fileXray Example: Disallowing Automatic Mounting

By default, the Disk Arbitration mechanism in Mac OS X probes newly discovered storage devices for mountable volumes. Mounting an HFS+ volume in read-write mode, which is the default, will modify the volume in question because both low-level and high-level file system activity can occur at mount time. For example, timestamps and counters can get updated, the journal can get replayed, file system objects can get created or deleted, and so on. This is highly undesirable if you wish to attach and access the storage device for recovery or forensic purposes or otherwise wish to keep it unmodified.

With fileXray, you can not only fully analyze an unmounted (offline) volume, you can prevent the volume of interest from being automatically mounted as you attach the corresponding storage device to the computer. When this option is used, fileXray will wait for a specified number of seconds, during which time any new volumes that appear will not be allowed to automatically mount. However, the devices underlying these volumes will be allowed to attach, which in turn means that you can use fileXray on the devices. As a device attaches, fileXray will print the corresponding block device name(s) and if possible, the corresponding file system type(s) and volume name(s).

In the following example, we use fileXray to disallow automatic mounting for 60 seconds. While mounting is disabled, we attach an external disk drive containing a GUID Partition Table with four volumes on it. We see that fileXray prints information about each volume as that volume’s mounting is attempted by the system. Since the volumes are attached, we can now use fileXray on the corresponding device names.

$ fileXray --disallow_mounting 60
Disallowing mounting for 60 seconds.
# Now attach an external device
disk1s2    hfs                        Untitled 2
disk1s4    hfs                        Untitled 4
disk1s3    hfs                        Untitled 3
disk1s1    msdos                      UNTITLED 1

Comments are closed.

All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.