Re: [sleuthkit-users] (no subject)
From: Judson P. <jp...@at...> - 2012-03-20 03:57:52
Greg,

The short answer is that SleuthKit does not support obtaining any information about deleted files on HFS+.

The reason for this (the long answer) is that HFS+ does not use a mark-as-deleted system for deleting files. In HFS+, both file metadata and the disk's entire directory structure are stored in a b-tree file, the Catalog B-Tree. (Technically, in the leaf nodes of the b-tree.) When files are deleted, their entries are removed from the b-tree and the leaf node is rewritten. The leaf nodes always appear to be compact -- that is, there are no gaps between entries where deleted entries might live. So, you would only possibly see deleted-file information in the unused space at the end of a node or in unused nodes (which could be produced by deleting a directory). That's only the case if Mac OS X doesn't zero those areas when rewriting them. I haven't looked into whether such an approach would actually produce usable data.

-- Judson

________________________________
From: Greg Grasmehr [mailto:gre...@ya...]
Sent: Monday, March 19, 2012 9:31 PM
To: sle...@li...
Subject: [sleuthkit-users] (no subject)

Greetings,

I have quite a bit of experience with Windows and *nix and have been recently working with MacOS X. What strikes me as immediately noticeable about the most recent timeline of a MacOS X hfs+ image is that there is absolutely no file or directory deleted information, as would usually be printed when creating timelines of Windows or Linux systems, such as deleted or deleted-realloc in case of inode reallocation. I find nothing of the sort in the timeline for the MacOS disk.

Seeing as I have retrieved some files from unallocated space, I am concerned that the timeline output is inaccurate and am wondering if it is usually the case where lines will be marked to signify deletions and reallocations for files and directories when working with hfs+, similar to NTFS or ext. In general I am interested in learning if the timeline will show every path that has existed on the MacOS X hfs+ partition regardless of whether it has been deleted, or if I can be sure I am missing data generally found in a properly rendered timeline when dealing with other formats because this is a Mac disk.

Thanks in advance for any reply,

Greg
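The "unused space at the end of a node" that Judson describes is something an examiner can check directly. The following is an added example, not SleuthKit code and not from either poster: it reads the HFS+ B-tree node descriptor and record-offset table (layout per Apple TN1150) to find the free region of a catalog leaf node, then carves any catalog key plus record type that survived a rewrite there. It assumes a 4096-byte node size and a leaf node already extracted from the Catalog File; the sample node, including the stale "secret.doc" entry, is constructed in the script.

```python
import struct
NODE_SIZE = 4096   # assumed catalog node size; the real value lives in the B-tree header node
LEAF_NODE = 0xFF   # node-descriptor 'kind' of a leaf node (kBTLeafNode, -1 as a signed byte)

def leaf_free_region(node):
    """(start, end) of the unused bytes between the last live record and the offset table."""
    kind, num_records = struct.unpack_from(">8xBxH", node, 0)   # skip fLink/bLink and height
    if kind != LEAF_NODE:
        return None
    # Record offsets are u16s packed backwards from the node end; the entry after the last
    # record's offset is the offset of the first free byte (TN1150).
    table = len(node) - 2 * (num_records + 1)
    return struct.unpack_from(">H", node, table)[0], table

def carve_catalog_records(blob, base=0):
    found = []
    for i in range(len(blob) - 9):
        # HFSPlusCatalogKey: keyLength(u16) parentID(u32) nodeName(u16 length + UTF-16BE text)
        key_len, parent, name_len = struct.unpack_from(">HIH", blob, i)
        if parent == 0 or name_len > 255 or key_len != 6 + 2 * name_len:
            continue
        end = i + 2 + key_len
        if end + 2 > len(blob):
            continue
        rec_type = struct.unpack_from(">h", blob, end)[0]   # 1 folder, 2 file, 3/4 thread
        if rec_type in (1, 2, 3, 4):
            name = blob[i + 8:end].decode("utf-16-be", "replace")
            found.append((base + i, parent, rec_type, name))
    return found

def scan_leaf_node(node):
    # Residual (offset, parentID, type, name) tuples carved from the node's free region.
    region = leaf_free_region(node)
    return [] if region is None else carve_catalog_records(node[region[0]:region[1]], region[0])
def catalog_key(parent, name):
    enc = name.encode("utf-16-be")
    return struct.pack(">HIH", 6 + len(enc), parent, len(name)) + enc

def build_sample_node():
    # Constructed node: two live file records, plus a stale record that a rewrite did not zero.
    live = [catalog_key(2, n) + struct.pack(">h", 2) + bytes(246) for n in ("a.txt", "b.txt")]
    stale = catalog_key(18, "secret.doc") + struct.pack(">h", 2) + bytes(246)
    body = bytearray(NODE_SIZE)
    struct.pack_into(">IIBBHH", body, 0, 0, 0, LEAF_NODE, 1, len(live), 0)  # node descriptor
    rec_len, pos = len(live[0]), 14
    body[pos:pos + 2 * rec_len] = b"".join(live)
    offsets, pos = [pos, pos + rec_len], pos + 2 * rec_len
    body[pos + 40:pos + 40 + len(stale)] = stale
    for i, off in enumerate(offsets + [pos]):     # last table entry = free-space offset
        struct.pack_into(">H", body, NODE_SIZE - 2 * (i + 1), off)
    return bytes(body)
```

Run over every leaf node of a real Catalog File, an all-zero free region on each node answers Judson's open question for that image (the OS did zero it), while any carved entries are the only deleted-name evidence HFS+ leaves behind and still carry no timestamps unless the full record survived.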