Re: [sleuthkit-users] (no subject)
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] (no subject)
|
From: L. G. 'P. <po...@lg...> - 2012-03-20 12:40:49
|
Stefan, In "iOS Forensic Analysis (for iPhone, iPad and iPod touch)" by Sean Morrissey (Apress, 2010) there is a chapter (page 25 and more specifically pages 33-onwards) dedicated to the HFSX filesystem, which has a lot in common with HFS+. I think it may be helpful. -- Luis Gómez 'Pope' Enviado con Sparrow (http://www.sparrowmailapp.com/?sig) El martes 20 de marzo de 2012 a las 12:09, Stefan Kelm escribió: > Judson, > > > The reason for this (the long answer) is that HFS+ does not use a > > mark-as-deleted system for deleting files. In HFS+, both file metadata and > > the disk's entire directory structure are stored in a b-tree file, the > > Catalog B-Tree. (Technically, in the leaf nodes of the b-tree.) When files > > [...] > > > > > Thanks a lot for sharing that information. Do you have a source for that > info, or to put it differently, are there any (current) forensics books > on HFS+? > > Cheers, > > Stefan. > > -- > Stefan Kelm <sk...@bf... (mailto:sk...@bf...)> > BFK edv-consulting GmbH http://www.bfk.de/ > Kriegsstrasse 100 Tel: +49-721-96201-1 > D-76133 Karlsruhe Fax: +49-721-96201-99 > > ------------------------------------------------------------------------------ > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
