Archive for the 'fileXray' Category

fileXray and Newer HFS+ Features

Thursday, September 29th, 2011

In case you were wondering, fileXray (make sure you have a recent version) does support newer HFS+ features such as: The “date-added” information stored in Finder Info, which is not the same as the older “creation-time” field in the stat structure. fileXray will determine if a file or folder has this information set, and if [...]

fileXray vs hfsdebug

Sunday, April 17th, 2011

I’ve been asked how fileXray is better than hfsdebug. Here goes: The primary answer is that it is not meaningful to compare them. Dramatically speaking, hfsdebug is the tip to the iceberg that is fileXray. It would be contrived to say that a bicycle is similar to a fighter jet because they both have wheels [...]

Using fileXray to Enumerate Orphaned Files

Friday, February 18th, 2011

fileXray’s goal is to help you determine “anything” and “everything” about an HFS+ volume. Someone recently asked if it is possible to locate all orphaned files on a volume. Indeed, it is possible. HFS+ allows you to unlink a file or a folder while it is busy. Normally, these are permanently removed at unmount time. [...]

Advanced HFS+ Forensics and Content Recovery

Monday, November 22nd, 2010

Besides its other capabilities, fileXray has an extensive feature set geared for HFS+ file system forensics. This is a quick overview of the relevant features—details can be found in the fileXray User Guide and Reference ebook. To begin with, the --disallow_mounting option provides a convenient solution to an often cited problem: that of preventing volumes [...]

fileXray Example: The Mach-O Filter

Monday, November 15th, 2010

fileXray contains over two dozen built-in “filters” that allow you to locate file system objects on an HFS+ volume using a variety of criteria. A filter is a piece of code that gets executed by fileXray for each file system object as fileXray rapidly runs through the entire file system hierarchy of an HFS+ volume. [...]

fileXray Example: FreespaceFS

Thursday, November 11th, 2010

In a previous blog post we saw how the trawling mechanism in fileXray provides a way of looking for patterns on an HFS+ volume. There are times when you really must be able to just manually “go through” the free (unallocated) space in a volume. Perhaps you are an end user who wants to look [...]

fileXray Example: Disallowing Automatic Mounting

Wednesday, November 10th, 2010

By default, the Disk Arbitration mechanism in Mac OS X probes newly discovered storage devices for mountable volumes. Mounting an HFS+ volume in read-write mode, which is the default, will modify the volume in question because both low-level and high-level file system activity can occur at mount time. For example, timestamps and counters can get [...]

fileXray Example: ArbitraryFS

Monday, November 8th, 2010

One of fileXray’s features is that it uses virtual file systems to provide access to certain types of volume information. The Trawling for Data blog post contained a mention of ArbitraryFS, which is one of the several such file systems built into fileXray. Let us look at ArbitraryFS in a little more detail. ArbitraryFS contains [...]

fileXray Example: Trawling for Data

Friday, November 5th, 2010

fileXray provides several ways of looking for elusive or missing data on an HFS+ volume. One of these ways is fileXray’s trawling mechanism, wherein it will scan a volume looking for blocks that match “magic” patterns (signatures) contained in a given query file. You don’t usually need to come up with the patterns—fileXray understands the [...]

fileXray Example: Who Owns This Byte?

Thursday, November 4th, 2010

Suppose you want to know which file or folder (if any) “owns” a given byte on an HFS+ volume. If no regular file or folder owns the byte, is the byte part of a free block, or is it allocated to some internal file system data structure, such as the HFS+ Catalog B-Tree, etc.? There [...]

All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.