executables, but every file is able to have a resource fork.
    • Either fork can be empty in HFS+. Because the File Manager is in charge of reading and writing information to files, it can access both forks.
    • Resource forks are sometimes used to store a file's metadata, although they can also be used for storing the actual data.
      • Note that the Macintosh file systems also have a separate area for metadata distinct from either the Data or Resource fork. Being part of the catalog entry for the file, this area is much faster to access.
      • Catalog file: contains timestamps and catalog nodes (metadata).
        • A B-tree that contains records for all the files and directories stored in a volume.
        • HFS+ is able to work with larger records, allowing more fields and allowing those fields to be larger than in HFS.
      • Extents Overflow file: another B-tree that records the allocation blocks allocated to each file as extents. Each file record in the Catalog File can record eight extents for each fork of a file; once those are used, additional extents are recorded in the Extents Overflow file.
      • So both resource forks and catalog files can contain a file's metadata.
Mac Volumes
  • A volume is any storage medium used to store files.
  • It can take up part or all of a storage medium.
  • Volumes have allocation blocks and logical blocks.
  • Logical block: a collection of data that can't exceed 512 bytes.
    • When you save a file, the File Manager assigns the file to an allocation block (a group of consecutive logical blocks).
  • Allocation Blocks: HFS divides the total space on a volume into equal-sized pieces called allocation blocks, each usually one logical block.
    • Allocation block numbers are stored as 32-bit integers, with 4 KB as a common block size.
    • As volumes increase in size, one allocation block might be composed of three or more logical blocks. And as the volume grows, so does the amount of unused space.
    • More allocation blocks means a smaller allocation block size,
      • which in turn leaves less wasted space, which means you can have more files.
  • Allocation File: keeps track of which allocation blocks are free and which are in use. It is similar to the Volume Bitmap in HFS, in which each allocation block is represented by one bit.
    • It differs from the HFS Volume Bitmap in that the Allocation File is stored as a regular file; it does not occupy a special reserved space near the beginning of the volume.
      • It tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
  • Volume Header: stores a wide variety of data about the volume itself, for example the size of allocation blocks,
    • timestamps that indicate when the volume was created, and the location of other volume structures such as the Catalog File or Extents Overflow File.
    • The Volume Header is always located in the same place.
The Volume Format:
(Ryan R. Kubasiak, Sean Morrissey, 2009)
From top to bottom is the beginning to the end of the volume. At offset 0 (the beginning) are the Boot Blocks, followed by the Volume Header, and so on.
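To make the Volume Header, fork and extent descriptions above concrete, here is an added example (not from the original post or its sources) that parses an HFS+ volume header from a raw image in Python. It assumes Apple's documented layout (TN1150): a 512-byte big-endian header at byte offset 1024, with the allocation, extents-overflow and catalog fork descriptors holding eight extents each; the disk image it parses is constructed in the block itself.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout per Apple TN1150: the 512-byte HFS+ volume header sits at byte 1024
# of the volume (after the two 512-byte boot blocks); all fields are big-endian.
VH_OFFSET = 1024
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ dates: seconds since 1904
FORK_OFFSETS = {"allocation": 112, "extents": 192, "catalog": 272}  # HFSPlusForkData fields

def hfs_date(secs):
    """Decode a 32-bit HFS+ timestamp. Caveat for examiners: the header's
    createDate is stored in local time (HFS compatibility), the other dates in GMT."""
    return HFS_EPOCH + timedelta(seconds=secs)

def parse_fork(buf, off):
    """HFSPlusForkData: logicalSize(8) clumpSize(4) totalBlocks(4) + 8 extents.
    A fork that needs more than eight extents continues in the Extents Overflow file."""
    logical_size, _clump, total = struct.unpack_from(">QII", buf, off)
    extents = [struct.unpack_from(">II", buf, off + 16 + 8 * i) for i in range(8)]
    return {"logical_size": logical_size, "total_blocks": total,
            "extents": [(start, count) for start, count in extents if count]}

def extent_byte_ranges(fork, block_size):
    """Translate (startBlock, blockCount) extents into (byte offset, byte length)."""
    return [(s * block_size, c * block_size) for s, c in fork["extents"]]

def parse_volume_header(image):
    vh = image[VH_OFFSET:VH_OFFSET + 512]
    if vh[:2] not in (b"H+", b"HX"):            # 'H+' = HFS+, 'HX' = case-sensitive HFSX
        raise ValueError("no HFS+ signature at offset 1024: %r" % vh[:2])
    (_ver, _attr, _last, _journal, created, modified, _backup, _checked,
     files, folders, block_size, total_blocks, free_blocks) = struct.unpack_from(">H" + "I" * 12, vh, 2)
    return {"block_size": block_size, "total_blocks": total_blocks, "free_blocks": free_blocks,
            "volume_bytes": block_size * total_blocks, "files": files, "folders": folders,
            "created": hfs_date(created), "modified": hfs_date(modified),
            **{name: parse_fork(vh, off) for name, off in FORK_OFFSETS.items()}}

def build_sample_image():
    """Constructed sample, not a real disk image: boot blocks zeroed, header filled in."""
    hdr = bytearray(512)
    struct.pack_into(">2sH" + "I" * 12, hdr, 0, b"H+", 4, 0x80000100, 0x31302E30, 0,
                     3_000_000_000, 3_000_000_100, 0, 0, 10, 3, 4096, 25600, 20000)
    # Catalog file fork: 1 MiB logical size in 256 blocks, split over two extents.
    struct.pack_into(">QIIIIII", hdr, FORK_OFFSETS["catalog"], 1 << 20, 1 << 20, 256, 96, 128, 512, 128)
    return bytes(VH_OFFSET) + bytes(hdr)

if __name__ == "__main__":
    info = parse_volume_header(build_sample_image())
    print(info["block_size"], info["created"], extent_byte_ranges(info["catalog"], info["block_size"]))
```

Swap `build_sample_image()` for the bytes of a real volume image (at least the first 1536 bytes) to get the block size, counts and catalog-file location of that volume.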

Additional Terms
HFS Wrapper: made so that older versions remain compatible with newer versions.
Startup File: allows for storing large blocks of variable size in extent headers.
Alternate Volume Header: if the startup volume header is corrupt, this acts as a backup.
Inodes: central location for data that is shared between hard links on a volume.
Property lists (plist): the greatest source of information for settings and configuration. They are often simple text files formatted in XML to be read on the system. They contain strings and encoded binary. (I will discuss examination of these valuable files at a later time).
Keychain: Apple's password management system, which also stores other types of data for websites, FTP servers, SSH accounts, encrypted disk images, and certificates.

Sources
Guide to Computer Forensics and Investigations, 2010
Wikipedia: http://en.wikipedia.org/wiki/HFS_Plus
Handbook of Digital Forensics and Investigations, 2010
Mac OS X, iPod, and iPhone Analysis Toolkit, 2009