naxrunner.blogg.se

ICAT Viewer for Mac














HFS+ is the native file system for all versions of Mac OS X and was introduced in 1998 to replace HFS. HFS (without the +) is rarely seen any more, except as a compatibility wrapper around early HFS+ file systems (from before OS X 10.4). On Macs, HFS+ is often referred to as "Mac OS Extended." HFSX is a version of HFS+ that optionally supports case-sensitive path names. It is commonly used on iOS devices (iPhones, etc.).

For reference, the source code to Apple's own implementation of HFS+ for Mac OS X is available at under xnu/bsd/hfs/ (this link is for OS X 10.7.4). Apple Developer's Technical Note 1150 describes the HFS+ format.

TSK also supports HFS, but only as a wrapper around an HFS+ file system.

Files in HFS+ can have two sets of data, called forks: a data fork and a resource fork. The data fork of most files contains what is conventionally considered to be the file's content. With the exception of compressed files, resource forks are not often used in modern versions of Mac OS X.

As of TSK 4.0.0, a file's resource fork is visible in its istat output and can be retrieved via icat. In TSK, a file's resource fork is made available as a file attribute called RSRC, number 4353-1, that can be passed to icat for examination. (The data fork is attribute 4352-0, DATA, and is normally the default one used by icat.) Istat also parses the resource fork's contents (if present) and prints a list of the individual resource entries. For each resource, it shows the resource type (four ASCII characters), the numeric ID, the offset (in bytes) within the file's resource fork, the size (in bytes), and the name of the resource (which is optional). To access an individual resource within the resource fork, use icat on inum-4353-1 and examine the data at the offset and size given by istat.

HFS+ supports arbitrary named attributes, called extended attributes, on files and directories. Access Control Lists (ACLs) are the most common use for attributes in HFS+. Extended attributes are also used to mark compressed files.

As of TSK 4.0.0, istat shows all of a file's extended attributes. Each extended attribute is loaded as a TSK attribute, with type ExATTR (numerically, 4354-*) and the name of the extended attribute as its TSK attribute name. There is one exception: an attribute that marks a file as compressed, as explained in the next section, will have type CMPF (numerically, 4355).

In Mac OS X 10.6, Apple introduced file compression (AppleFSCompression, internally) in HFS+. Compression is most often used for files installed as part of Mac OS X; user files are typically not compressed (but certainly can be!). Reading and writing compressed files is transparent as far as Apple's file system APIs are concerned.

Compressed files have an empty data fork. This means that forensic tools not aware of HFS+ file compression (including TSK before 4.0.0) will not see any data associated with a compressed file!

All compressed files have an extended attribute named which contains a compression header of 16 bytes. The actual data for compressed files is stored in one of three ways, depending on the size and compressibility of the file:

  1. The data is stored in the resource fork and compressed with zlib. This compression strategy is used for large files. (The resource fork will contain exactly one resource, of type cmpf. Apple's HFS+ implementation prevents compressed HFS+ files from having other resource fork data.)
  2. The data is stored in the extended attribute, compressed with zlib, immediately after the compression header. This compression strategy is used for mid-sized files (those that compress down to ~3800 bytes or less).
  3. The data is stored, uncompressed, in the extended attribute immediately after the compression header. This compression strategy is used for very small (or empty) files, effectively storing their data directly in the Attributes tree rather than reserving separate blocks on disk for it.

(The on-disk format allows for other compression strategies to be defined and used, but Mac OS X as of 10.7.4 only uses these three. Since Mac OS X 10.9, LZVN is occasionally used on system files by default, but SleuthKit does not support them yet. See afsctool.h.)

As of TSK 4.0.0, istat will show these details about compressed HFS+ files. In addition, icat will automatically decompress the file data by default. In cases 2 and 3 (above), TSK will load the uncompressed data of the file into resident DATA attribute 4352-0. In case 1, TSK will make the compressed data in the resource fork available as non-resident RSRC attribute 4353-1. The uncompressed data will be available as a virtual DATA attribute, 4352-0 (appearing as non-resident). Thus, for any compressed file, icat of the default DATA attribute (4352-0) will show the uncompressed content of the file.
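An added example, not part of the original page and not TSK's own code: a Python parser that reads the 16-byte compression header of a CMPF attribute and tells the three storage cases apart, recovering the data when it sits inside the attribute. The field layout, the magic bytes, type numbers 3 and 4 and the marker nibble are assumptions drawn from Apple's decmpfs definitions, since this page does not state them; the sample attributes are constructed.

```python
import struct
import zlib

# Assumed header layout (not stated on this page): magic "cmpf" stored
# little-endian (bytes b"fpmc"), uint32 type, uint64 uncompressed size.
HEADER = struct.Struct("<4sIQ")
MAGIC = b"fpmc"
TYPE_ZLIB_ATTR = 3  # assumed: payload follows the header inside the attribute
TYPE_ZLIB_RSRC = 4  # assumed: payload is in the resource fork (RSRC 4353-1)


def parse_cmpf_attribute(raw: bytes) -> dict:
    """Classify a compressed file's CMPF attribute and recover inline data."""
    if len(raw) < HEADER.size:
        raise ValueError("attribute shorter than the 16-byte header")
    magic, ctype, size = HEADER.unpack_from(raw)
    if magic != MAGIC:
        raise ValueError("bad compression magic: %r" % magic)
    payload = raw[HEADER.size:]
    result = {"type": ctype, "uncompressed_size": size, "data": None}
    if ctype == TYPE_ZLIB_RSRC:
        result["storage"] = "resource fork, zlib"
    elif ctype == TYPE_ZLIB_ATTR:
        if not payload or payload[0] & 0x0F == 0x0F:
            # Assumed marker byte: the rest is the file content, stored as-is.
            result["storage"], result["data"] = "attribute, uncompressed", payload[1:]
        else:
            result["storage"], result["data"] = "attribute, zlib", zlib.decompress(payload)
    else:
        result["storage"] = "unsupported"  # e.g. LZVN on 10.9+ system files
    if result["data"] is not None and len(result["data"]) != size:
        raise ValueError("recovered length does not match header size")
    return result


def build_sample(ctype: int, content: bytes, body: bytes) -> bytes:
    # Constructed attribute for demonstration, not taken from a real image.
    return HEADER.pack(MAGIC, ctype, len(content)) + body


TEXT = b"hello from a compressed HFS+ file\n" * 8
SAMPLES = {
    "zlib_attr": build_sample(TYPE_ZLIB_ATTR, TEXT, zlib.compress(TEXT)),
    "raw_attr": build_sample(TYPE_ZLIB_ATTR, b"tiny", b"\xff" + b"tiny"),
    "rsrc": build_sample(TYPE_ZLIB_RSRC, TEXT, b""),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", parse_cmpf_attribute(raw)["storage"])
```

A mismatch between the recovered length and the size in the header raises an error, which is a useful integrity check when examining an attribute from a damaged or tampered image.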














