HFS+ Sector Data
Here, we are going to look at some of the most frequently
asked questions on interpreting the HFS+ volume header.
To do this, I have used WinHex to look at the physical disk
of an Intel-based Macintosh that has MacOS X 10.5 and Windows
XP (Boot Camp) installed. In WinHex, this Mac shows 3
significant partitions: EFI, HFS+, and NTFS.
Let’s look into the HFS+ partition. (We will look at the
important pieces of data; read Tech Note 1150 for everything.)
The first highlighted data is the “H+” itself. What is this?
There is only one definitive source to answer this question,
Apple’s Tech Note 1150. According to
this Tech Note, this data is defined as the volume
signature. In fact, we can use this to our advantage
when looking for possible HFS+ partitions on a drive. A
keyword search for “H+” is a possibility.
Next, we have “HFSJ”. This is defined as the Last Mounted
Version. HFSJ specifically means that the last time this file
system was mounted, it was mounted with journaling.
Next, we have the date this volume was actually created! The
date is an Apple time or HFS time, so we must set WinHex to
interpret the data as such.
This partition was created (Initialized) on 09/18/2007! Is
this the day I formatted it though? How many people format
their hard drive when they get it from Apple? It’s likely the
time Apple imaged the drive with their current build of
software.
Next, we have the modified date. This date is changed when
the volume gets changed, which makes it a great sign of last
usage by a user.
Again, using the HFS date, we see that my HFS+ partition was
last modified 07/04/08 (or the same day I shut down MacOS X,
booted to WinXP, and then booted back to MacOS X).
The last date we will look at is defined as the checked date.
It shows when the file system was last checked by a disk
utility for flaws.
The HFS date here shows my volume was last checked
09/19/2007. This is the one date I still need to research
more. I run Disk Utility to Verify Permissions and Verify
Disk often. I do not run fsck from Single User Mode. I do
leave my machine on 100% of the time so all CRON jobs will
run, yet this date reflects nothing has been done since the
initial setup essentially. More to come on this date as it
develops.
One last tip for anyone looking to reproduce my results:
remember in WinHex to highlight the data sweeping from the
right to the left on Intel Macs. The date and time will come
out wrong if you sweep left to right.
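
The fields walked through above can also be decoded in code. The following is an added example, not part of the original post: it reads the first 32 bytes of the volume header using the layout and big-endian byte order given in Tech Note 1150. The function names, the times of day and the other values in the sample header are constructed for illustration; only the three dates match the ones shown above.

```python
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)   # HFS+ dates are seconds counted from here
HEADER_OFFSET = 1024               # the volume header starts 1024 bytes into the volume
# signature, version, attributes, lastMountedVersion, journalInfoBlock,
# createDate, modifyDate, backupDate, checkedDate (big-endian per TN1150)
FIELDS = struct.Struct(">2sHI4sIIIII")

def hfs_date(seconds):
    """Convert a 32-bit HFS+ date to a naive datetime; 0 means never set."""
    return None if seconds == 0 else HFS_EPOCH + timedelta(seconds=seconds)

def parse_volume_header(volume):
    """Decode the leading fields of the HFS+ volume header from raw volume bytes."""
    raw = volume[HEADER_OFFSET:HEADER_OFFSET + FIELDS.size]
    if len(raw) < FIELDS.size:
        raise ValueError("volume image too short for an HFS+ header")
    (sig, version, _attrs, mounted, _journal,
     created, modified, backup, checked) = FIELDS.unpack(raw)
    if sig not in (b"H+", b"HX"):          # "HX" is the HFSX variant
        raise ValueError("no HFS+ volume signature, found %r" % sig)
    return {
        "signature": sig.decode("ascii"),
        "version": version,
        "last_mounted_version": mounted.decode("ascii", "replace"),
        "journaled_last_mount": mounted == b"HFSJ",
        "create_date_local": hfs_date(created),   # TN1150: stored in local time
        "modify_date_utc": hfs_date(modified),    # TN1150: stored in GMT
        "backup_date_utc": hfs_date(backup),
        "checked_date_utc": hfs_date(checked),
    }

def to_hfs(dt):
    """Helper used only to build the constructed sample below."""
    return int((dt - HFS_EPOCH).total_seconds())

# Constructed sample: 1024 zero bytes followed by a 32-byte header start.
SAMPLE = bytes(HEADER_OFFSET) + FIELDS.pack(
    b"H+", 4, 0x00002100, b"HFSJ", 0x2A0,
    to_hfs(datetime(2007, 9, 18, 14, 30)),   # created
    to_hfs(datetime(2008, 7, 4, 21, 15)),    # modified
    0,                                       # never backed up
    to_hfs(datetime(2007, 9, 19, 2, 5)),     # checked
)

if __name__ == "__main__":
    for name, value in parse_volume_header(SAMPLE).items():
        print(f"{name:22} {value}")
```

Because the create date is stored in local time and the others in GMT, compare them only after accounting for the machine's time zone.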