Advanced HFS+ Forensics and Content Recovery
Besides its other capabilities, fileXray has an extensive feature set geared for HFS+ file system forensics. This is a quick overview of the relevant features; details can be found in the fileXray User Guide and Reference ebook.

- To begin with, the --disallow_mounting option provides a convenient solution to an often-cited problem: preventing volumes on external devices from being automatically mounted when the devices are connected to the computer. The --disallow_mounting option lets you temporarily disable such automatic mounting without having to remove or rename any configuration files and without having to stop any system daemons such as diskarbitrationd.
- The --journal_names option dissects the volume's journal and harvests file system object names. When displaying the harvested names, it annotates the output with the type of file system activity that is likely to have occurred involving each name, for example whether an object with that name was deleted, moved, renamed, and so on. When run with the --exhaustive option, --journal_names "diffs" the journal and volume copies of the blocks recorded in the journal and indicates which parts of the metadata, if any, have changed.
- The --trawl option scans the volume looking for blocks that match "magic" patterns (signatures). This option uses the same magic mechanism that underlies the file command on Mac OS X. The set of signatures is easily extensible by the user.
- The --scavenge option scans the volume looking for deleted files and folders. The result of the scavenge operation is a list of potentially recoverable files. It shows you a list of such files along with their metadata details, including which of the deleted blocks are likely to have been overwritten. It also allows you to "undelete" such scavenged files, if possible. The Scavenger File System provides a virtual file system view of the results of scavenging a volume, so you can inspect scavengable data using tools of your choice.
- The Free Space File System provides a convenient way to identify and search through the free extents of a volume. The analog for used extents is the Used Space File System.
- The Arbitrary File System provides a novel and powerful way of accessing arbitrary byte ranges on a given storage device.
- fileXray filters can be used to search a volume for objects with specific attributes. In particular, the bmactime family of filters can be used to search for objects one or more of whose timestamps fall within a given range. The result of the bmactime filter can provide a "timeline" view of past file system activity.
- The --checksum option can be used to compute hashes of one or more on-disk components of file system objects.
- fileXray provides several ways to read content, both metadata and data, from an HFS+ volume regardless of whether the volume is online or offline.
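To make the signature-scanning idea behind --trawl concrete, here is an added Python example that is not part of fileXray or its documentation. It scans a constructed disk image for a handful of well-known byte signatures, once checking only allocation-block boundaries and once checking every byte offset. The signature table, the 4096-byte block size and the sample image are assumptions made for the example; fileXray's own magic database is the libmagic-style one the text mentions and is not reproduced here.

```python
"""Block-level "magic" signature scan over a constructed disk image.

Added example (not fileXray code). Demonstrates why a trawl over a volume is
done per allocation block, and what a block-aligned scan can miss.
"""
from typing import Iterator, List, Tuple

# Small signature table: an assumption for this example, not fileXray's set.
SIGNATURES = {
    "PNG image": b"\x89PNG\r\n\x1a\n",
    "JPEG image": b"\xff\xd8\xff",
    "PDF document": b"%PDF-",
    "ZIP archive": b"PK\x03\x04",
    "gzip data": b"\x1f\x8b\x08",
}

# Assumed allocation block size for the sample image.
BLOCK_SIZE = 4096


def iter_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> Iterator[Tuple[int, bytes]]:
    """Yield (block_number, block_bytes) for every allocation block in the image."""
    for start in range(0, len(image), block_size):
        yield start // block_size, image[start:start + block_size]


def trawl(image: bytes, block_size: int = BLOCK_SIZE,
          aligned: bool = True) -> List[Tuple[int, int, str]]:
    """Return (block_number, byte_offset, description) for each signature hit.

    aligned=True tests only the first bytes of each block: cheap, and it finds
    file starts that the file system placed on a block boundary (the common
    case for HFS+ allocation). aligned=False tests every offset inside each
    block and additionally catches data buried mid-block, such as a file
    embedded in another file or residue from a partially overwritten block.
    A signature straddling two blocks is not detected by either mode.
    """
    hits: List[Tuple[int, int, str]] = []
    for blk, data in iter_blocks(image, block_size):
        for desc, magic in SIGNATURES.items():
            if aligned:
                if data.startswith(magic):
                    hits.append((blk, blk * block_size, desc))
            else:
                off = data.find(magic)
                while off != -1:
                    hits.append((blk, blk * block_size + off, desc))
                    off = data.find(magic, off + 1)
    return hits


def build_sample_image(block_size: int = BLOCK_SIZE, blocks: int = 16) -> bytes:
    """Constructed 64 KiB image: PNG at block 3, JPEG at block 7, and a PDF
    header 100 bytes into block 9 (which a block-aligned scan will miss)."""
    img = bytearray(block_size * blocks)
    img[3 * block_size:3 * block_size + 8] = SIGNATURES["PNG image"]
    img[7 * block_size:7 * block_size + 3] = SIGNATURES["JPEG image"]
    pdf_at = 9 * block_size + 100
    img[pdf_at:pdf_at + 5] = SIGNATURES["PDF document"]
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for mode in (True, False):
        print("aligned" if mode else "exhaustive")
        for blk, off, desc in trawl(image, aligned=mode):
            print(f"  block {blk:5d}  offset 0x{off:08x}  {desc}")
```

The aligned pass reports only the PNG and JPEG starts; the exhaustive pass also finds the PDF header inside block 9. On a real volume the aligned pass is what you run first, and the byte-granular pass is reserved for blocks already flagged as interesting (for example, free extents from a free-space view), because it is roughly block-size times more expensive.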