Advanced HFS+ Forensics and Content Recovery

Besides its other capabilities, fileXray has an extensive feature set geared for HFS+ file system forensics. This is a quick overview of the relevant features—details can be found in the fileXray User Guide and Reference ebook.

  • To begin with, the --disallow_mounting option provides a convenient solution to an often cited problem: that of preventing volumes on external devices from being automatically mounted when the devices are connected to the computer. The --disallow_mounting option lets you temporarily disable such automatic mounting without having to remove or rename any configuration files and without having to stop any system daemons such as diskarbitrationd.
  • The --journal_names option dissects the volume’s journal and harvests file system object names. When displaying the harvested names, it annotates the output with the type of file system activity that’s likely to have occurred involving each name—for example, if an object with that name was deleted, moved, renamed, and so on. When run with the --exhaustive option, --journal_names “diffs” the journal and volume copies of the blocks recorded in the journal and indicates which parts of the metadata, if any, have changed.
  • The --trawl option scans the volume looking for blocks that match “magic” patterns (signatures). This option uses the same magic mechanism that underlies the file command on Mac OS X. The set of signatures is easily extensible by the user.
  • The --scavenge option scans the volume looking for deleted files and folders. The result of the scavenge operation is a list of potentially recoverable files. It shows you a list of such files along with their metadata details, including which of the deleted blocks are likely to have been overwritten. It also allows you to “undelete” such scavenged files, if possible. The Scavenger File System provides a virtual file system view of the results of scavenging a volume, so you can actually inspect scavengable data using tools of your choice!
  • The Free Space File System provides a convenient way to identify and search through the free extents of a volume. The analog for used extents is the Used Space File System.
  • The Arbitrary File System provides a novel and powerful way of accessing arbitrary byte ranges on a given storage device.
  • fileXray filters can be used to search a volume for objects with specific attributes. In particular, the bmactime family of filters can be used to search for objects one or more of whose timestamps fall within a given range. The result of the bmactime filter can provide a “timeline” view of past file system activity.
  • The --checksum option can be used to compute hashes of one or more on-disk components of file system objects.
  • fileXray provides several ways to read content—both metadata and data—from an HFS+ volume regardless of whether the volume is online or offline.
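The signature-driven block scan described under --trawl, as an added illustration rather than fileXray's own code: it walks a constructed disk image sector by sector, matches each sector's leading bytes against an extensible magic table, and validates an HFS+ volume header hit by decoding a few header fields. The 512-byte scan granularity and the sample image are assumptions; the 'H+'/'HX' signatures and header field offsets follow Apple's TN1150.

```python
import struct
from typing import Dict, List, Tuple

BLOCK_SIZE = 512  # assumed scan granularity (one sector); a real scan may use the allocation block size

# Extensible magic table, in the spirit of the page's description of --trawl. 'H+' and
# 'HX' are the HFS+/HFSX volume header signatures (TN1150); the rest are file-format magics.
SIGNATURES: Dict[str, bytes] = {
    "hfsplus-volume-header": b"H+",
    "hfsx-volume-header": b"HX",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

def trawl(image: bytes, signatures: Dict[str, bytes] = SIGNATURES,
          block_size: int = BLOCK_SIZE) -> List[Tuple[int, str]]:
    """Return (block_number, signature_name) for every block whose leading bytes match a magic.
    A hit is only a candidate: short magics such as 'H+' also match unrelated data, so
    candidates should be validated (see hfsplus_header_fields) before trusting them."""
    hits = []
    nblocks = (len(image) + block_size - 1) // block_size
    for blk in range(nblocks):
        chunk = image[blk * block_size:(blk + 1) * block_size]
        for name, magic in signatures.items():
            if chunk.startswith(magic):
                hits.append((blk, name))
    return hits

def hfsplus_header_fields(block: bytes) -> Dict[str, int]:
    """Decode HFS+ volume header fields (big-endian, TN1150 offsets): version at 2,
    blockSize/totalBlocks/freeBlocks at 40/44/48. Used to sanity-check a trawl hit."""
    version = struct.unpack_from(">H", block, 2)[0]
    block_sz, total, free = struct.unpack_from(">III", block, 40)
    return {"version": version, "blockSize": block_sz, "totalBlocks": total, "freeBlocks": free}

def build_sample_image() -> bytes:
    """Constructed 8-sector image (not from any real volume): HFS+ volume header at
    byte 1024 (sector 2), a PNG header in sector 5, a PDF header in sector 6."""
    header = bytearray(BLOCK_SIZE)
    header[0:2] = b"H+"
    struct.pack_into(">H", header, 2, 4)                     # version 4 = HFS+
    struct.pack_into(">III", header, 40, 4096, 1000, 250)    # blockSize, totalBlocks, freeBlocks
    sectors = [bytes(BLOCK_SIZE)] * 8
    sectors[2] = bytes(header)
    sectors[5] = b"\x89PNG\r\n\x1a\n".ljust(BLOCK_SIZE, b"\x00")
    sectors[6] = b"%PDF-1.4\n".ljust(BLOCK_SIZE, b"\x00")
    return b"".join(sectors)
```

Running trawl() over build_sample_image() reports sectors 2, 5 and 6; decoding sector 2 with hfsplus_header_fields() confirms a plausible header (version 4, 4096-byte allocation blocks) rather than a chance 'H+' match.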

All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.