B-‐Tree Nodes HFS+ File System Format Reference Sheet By: Sarah Edwards Twi2er: @iamevltwin Email: [email protected] • • • Catalog File Four types of B-‐Tree Nodes Only one Header Node per B-‐Tree Each B-‐Tree Specifies its size in the Node Size field of the Header Record Size (in bytes) LocaMon Data 0 2 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 80 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 8 4 Signature Version A2ributes Last Mounted Version Journal Info Block Create Date Modify Date Backup Date Checked Date File Count Folder Count Block Size Total Blocks Free Blocks Next AllocaMon rsrc Clump Size Data Clump Size Next Catalog ID Write Count Encoding Bitmap Finder Info Array [0] 84 88 92 96 100 104 108 112 192 272 352 432 4 4 4 4 4 4 4 80 80 80 80 80 Finder Info Array [1] Finder Info Array [2] Finder Info Array [3] Finder Info Array [4] Finder Info Array [5] Finder Info Array [6] Finder Info Array [7] AllocaMon File Size & LocaMon Extents File Size & LocaMon Catalog File Size & LocaMon A2ributes File Size & LocaMon Startup File Size & LocaMon Reserva7on Root Parent Root Folder Extents Overflow File Catalog File Bad Block File AllocaMon File Startup File A2ributes File Repair Catalog File Bogus Extent File First User Catalog Node Size Alternate VH Node Descriptor Record 1 Record 2 … Free Space Offset to Free Space … Offset to Record 2 Offset to Record 1 Special File Size & LocaMon / File Extents [80 bytes] Offset 0 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 Size (in bytes) Data 8 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 Logical Size Clump Size Total Blocks Extent 1 – Start Block Extent 1 – Block Count Extent 2 – Start Block Extent 2 – Block Count Extent 3 – Start Block Extent 3 – Block Count Extent 4 – Start Block Extent 4 – Block Count Extent 5 – Start Block Extent 5 – Block Count Extent 6 – Start Block Extent 6 – Block Count Extent 7 – Start Block Extent 7 – Block Count Extent 8 – Start Block Extent 8 – Block Count HFS+ Special File Extrac7on from Image File using The Sleuth Kit icat -f hfs –o <partitionoffset> *.dd <inode> > special_file Apple Tech Note 1150 – Available at dubeiko.com/development/FileSystems/HFSPLUS/tn1150.html The Sleuth Kit Source – Available at github.com/sleuthkit/sleuthkit/blob/master/tsk/fs/tsk_hfs.h Mac OS X Internals: A Systems Approach by Amit Singh – Chapter 12 Mac OS X and iOS Internals: To the Apple’s Core by Jonathan Levin – Chapter 16 Apple Open Source -‐ h2p://www.opensource.apple.com/source/xnu/xnu-‐2050.18.24/bsd/hfs/hfs_format.h Node Descriptor Header Record User Data Record Map Record Free Space Offset to Free Space Offset to Map Record Offset to User Data Record Offset to Header Record Header Node Leaf Node Leaf Node Index Node Index Node Leaf Node Leaf Node Index Node … Node Descriptor [14 bytes] Offset Size (in bytes) 4 4 1 Field 0 4 8 9 10 12 1 2 2 Height Number of Records Reserved Forward Link Backward Link Kind: 0xFF – Leaf Node (-‐1) 0x00 – Index Node (0) 0x01 – Header Node (1) 0x02 – Map Node (2) Header Record [46 bytes] Header Node Header Record User Data Record Map Record Map Node Map Records* *See Alloca*on Table Format HFS+ File System Format References & Resources: • • • • • Special File Node Layout 1024 bytes from beginning of the volume 512 bytes 1024 bytes from the end of the volume Catalog Node ID Reserva7ons CNID 1 2 3 4 5 6 7 8 14 15 16 Size 2 4 Field Key Length Parent CNID (or