Filesystem
HFS+ (Hierarchical File System Plus) (1998 – 2018)
- macOS 10.12 and earlier
- iOS 10.2 and earlier
- On-disk structures are big-endian (flip the byte order when reading values in a hex editor)
APFS (Apple File System)
- macOS 10.13 and later
- iOS 10.3 and later
- Similar to HFS+, with additional features and more deeply nested structures
- Keep an eye on the blog
HFS+ Volume Header & Special Files
- Catalog File (Forensics Gold) – B-tree
- Extents Overflow File – B-tree
- Attributes File (Forensics Gold) – B-tree
Volume Header & Example
- Lots of metadata
- Inspect with fsstat (Sleuth Kit) or hdiutil
B-Trees
- Think of it as a FLAT file
- Also used in APFS
- Used by Catalog, Attributes, Extents Overflow File
- Used for efficiency in searching stored data
- Made up of nodes, records, keys (Catalog ID – a unique value) & data
- Records are ordered by key
- Header node (always one, always node 0)
- Map node (tracks which nodes of the tree are allocated)
- Index node – its data acts like pointers to child nodes
- Leaf node (Forensic Gold) – this is what contains the filesystem metadata.
- Read pages 18-19
- A kind value of 0xFF in the node descriptor marks a leaf node
- A kind value of 0x01 marks the header node
- Leaf nodes sit at the bottom of the tree
- Key length field – always 2 bytes in HFS+
- Expect null bytes used as padding
- Leaf records hold the file system metadata
- CNID (Catalog Node ID), the equivalent of an inode number
- First 15 reserved by Apple
- CNID 4 is the Catalog File
- CNID 6 is the Allocation File
- Sorted by CNID
- The Sleuth Kit is used to extract the catalog file
- Use mmls to find the partition offset
- Catalog key layout:
- 2 bytes | Key length
- 4 bytes | Parent CNID
- Variable | Node name (file name)
- Folder Record
- File Record
- Extents Overflow File
- kMDItemWhereFroms – extended attribute recording where a file downloaded via the Internet came from
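To tie the notes together, here is an added Python example (not from the course material) that parses the big-endian B-tree node descriptor and one catalog leaf record using the layout above: 2-byte key length, 4-byte parent CNID, UTF-16BE node name, then the record type. The sample node bytes are constructed inline, not taken from a real image.

```python
import struct

# BTNodeDescriptor.kind values from Apple TN1150: 0xFF (-1) leaf, 0 index, 1 header, 2 map
NODE_KINDS = {-1: "leaf", 0: "index", 1: "header", 2: "map"}
# Catalog leaf record types: the first 2 bytes of the data that follows the key
RECORD_TYPES = {1: "folder", 2: "file", 3: "folder thread", 4: "file thread"}

def parse_node_descriptor(buf):
    """Parse the 14-byte node descriptor at offset 0 of every B-tree node.
    HFS+ is big-endian, hence '>' in the format string (no byte flipping by hand)."""
    flink, blink, kind, height, nrecs, _reserved = struct.unpack_from(">IIbBHH", buf, 0)
    return {"fLink": flink, "bLink": blink, "kind": NODE_KINDS.get(kind, "unknown"),
            "height": height, "numRecords": nrecs}

def parse_catalog_record(buf, offset):
    """Parse one catalog leaf record: HFSPlusCatalogKey (2-byte keyLength, 4-byte parent
    CNID, 2-byte name length, UTF-16BE name) followed by the 2-byte record type."""
    key_len, parent_cnid, name_chars = struct.unpack_from(">HIH", buf, offset)
    # keyLength excludes its own 2 bytes: 4 (parent CNID) + 2 (name count) + 2 per UTF-16 unit
    if key_len != 6 + 2 * name_chars:
        raise ValueError(f"keyLength {key_len} does not match name length {name_chars}")
    name_off = offset + 8
    name = buf[name_off:name_off + 2 * name_chars].decode("utf-16-be")
    data_off = offset + 2 + key_len          # record data starts right after the key
    (rec_type,) = struct.unpack_from(">H", buf, data_off)
    return {"parentCNID": parent_cnid, "name": name,
            "recordType": RECORD_TYPES.get(rec_type, "unknown"), "dataOffset": data_off}

def build_sample_leaf_node():
    """Constructed sample (not from a real image): a leaf node holding one file record
    named 'Test.txt' whose parent is CNID 2 (the root folder)."""
    desc = struct.pack(">IIbBHH", 0, 0, -1, 1, 1, 0)        # kind -1 = 0xFF = leaf
    name = "Test.txt".encode("utf-16-be")
    key = struct.pack(">HIH", 6 + len(name), 2, len(name) // 2) + name
    record = struct.pack(">H", 2)                           # kHFSPlusFileRecord
    return desc + key + record

if __name__ == "__main__":
    node = build_sample_leaf_node()
    print(parse_node_descriptor(node))
    print(parse_catalog_record(node, 14))   # first record follows the 14-byte descriptor
```

On a real catalog file the record offsets come from the offset table at the end of each node; the sample here simply places the one record right after the descriptor.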