[sleuthkit-developers] Macintosh disks, Apple Partition Map problem
From: Edward D. <eld...@tr...> - 2016-09-17 13:35:30
The code in tsk/vs/mac.c, in the mac_load_table function, marks every partition in an Apple Partition Map as an allocated partition unless the status field of the partition map entry is 0. Since the description of the Apple Partition Map at Wikipedia ( https://en.wikipedia.org/wiki/Apple_Partition_Map#Partition_status ) basically implies that this field is never 0, all partitions in the Apple Partition Map are marked as allocated. Then, when walking through the entries in an attempt to find files in these volumes, failure occurs unless the partition map entry is an HFS/HFS+ partition. The attempt to find files on the Macintosh disk always fails for this reason. Therefore tsk_loaddb and tsk_recover always fail on images of Macintosh disks. Is this a known problem of SleuthKit? Is trying to find files on a Macintosh disk essentially broken because of this failure, so that finding files for the Macintosh only works when the image is a single logical HFS/HFS+ partition instead of an entire Macintosh disk?
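
The situation described in the post above, as an added example that is not part of the original message and is not The Sleuth Kit's code: a small Apple Partition Map parser that compares the "allocated unless status is 0" rule with a check on the entry's type string. The entry layout is the commonly documented APM format; the sample image, its status values, the 512-byte block size, and the names `parse_apm`, `triage` and `FS_TYPES` are assumptions made for illustration.

```python
import struct

SECTOR = 512                # assumed block size of the constructed image
# sig, pad, map entry count, start, size, name, type, data start, data size, status
ENTRY = ">2sHIII32s32sIII"
FS_TYPES = {"Apple_HFS"}    # assumption: type string used for HFS/HFS+ volumes

def make_entry(count, start, size, name, ptype, status):
    """Build one constructed partition map entry, padded to a full block."""
    raw = struct.pack(ENTRY, b"PM", 0, count, start, size,
                      name.encode(), ptype.encode(), 0, size, status)
    return raw.ljust(SECTOR, b"\0")

def parse_apm(image):
    """Parse the map that starts at block 1; each entry carries the entry count."""
    entries, total, idx = [], 1, 0
    while idx < total:
        off = SECTOR * (idx + 1)
        if off + struct.calcsize(ENTRY) > len(image):
            raise ValueError("partition map runs past end of image")
        sig, _, total, start, size, name, ptype, _, _, status = \
            struct.unpack_from(ENTRY, image, off)
        if sig != b"PM":
            raise ValueError(f"bad signature in map entry {idx}")
        entries.append({
            "start": start, "size": size, "status": status,
            "name": name.split(b"\0")[0].decode("ascii", "replace"),
            "type": ptype.split(b"\0")[0].decode("ascii", "replace"),
        })
        idx += 1
    return entries

def triage(entries):
    """Per entry: (type, allocated by status != 0, type names a file system)."""
    return [(e["type"], e["status"] != 0, e["type"] in FS_TYPES) for e in entries]

# Constructed sample: block 0 left empty, then three map entries.
SAMPLE = b"\0" * SECTOR + b"".join([
    make_entry(3, 1, 63, "Apple", "Apple_partition_map", 0x03),
    make_entry(3, 64, 56, "Macintosh", "Apple_Driver43", 0x7F),
    make_entry(3, 120, 4096, "MacOS", "Apple_HFS", 0x33),
])

if __name__ == "__main__":
    for ptype, by_status, by_type in triage(parse_apm(SAMPLE)):
        print(f"{ptype:22} allocated_by_status={by_status} has_fs_by_type={by_type}")
```

On the constructed image every entry passes the status test, while only the `Apple_HFS` entry is one a file-system walker could open.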