DFIR Blog

Filesystem HFS+/APFS

4/4/2018

Filesystem
HFS+ (Hierarchical File System Plus) (1998 – 2018)
  • macOS 10.12 and earlier
  • iOS 10.2 and earlier
  • Big endian (flip the byte order in the hex editor)
 
APFS (Apple File System)
  • macOS 10.13 and later
  • iOS 10.3 and later
  • Similar to HFS+, with additions such as more deeply nested structures
  • Keep an eye on the blog
 
HFS+ Volume Header & Special Files
  • Catalog File (forensics gold) – B-tree
  • Extents Overflow File – B-tree
  • Attributes File (forensics gold) – B-tree

Volume Header & Example
  • Lots of metadata
  • View it with fsstat or hdiutil
 
B-Trees
Think of a B-tree as a flat file.
  • Also used in APFS
  • Used by the Catalog, Attributes and Extents Overflow files
  • Used for efficient searching of stored data
  • Made up of nodes, records, keys (Catalog ID – a unique value) and data
  • Records are ordered by key
  • Header node (node kind is always 1, and it is always node 0)
  • Map node (records which nodes of the tree are allocated)
  • Index nodes act like pointers
  • Leaf node (forensic gold) – this is where the filesystem metadata lives
  • Read pages 18-19
  • A node kind byte of FF denotes a leaf node
  • A node kind byte of 01 denotes the header node
Leaf Node
  • Bottom of the tree
  • Key length – always 2 bytes in HFS+
  • Null bytes of padding appear at irregular positions
Catalog File
  • Holds the filesystem metadata
  • CNID (Catalog Node ID), the HFS+ equivalent of an inode number
  • The first 15 CNIDs are reserved by Apple
  • CNID 4 is the Catalog File
  • CNID 6 is the Allocation File
  • Sorted by CNID
  • The Sleuth Kit is used to extract the catalog file
  • Use mmls to find the partition offset
Catalog file key
  • 2 bytes | Key length
  • 4 bytes | Parent CNID
  • Variable | Node name (file name)
  • Folder record
  • File record
  • Extents Overflow File
  • kMDItemWhereFroms – records where a file downloaded via the Internet came from
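As an added example (not part of the original post), the following Python parses the two HFS+ structures described above, the B-tree node descriptor with its node kind byte and a catalog file key, reading every field big endian. The node name is decoded as a 2-byte UTF-16 character count followed by UTF-16BE text, which is how HFS+ stores it; the sample bytes are constructed here, not taken from a real volume.

```python
import struct

# Node kind byte values from the HFS+ B-tree node descriptor.
NODE_KINDS = {0xFF: "leaf", 0x00: "index", 0x01: "header", 0x02: "map"}


def parse_node_descriptor(buf: bytes) -> dict:
    """Parse the 14-byte node descriptor that starts every B-tree node.
    HFS+ on-disk integers are big endian, hence the '>' in the format."""
    flink, blink, kind, height, num_records = struct.unpack_from(">IIBBH", buf, 0)
    return {
        "fLink": flink, "bLink": blink,
        "kind": NODE_KINDS.get(kind, "unknown"),
        "height": height, "numRecords": num_records,
    }


def parse_catalog_key(buf: bytes, offset: int = 0) -> dict:
    """Parse one catalog key: 2-byte key length, 4-byte parent CNID, then the
    node name as a 2-byte UTF-16 character count followed by UTF-16BE text."""
    key_len, parent_cnid, name_len = struct.unpack_from(">HIH", buf, offset)
    name_start = offset + 8
    name = buf[name_start:name_start + 2 * name_len].decode("utf-16-be")
    # The key length counts every byte after the 2-byte length field itself.
    if key_len != 4 + 2 + 2 * name_len:
        raise ValueError(f"key length {key_len} does not match a {name_len}-char name")
    return {"keyLength": key_len, "parentCNID": parent_cnid, "nodeName": name}


def build_catalog_key(parent_cnid: int, name: str) -> bytes:
    """Helper used only to construct sample input for this example."""
    encoded = name.encode("utf-16-be")
    return struct.pack(">HIH", 4 + 2 + len(encoded), parent_cnid, len(encoded) // 2) + encoded


# Constructed sample: a leaf node descriptor (kind FF, one record, 2 reserved bytes)
# followed by one key for a file named "report.pdf" with parent CNID 2 (root folder).
SAMPLE_NODE = (struct.pack(">IIBBH", 0, 0, 0xFF, 1, 1) + b"\x00\x00"
               + build_catalog_key(2, "report.pdf"))

if __name__ == "__main__":
    print(parse_node_descriptor(SAMPLE_NODE))
    print(parse_catalog_key(SAMPLE_NODE, 14))
```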
 