fileXray Example: FreespaceFS
In a previous blog post we saw how the trawling mechanism in fileXray provides a way of looking for patterns on an HFS+ volume.
There are times when you really must be able to just manually “go through” the free (unallocated) space in a volume. Perhaps you are an end user who wants to look for lost data using some unusual technique. Perhaps you are a forensics or security professional who wants a convenient and easy mechanism to isolate the free extents of an HFS+ volume, and then be able to examine those extents using tools of your choice. The Free Space File System (FreespaceFS), one of fileXray’s built-in virtual file systems, provides just that mechanism.
Simply put, FreespaceFS contains virtual files that represent the free extents of a given HFS+ volume. The idea is to isolate free space in easy-to-read contiguous chunks, exposing each chunk as a virtual file that can be normally read, which makes searching through free space much more convenient and faster in most cases.
When you mount an HFS+ volume through FreespaceFS, a top-level virtual directory called freespace in the resultant volume contains one or more virtual subdirectories whose names are of the format X_Y. X is a monotonically increasing decimal number starting at 0. Y represents a block number in hexadecimal, which is the starting block number of the first extent within that directory. Consider the following example.
# Create a mount point. $ mkdir /Volumes/freespace # Use the Free Space File System to mount the root volume. $ sudo fileXray --userfs_type freespace --userfs_mount /Volumes/freespace $ ls -las /Volumes/freespace/freespace/ total 0 0 drwxr-xr-x 38 root wheel 0 Nov 2 20:58 . 0 drwxr-xr-x 3 root wheel 0 Nov 2 20:58 .. 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000000_00014d87 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000001_003e4772 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000002_004e8ae8 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000003_00550783 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000004_005b8023 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000005_00bda9bd … 0 dr-xr-xr-x 1026 root wheel 0 Nov 2 20:58 00000034_02d66310 0 dr-xr-xr-x 389 root wheel 0 Nov 2 20:58 00000035_02ec061a
Inside each such directory named X_Y, there are at most 1024 virtual files—a new directory is created after the previous one is populated with 1024 files. Each file represents a free extent—that is, a range of contiguous free blocks. Each file’s name is of the form U_V. U is the extent’s starting block number and V is the number of blocks in the extent. Both U and V are represented in hexadecimal. As noted earlier, the value of U for the first extent contained within the X_Y directory is the same as the value of Y.
Reading from such a file will return data from the volume blocks the file represents. The following excerpt shows the last few contents of the last X_Y directory in the above example.
$ ls -asl /Volumes/freespace/freespace/00000035_02ec061a
…
848 -rw-r--r-- 1 root wheel 424K Nov 2 21:18 02f0db4e-02f0dbb7
88 -rw-r--r-- 1 root wheel 44K Nov 2 21:18 02f0dc69-02f0dc73
2272 -rw-r--r-- 1 root wheel 1.1M Nov 2 21:18 02f0dc77-02f0dd92
114176 -rw-r--r-- 1 root wheel 56M Nov 2 21:18 02f0dd94-02f11553
530184 -rw-r--r-- 1 root wheel 259M Nov 2 21:18 02f11556-02f21836
16608 -rw-r--r-- 1 root wheel 8.1M Nov 2 21:18 02f21840-02f2205b
92345904 -rw-r--r-- 1 root wheel 44G Nov 2 21:18 02f2205d-03a24322
$
Note that that last file, 02f2205d-03a24322, contains about 44GB of free space.
In case you are wondering if there is an analog for used extents, the answer is yes: fileXray also provides a “Used Space File System” that exposes the in-use (allocated) extents of an HFS+ volume as virtual files.