DIGITAL FORENSIC RESEARCH CONFERENCE
Using the HFS+ Journal For Deleted File Recovery
By
Aaron Burghardt, Adam Feldman
Presented At
The Digital Forensic Research Conference
DFRWS 2008 USA Baltimore, MD (Aug 11th - 13th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.
http://dfrws.org
Introduction
• Client-sponsored assignment
• Tasked to replace existing deleted file recovery tools
• Increase automation and improve accuracy
[Slide graphic: tombstone reading "R.I.P. Mac Norton Utilities, April 2004"]
Catalog File Records
• Catalog Node ID (unique, like an inode)
• Create, mod, access times
• Owner and group IDs
• Unix permissions
• Extent Records (i.e., fragment descriptors)
• Stored adjacent to Key in B-tree node
• Key = Parent CNID + file name
[Diagram: Key followed by the Catalog File Record: CNID, Create Date, Mod Date, Access Date, Owner ID, Group ID, Unix permissions, Extents]
B-tree Node
• Typically 8 KB
• Records and keys vary in size
• Records/Keys packed top-to-bottom
[Diagram: node layout with the Header at the top, Key/Record pairs packed downward below it, and the record Offsets table at the bottom of the node]
B-tree Storage
• Nodes are organized in a tree
• Records always maintained in sorted order
• Creation and deletion of files causes records to rearrange
[Animated diagram, slides 6-10: an index node of pointers above two leaf nodes holding file 1, file 2, file 4 and file 7, file 8, file 9; creating file 3 and deleting file 7 adds a third leaf and rearranges the records across the leaves]
File System Files
• Volume Bitmap
• Catalog File
• Extents Overflow
• Extended Attributes
[Diagram: the B-tree from the previous slide, now holding file 1, file 2, file 3, file 4, file 8, file 9 in sorted order, is the Catalog File; it is shown beside the Volume Bitmap, Extents Overflow and Extended Attributes files]
Role of Journal
[Diagram: the Journal File alongside the Volume Bitmap, Catalog File, Extents Overflow and Extended Attributes files]
Journal File
• Introduced in Mac OS X 10.2
• Records pending changes to metadata
• Collects related changes in transactions
• Sector/Block-oriented
• Allocation: 8 MB + 8 MB per 100 GB vol. size
Key Points
[Diagram: Volume Bitmap, Catalog File, Extents Overflow, Extended Attributes and Journal File]
• B-tree nodes are recorded in the journal as a whole unit
• Catalog File, Extents Overflow and Extended Attributes are all B-trees: must distinguish which tree a journaled node belongs to
• A Catalog File Record may appear in the journal due to unrelated changes to the same node
Recovery Approach
1. Begin at logical start of journal file
2. Scan until a B-tree node is found
- B-tree nodes carry no header signature
- Sanity checks are used to validate candidate nodes
3. Iterate node records
a. Search the active Catalog File for each Catalog File Record
b. If not found, conclude it is a deleted file
Recovery Approach (cont'd)
4. Cache the Catalog File Record in the deleted file cache:
- Replace duplicate (by CNID) record
5. Score the recoverability:
- Check current in-use status of the file's blocks in the Volume Bitmap
- Good: all blocks unused
- Partial: first block(s) not in use
- Poor: first block(s) in use
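The following is an added, self-contained example, not the authors' tool (no code is shown on these slides), covering both the Catalog File Record and B-tree Node layouts above and the five recovery steps just listed. It packs HFSPlusCatalogKey and HFSPlusCatalogFile structures per Apple TN1150 into a leaf node, validates candidate nodes in a journal buffer by sanity checks alone (there is no node signature), rejects nodes whose keys do not have catalog-key shape (the extents-overflow and attributes B-trees use the same node format), deduplicates by CNID and scores the survivors against a volume bitmap. Assumptions: the journal header and block-list records are not parsed and the buffer is scanned on 512-byte sector boundaries; node size is 8 KB; every file name, CNID, block number, timestamp and bitmap bit is constructed sample data.

```python
"""Added example (not the authors' tool): find HFS+ catalog B-tree leaf nodes in a journal
buffer, diff their file records against the live catalog, and score recoverability against
the volume bitmap. Layouts follow Apple TN1150; journal header/block lists are not parsed."""
import struct
from collections import namedtuple

NODE_SIZE, SECTOR, ROOT_CNID, kHFSPlusFileRecord, kBTLeafNode = 8192, 512, 2, 2, -1
HFS_EPOCH_DELTA = 2082844800          # seconds from 1904-01-01 (HFS+ epoch) to 1970-01-01

CatalogFile = namedtuple("CatalogFile", "parent_id name cnid create_date mod_date "
                         "access_date uid gid mode size extents")   # dates in Unix seconds

def catalog_key(parent_id, name):
    """HFSPlusCatalogKey: keyLength, parentID, HFSUniStr255 (length + UTF-16BE name)."""
    body = struct.pack(">IH", parent_id, len(name)) + name.encode("utf-16-be")
    return struct.pack(">H", len(body)) + body

def file_record(cnid, size, extents, mtime, mode=0o100644, uid=501, gid=20):
    """HFSPlusCatalogFile (248 bytes); the data fork holds the 8 inline extent descriptors."""
    t = mtime + HFS_EPOCH_DELTA
    ext = b"".join(struct.pack(">II", s, c) for s, c in extents) + bytes(8 * (8 - len(extents)))
    data_fork = struct.pack(">QII", size, 0, sum(c for _, c in extents)) + ext
    return (struct.pack(">hHII", kHFSPlusFileRecord, 0, 0, cnid)
            + struct.pack(">5I", t, t, t, t, 0)                 # create/mod/attrMod/access/backup
            + struct.pack(">IIBBHI", uid, gid, 0, 0, mode, 0)   # HFSPlusBSDInfo
            + bytes(32) + struct.pack(">II", 0, 0)              # Finder info, textEncoding, reserved
            + data_fork + bytes(80))                            # empty resource fork

def leaf_node(records):
    """Descriptor (14 bytes), records packed up from offset 14, UInt16 offsets packed down from the end."""
    node = bytearray(NODE_SIZE)
    struct.pack_into(">IIbBHH", node, 0, 0, 0, kBTLeafNode, 1, len(records), 0)
    pos = 14
    for i, (key, rec) in enumerate(records):
        struct.pack_into(">H", node, NODE_SIZE - 2 * (i + 1), pos)
        node[pos:pos + len(key) + len(rec)] = key + rec
        pos += len(key) + len(rec)
    struct.pack_into(">H", node, NODE_SIZE - 2 * (len(records) + 1), pos)   # free-space offset
    return bytes(node)

def node_offsets(node):
    """No node signature exists, so validate descriptor and offset table; None if implausible."""
    _, _, kind, _, nrec, _ = struct.unpack_from(">IIbBHH", node, 0)
    if kind != kBTLeafNode or not 0 < nrec < NODE_SIZE // 4:
        return None
    offs = [struct.unpack_from(">H", node, NODE_SIZE - 2 * (i + 1))[0] for i in range(nrec + 1)]
    ok = offs[0] == 14 and offs[-1] <= NODE_SIZE - 2 * (nrec + 1)
    return offs if ok and all(a < b for a, b in zip(offs, offs[1:])) else None

def catalog_files(node):
    """File records of a catalog leaf node; None if it is not one (the extents overflow and
    attributes B-trees share the node format, so the key shape is what tells them apart)."""
    offs = node_offsets(node)
    if offs is None:
        return None
    files = []
    for start in offs[:-1]:
        klen, parent, nlen = struct.unpack_from(">HIH", node, start)
        if klen != 6 + 2 * nlen:                      # not parentID + name: not a catalog key
            return None
        rec = start + 2 + klen
        if struct.unpack_from(">h", node, rec)[0] != kHFSPlusFileRecord:
            continue                                  # folder or thread record
        name = node[start + 8:start + 8 + 2 * nlen].decode("utf-16-be")
        cnid, ctime, mtime, _, atime = struct.unpack_from(">5I", node, rec + 8)
        uid, gid, _, _, mode = struct.unpack_from(">IIBBH", node, rec + 32)
        size = struct.unpack_from(">Q", node, rec + 88)[0]
        ext = [struct.unpack_from(">II", node, rec + 104 + 8 * i) for i in range(8)]
        files.append(CatalogFile(parent, name, cnid, ctime - HFS_EPOCH_DELTA, mtime - HFS_EPOCH_DELTA,
                                 atime - HFS_EPOCH_DELTA, uid, gid, mode, size, [e for e in ext if e[1]]))
    return files

def score(rec, bitmap):
    """Good: no block reused; Partial: first block free, a later one reused; Poor: first reused."""
    used = [bool(bitmap[b >> 3] & (0x80 >> (b & 7)))         # one bit per allocation block, MSB first
            for s, c in rec.extents for b in range(s, s + c)]
    return "Good" if not any(used) else "Poor" if used[0] else "Partial"

def recover(journal, live_node, bitmap):
    """Slide steps 1-5: scan on sector boundaries, drop CNIDs still in the live catalog, dedupe, score."""
    active = {r.cnid for r in catalog_files(live_node)}
    deleted = {}
    for off in range(0, len(journal) - NODE_SIZE + 1, SECTOR):
        for r in catalog_files(journal[off:off + NODE_SIZE]) or []:
            if r.cnid not in active:
                deleted[r.cnid] = r                   # later journal copy replaces earlier (by CNID)
    return {cnid: (r, score(r, bitmap)) for cnid, r in deleted.items()}

def demo():
    """Constructed sample (not real data): returns {cnid: (name, score, mtime)} for files missing from the live catalog."""
    T = 1218412800                                              # arbitrary Unix time (2008-08-11)
    f = lambda n, cnid, size, ext, t=T: (catalog_key(ROOT_CNID, n), file_record(cnid, size, ext, t))
    f2, f9 = f("file2", 22, 1000, [(50, 1)]), f("file9", 29, 100, [(60, 1)])
    older = leaf_node([f2, f("file4", 24, 6000, [(200, 2)]), f("file7", 27, 16000, [(100, 4)]),
                       f("file8", 28, 9000, [(300, 3)]), f9])
    newer = leaf_node([f2, f("file4", 24, 6000, [(200, 2)]),
                       f("file7", 27, 16000, [(100, 4)], T + 60), f9])   # file7 touched, file8 gone
    live = leaf_node([f2, f("file3", 30, 8000, [(102, 2)]), f9])
    journal = bytes(3 * SECTOR) + older + bytes(2 * SECTOR) + newer + bytes(SECTOR)
    bitmap = bytearray(64)                   # 512 allocation blocks; live data plus a reused block 300
    for b in (50, 60, 102, 103, 300):
        bitmap[b >> 3] |= 0x80 >> (b & 7)
    return {cnid: (r.name, s, r.mod_date) for cnid, (r, s) in recover(journal, live, bitmap).items()}
```

demo() reports file 4 as Good (no block reused), file 7 as Partial (its first block is free but file 3 now occupies blocks 102-103) and file 8 as Poor (block 300 reused). File 7 appears in both journaled copies of the node but is reported once, with the later modification time, and file 9 is not reported at all even though it sits in the journal, because it is still present in the live catalog: that is the "unrelated changes" case from the Key Points slide.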
Test Configurations
• Goal: establish typical "window of opportunity"
• Two test configurations:
- Mac mini
- MacBook Pro
• Mixture of use cases:
- Boot volumes
- Secondary volumes
- Time Machine
Lifetime of Data in Journal
• Boot volume: 5 min to 30 min
• Secondary: can be several hours or more
• Time Machine: idle between backups, approximately 30 sec during a backup
[Histogram: Num. Samples (0 to 40) per Time Interval (sec), bins labelled 0-99, 300-399, 600-699, 900-999, 1200-1299, 1500-1599, 1800-1899, 2100-2199, 2400-2499, 2700-2799, 3000-3099, 3300-3399, for Mac mini: Boot, MacBook Pro: Boot and MacBook Pro: Time Machine]
Empirical Results
Volume            Good  Partial  Poor  Total
MBP: Boot           59        0     8     67
MBP: Time Mach       3        0     0      3
Mini: Boot          10        0     4     14
Mini: FireWire      32        0    87    119
Mini: FireWire      14        0    22     36
Mini: Flash        141        0    21    162
Limitations
• Data in journal is short-lived
• Evidence of the file must be in the journal prior to it being deleted
- Deleted status is determined by deduction (absence from the active Catalog File)
- Can't predict whether a given deleted file is detectable
• Path may not be recoverable
• Only the 8 extent records held in the Catalog File Record are available (further fragments live in the Extents Overflow file)
• Time of deletion unknown
Summary
• Effective for recently deleted files
• Recovers files and metadata with high accuracy
• Limited by short window of opportunity and the need for record to exist in journal prior to deletion
• Complementary to file carving