Archive for November, 2010

Advanced HFS+ Forensics and Content Recovery

Monday, November 22nd, 2010

Besides its other capabilities, fileXray has an extensive feature set geared for HFS+ file system forensics. This is a quick overview of the relevant features—details can be found in the fileXray User Guide and Reference ebook. To begin with, the --disallow_mounting option provides a convenient solution to an often cited problem: that of preventing volumes [...]

fileXray Example: The Mach-O Filter

Monday, November 15th, 2010

fileXray contains over two dozen built-in “filters” that allow you to locate file system objects on an HFS+ volume using a variety of criteria. A filter is a piece of code that gets executed by fileXray for each file system object as fileXray rapidly runs through the entire file system hierarchy of an HFS+ volume. [...]

fileXray Example: FreespaceFS

Thursday, November 11th, 2010

In a previous blog post we saw how the trawling mechanism in fileXray provides a way of looking for patterns on an HFS+ volume. There are times when you really must be able to just manually “go through” the free (unallocated) space in a volume. Perhaps you are an end user who wants to look [...]

fileXray Example: Disallowing Automatic Mounting

Wednesday, November 10th, 2010

By default, the Disk Arbitration mechanism in Mac OS X probes newly discovered storage devices for mountable volumes. Mounting an HFS+ volume in read-write mode, which is the default, will modify the volume in question because both low-level and high-level file system activity can occur at mount time. For example, timestamps and counters can get [...]

fileXray Example: ArbitraryFS

Monday, November 8th, 2010

One of fileXray’s features is that it uses virtual file systems to provide access to certain types of volume information. The Trawling for Data blog post contained a mention of ArbitraryFS, which is one of the several such file systems built into fileXray. Let us look at ArbitraryFS in a little more detail. ArbitraryFS contains [...]

fileXray Example: Trawling for Data

Friday, November 5th, 2010

fileXray provides several ways of looking for elusive or missing data on an HFS+ volume. One of these ways is fileXray’s trawling mechanism, wherein it will scan a volume looking for blocks that match “magic” patterns (signatures) contained in a given query file. You don’t usually need to come up with the patterns—fileXray understands the [...]

fileXray Example: Who Owns This Byte?

Thursday, November 4th, 2010

Suppose you want to know which file or folder (if any) “owns” a given byte on an HFS+ volume. If no regular file or folder owns the byte, is the byte part of a free block, or is it allocated to some internal file system data structure, such as the HFS+ Catalog B-Tree, etc.? There [...]

fileXray Example: The Time Filters

Wednesday, November 3rd, 2010

fileXray has the ability to rapidly run all file system objects on an HFS+ volume through a piece of code called a “filter”. A filter can examine a file system object and use arbitrary criteria to either accept or reject it. fileXray comes with more than two dozen built-in filters and you can even write [...]


Monday, November 1st, 2010

Does the idea of wielding power—a lot of power—intrigue you? Check out fileXray. Start with the ebook. If you are one of the target audiences, it will be worth your time.

All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.