
1

EXAMINING MAC FILE STRUCTURES

2

Understanding Macintosh File Structures
• Current Mac OS X version 10.12
  • Code-named Sierra
  • Themed: cats, Yosemite, mountain theme
• Mac OS X is built on a core called Darwin
  • Consists of a Berkeley Software Distribution (BSD) UNIX application layer
• With OS X, Macintosh moved to the Intel processor and became UNIX based
• Before OS X, Hierarchical File System (HFS)
  • Files stored in nested directories (folders)
• Extended Format File System (HFS+)
  • Introduced with Mac OS 8.1
  • Supports smaller file sizes on larger volumes, resulting in more efficient disk use

3

An Overview of Mac File Structures
• In Mac, a file consists of two parts:
  • Data fork and resource fork
• The data fork typically contains data the user creates, such as text or spreadsheets
  • Applications also read and write to the data fork
• The resource fork typically contains data in a specific form, containing details such as icon bitmaps, the shapes of windows, definitions of menus and their contents, Finder data, and application code
  • Stores file metadata and application information
• For example, a word processing file might store its text in the data fork, while storing any embedded images in the same file's resource fork

4

An Overview of Mac Volumes
• A volume is any storage medium used to store files
  • It can be all or part of the storage media for hard disks
• Volumes have allocation and logical blocks
  • Logical blocks cannot exceed 512 bytes
  • Allocation blocks are a set of consecutive logical blocks
• Two end of file (EOF) descriptors
  • Logical EOF
    • Actual size of the file
  • Physical EOF
    • The number of allocation blocks for that file

5

An Overview of Mac Volumes (cont.)
• Clumps
  • Groups of contiguous allocation blocks
  • Reduce fragmentation
• First two logical blocks, 0 and 1, serve as boot blocks
• Master Directory Block (MDB) or Volume Information Block (VIB)
  • Stores all information about a volume
• Volume Control Block (VCB)
  • Stores information from the MDB when the OS mounts the volume
• Extents overflow file
  • Stores any file information not in the MDB or a VCB
• Catalog
  • The listing of all files and directories on the volume
  • Maintains relationships between files and directories
• B*-tree file system in earlier Mac versions
  • Actual file data is stored on the leaf nodes
  • B*-tree also uses header, index, and map nodes
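The volume header fields the slides describe (block size, the catalog and extents overflow files as forks, logical versus physical EOF) can be read straight from a disk image. The following is an added example, not part of the slide deck: it parses the HFS+ volume header at byte offset 1024 using the field layout from Apple Technical Note TN1150 and runs against a constructed sample image, so no real disk is needed. The field order and sizes are real; the sample values are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS/HFS+ timestamps count seconds from 1904
HEADER_OFFSET = 1024                                    # the volume header starts 1024 bytes into the volume
HEADER = ">HH17IQ8I"      # fixed fields through finderInfo: 112 bytes (layout per Apple TN1150)
FORK = ">QII16I"          # HFSPlusForkData: logicalSize, clumpSize, totalBlocks, 8 (startBlock, blockCount) extents
FORK_NAMES = ["allocation", "extents", "catalog", "attributes", "startup"]

def parse_fork(buf, block_size):
    """Decode one 80-byte fork record; physical_size is the allocated size (physical EOF)."""
    f = struct.unpack(FORK, buf)
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8) if f[4 + 2 * i]]
    return {"logical_size": f[0], "clump_size": f[1], "total_blocks": f[2],
            "physical_size": f[2] * block_size, "extents": extents}

def parse_volume_header(volume):
    """Parse the HFS+ volume header; refuse classic HFS (MDB signature 'BD') and unknown signatures."""
    hdr = volume[HEADER_OFFSET:HEADER_OFFSET + 512]
    sig = hdr[:2]
    if sig == b"BD":
        raise ValueError("classic HFS master directory block (MDB), not an HFS+ volume header")
    if sig not in (b"H+", b"HX"):
        raise ValueError(f"unrecognised volume signature {sig!r}")
    f = struct.unpack(HEADER, hdr[:112])
    block_size = f[11]
    mod = (MAC_EPOCH + timedelta(seconds=f[6])).isoformat()   # modifyDate, treated as UTC here
    forks = {name: parse_fork(hdr[112 + 80 * i:192 + 80 * i], block_size)
             for i, name in enumerate(FORK_NAMES)}
    return {"signature": sig.decode(), "version": f[1], "journal_info_block": f[4],
            "file_count": f[9], "folder_count": f[10], "block_size": block_size,
            "total_blocks": f[12], "free_blocks": f[13], "free_bytes": f[13] * block_size,
            "next_catalog_id": f[17], "modify_date": mod, "forks": forks}

def build_sample_volume():
    """Constructed sample image (not from a real disk): zeros, then an HFS+ header at offset 1024."""
    secs = int((datetime(2017, 3, 1, tzinfo=timezone.utc) - MAC_EPOCH).total_seconds())
    fixed = struct.pack(HEADER, 0x482B, 4, 0, 0, 0,            # 'H+', version 4, no journal
                        secs, secs, 0, secs,                  # create, modify, backup, checked dates
                        42, 7, 4096, 1000, 400, 600,          # files, folders, block size, total, free, next alloc
                        65536, 65536, 100, 5, 1, *([0] * 8))  # clump sizes, next CNID, write count, encodings, finderInfo
    empty = struct.pack(FORK, *([0] * 19))
    # Catalog file: 1,000,000 bytes in use (logical EOF) held in 245 blocks of 4096 from block 300 (physical EOF)
    catalog = struct.pack(FORK, 1_000_000, 1_048_576, 245, 300, 245, *([0] * 14))
    return bytes(1024) + fixed + empty + empty + catalog + empty + empty + bytes(512)

if __name__ == "__main__":
    info = parse_volume_header(build_sample_volume())
    cat = info["forks"]["catalog"]
    print(info["signature"], info["block_size"], cat["logical_size"], cat["physical_size"], cat["extents"])
```

The difference between the catalog's logical size and its physical size is the slack at the end of its last allocation block, which is why an examiner reads the fork record rather than trusting the byte count alone.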

6

Forensics Procedures in Mac
• There are some differences between Linux and Mac OS X file systems
  • Linux has the /home/username and /root directories
  • In Mac, the folders are /users/username and /private/var/root
  • The /home directory exists in the Mac OS but it is empty
• Mac users have limited access to other user accounts' files and the guest account is disabled
• For forensics procedures in Mac OS X:
  • You must know where file system components are located and how both files and file components are stored

7

Key Mac Files
• Application settings are in three formats:
  • Plaintext, plist files, and the SQLite database
• Plist files are preference files for installed applications on a system
• FileVault is used to encrypt and decrypt a user's /users directory
• Keychains
  • Files used to manage passwords for applications, Web sites, Wi-Fi, Remote Desktop, and other system files
• Deleted files are in the Trashes folder
  • If a file is deleted at the command line, however, it doesn't show up in the trash

8

Macintosh Acquisition Methods
• Make an image of the drive
  • Static acquisition of the suspect drive is preferable to a live acquisition
• Removing the drive from a Macintosh Mini's CPU case is difficult
  • Attempting to do so without Apple factory training could damage the computer
• Use a Macintosh-compatible forensic boot CD to make an image
  • MacQuisition is a forensic boot CD that makes an image of a Macintosh drive
• Being able to turn off the auto mount function in OS X (disable Disk Arbitration)
  • Allows you to connect a suspect drive to a Macintosh forensic workstation without a write-blocking device, i.e., Linux vs. Windows

9

Macintosh Forensic Tools and Vendors
• BlackBag Technologies Macintosh Forensic Software (OS X only)
  • Acquisition products specifically designed for OS 9 and earlier
  • As well as OS X
• SubRosaSoft MacForensicsLab (OS X only)
• Guidance EnCase
• X-Ways Forensics
• AccessData FTK

10

Summary
• Before Mac OS X, the file systems HFS and HFS+ were used
• In Mac, a file consists of two parts: a data fork and a resource fork
• A volume is any storage medium used to store files
• Plist files are files for installed applications on a Mac system
• The biggest challenge in acquiring images from Mac systems is often physical access to the drive
• Linux forensic tools are often free
