fileXray vs hfsdebug

I’ve been asked how fileXray is better than hfsdebug. Here goes:

  • The primary answer is that it is not meaningful to compare them. Dramatically speaking, hfsdebug is the tip of the iceberg that is fileXray. It would be contrived to say that a bicycle is similar to a fighter jet because they both have wheels and can both be used to get from point A to point B. Similarly, it would not be useful to do a point-by-point differentiation between fileXray and hfsdebug even though they both “do things with HFS+ volumes.” hfsdebug’s functionality is a small, strict subset of fileXray’s functionality. Still, to list a few things for the sake of this post, fileXray has things like the following that hfsdebug does not:
    • Comprehensive forensics features
    • Ability to detect and parse GPT, APM, and MBR partition types
    • Large number (28 at the time of this writing) of built-in filters meant for power users, security folks, and forensics professionals
    • Built-in virtual file systems for performing advanced analyses
    • Checksumming of various types of volume data
    • Disk usage analytics
    • Volume content retrieval
    • Decompression of HFS+ compressed content
    • Support for fork-based extended attributes
    • Support for external journals
    • Ability to harvest recently used file system object names from the journal
    • Ability to trawl for volume content via arbitrarily extensible signature matching
    • Ability to scavenge for deleted content
    • Real-time file activity monitoring
    • Ability to reverse map bytes to files
  • In terms of code-base sizes, hfsdebug is about 12,000 lines of source code, whereas fileXray is about 105,000 lines. (For those prone to misreading numbers, fileXray has a code-base that is nearly 9 times larger.)
  • In the case of the few things that both hfsdebug and fileXray can do, fileXray can be up to 20 times faster than hfsdebug. In other words, what could take up to several minutes with hfsdebug may be done by fileXray in just a few seconds.
  • fileXray comes as a Universal Binary consisting of 64-bit Intel, 32-bit Intel, and 32-bit PowerPC versions, whereas hfsdebug is 32-bit PowerPC only and must be run under Rosetta on Intel Macs.
  • fileXray works on Mac OS X versions 10.5 (Leopard) and newer, including 10.7 (Lion). hfsdebug works on Mac OS X versions 10.4 (Tiger) through 10.6 (Snow Leopard), assuming you have Rosetta installed. Not all features of hfsdebug work on all supported versions of Mac OS X, however.
  • Some features of fileXray are simply too powerful and too cool to not be reiterated. For example, you must check out the Scavenger File System and the Arbitrary File System. The former lets you mount scavengable (deleted but recoverable) content as a volume, allowing you to access such content through applications of your choice! The latter lets you access arbitrary byte ranges on a volume through a convenient interface.
  • fileXray is a current product, whereas hfsdebug has now been retired because of flaws that cause it to display incorrect results under certain circumstances.

To sum up, fileXray is not a better hfsdebug, but a different beast altogether.



All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.