Re: [sleuthkit-developers] Macintosh disks, Apple Partition Map problem
From: Jon S. <jo...@li...> - 2016-09-17 15:02:27
The system partition filesystem types are unknown and TSK can't process them (probably not a big loss as they're just boot partitions). I don't know about the behavior of tsk_recover and tsk_loaddb, but there's no inherent reason why the HFS+ partitions can't be accessed and processed.

Jon

> On Sep 17, 2016, at 9:35 AM, Edward Diener <eld...@tr...> wrote:
>
> The code in tsk/vs/mac.c in the mac_load_table function marks every
> partition in an Apple Partition Map as an allocated partition unless the
> entry for the status partition field of the partition map entry is 0.
> Since the description for the Apple Partition Map at Wikipedia (
> https://en.wikipedia.org/wiki/Apple_Partition_Map#Partition_status )
> basically implies that this field is never 0, all partitions in the
> Apple Partition Map are marked as allocated.
>
> Then when walking through the entries an attempt to find files in these
> volumes, failure occurs unless the partition map entry is an HFS/HFS+
> partition. For the attempt to find files on the Macintosh disk failure
> always occurs because of this reason. Therefore tsk_loaddb and
> tsk_recover always fail on images of Macintosh disks.
>
> Is this a known problem of SleuthKit? Is essentially trying to find
> files on a Macintosh disk broken because of this failure, so that
> finding files for the Macintosh only works when the image is a single
> logical HFS/HFS+ partition instead of an entire Macintosh disk?
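
The point discussed in this thread, as an added example that is not part of the original messages and is not SleuthKit code: a stand-alone Apple Partition Map reader showing that every entry carries a non-zero status, so the type string is what separates boot/driver partitions from HFS/HFS+ volumes. It assumes 512-byte blocks and the standard big-endian entry layout; the sample map, its names and its status values are constructed.

```python
import struct

SECTOR = 512  # assumed block size; map entries start at block 1, one per block
# Big-endian entry: signature, pad, entry count, start, length, name, type,
# logical data start, logical data length, status
ENTRY = struct.Struct(">2sHIII32s32sIII")
FS_TYPES = {"Apple_HFS"}  # type string carried by HFS and HFS+ volumes


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_apm(image):
    """Return one dict per Apple Partition Map entry in the image bytes."""
    entries, total = [], 1
    while len(entries) < total:
        off = (len(entries) + 1) * SECTOR
        block = image[off:off + ENTRY.size]
        if len(block) < ENTRY.size:
            raise ValueError("partition map runs past end of image")
        sig, _, total, start, length, name, ptype, _, _, status = ENTRY.unpack(block)
        if sig != b"PM":
            raise ValueError(f"bad signature at block {len(entries) + 1}")
        entries.append({"name": _text(name), "type": _text(ptype),
                        "start": start, "length": length, "status": status})
    return entries


def filesystem_candidates(entries):
    """Select by type string; status alone does not separate boot/driver
    partitions from volumes that hold a file system."""
    return [e for e in entries if e["type"] in FS_TYPES]


def _entry(total, start, length, name, ptype, status):
    raw = ENTRY.pack(b"PM", 0, total, start, length,
                     name.encode(), ptype.encode(), 0, length, status)
    return raw.ljust(SECTOR, b"\0")


# Constructed sample: block 0 (driver descriptor) zeroed, then three map entries.
SAMPLE = bytes(SECTOR) + b"".join([
    _entry(3, 1, 63, "Apple", "Apple_partition_map", 0x03),
    _entry(3, 64, 56, "Macintosh", "Apple_Driver43", 0x33),
    _entry(3, 120, 1000, "MacOS", "Apple_HFS", 0x40000033),
])

if __name__ == "__main__":
    for e in parse_apm(SAMPLE):
        keep = "process" if e in filesystem_candidates([e]) else "skip"
        print(f'{e["name"]:<10} {e["type"]:<20} status=0x{e["status"]:08x} {keep}')
```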