CNID of file/folder for thread records) Node Name (File or Folder Name) 2 Byte Length + Variable Unicode Name (<=255) Variable HFSUniStr255 Volume Header Offset Catalog File Key Index Node Pointer Records Size (in bytes) 2 Variable 4 Field Key Length Key (For Catalog File: Parent CNID + HFSUniStr255) Node Number Leaf Node Data Records Size (in bytes) 2 4 Variable Field Key Length Parent CNID Data Size [2 bytes] + Data (Empty String 0x0000 in thread records) (+padding byte if key length is odd) Offset 0 2 6 10 14 18 20 22 26 30 32 36 Size (in bytes) 2 4 4 4 4 2 2 4 4 2 4 1 37 1 38 42 4 4 Field Tree Depth Root Node Leaf Records First Leaf Node Last Leaf Node Node Size Max Key Length Total Nodes Free Nodes Reserved Clump Size B-‐tree Type: 0x00 – HFS B-‐Tree (0) 0x80 – User B-‐Tree (128) 0xFF – Reserved (255) Key Compare Type: 0xCF or 0xC7 -‐ Case-‐insensiMve 0xBC -‐ Case-‐sensiMve 0x00 -‐ Unknown A2ributes: Reserved [16] (64 bytes) HFS+ Data is Big Endian GPT is Li2le Endian Catalog File/Folder Record [88 or 248 bytes] Catalog Thread Record Size (in bytes) 2 Size 2 Bytes Field Record Type (0x0001) – Folder Record (0x0002) – File Record 2 Flags 4 Valence (File Records -‐ Reserved) 4 File or Folder ID (CNID) 4 Create Date 4 Content ModificaMon Date 4 A2ribute ModificaMon Date 4 Access Date 4 Backup Date HFSPlusBSDInfo [16 Bytes] Permissions FolderInfo or FileInfo [16 Bytes] User InformaMon ExtendedFolder or FileInfo [16 Bytes] Finder InformaMon 4 Text Encoding 4 Reserved AddiMonal Fields for File Record – See “File Extents” Table HFSPlusForkData [80 Bytes] Data Fork HFSPlusForkData [80 Bytes] Resource Fork 2 Bytes 4 Bytes HFSUniStr255 Size (in bytes) 4 4 1 1 2 4 Field Record Type (0x0003) – Folder Thread Record (0x0004) – File Thread Record Reserved Parent ID (CNID) Node Name (File or Folder Name) 2 Byte Length + Variable <=255 Unicode Name HFSPlusBSDInfo Owner ID Group ID Admin Flags Owner Flags File Mode iNode Number or Link Count or Raw Device AOributes File A2ributes Key A2ributes Record Size (in bytes) 2 2 4 4 2 Variable Field Size (in bytes) Key Length Pad File ID (CNID) Start Block A2ribute Name Length A2ribute Name 4 8 4 Variable Field Record Type (0x00000010) Inline Data A2ribute Reserved A2ribute Size A2ribute Data Extents Overflow File Extents Overflow Key [12 bytes] Size (in bytes) 2 1 1 4 4 Extents Overflow Record Size (in bytes) Field Key Length Fork Type 0x00 -‐ Data 0xFF -‐ Resource Pad File ID (CNID) Start Block 4 4 Field (For Each Eight Extents) Start Block Block Count Alloca7on File (with Examples) 1 bit per allocaMon block (512 bytes), 8 blocks per byte (4,096) Most Significant Bit – Status of block with lowest number Least Significant Bit – Status of block with highest number Hex 0x00 0xFF 0x1F 0x80 0x07 0xF0 Binary 00000000 11111111 00011111 10000000 00000111 11110000 Alloca7on No Blocks Allocated All Blocks Allocated Lowest three blocks are unallocated Lowest block is allocated Highest three blocks are allocated Highest four blocks are unallocated Updated 7/2016 SANS FOR518 Reference Sheet By: Sarah Edwards | Twi2er: @iamevltwin | Email: [email protected] Directory Commands cd .. Change Directory…up one directory (../.. – two directories up) cd /var/log Change Directory…to /var/log cd ~ Change Directory…to your home directory cd / Change Directory…to the root directory ls List Directory (Short LisMng) ls -l List Directory (Long LisMng) ls -a List Directory items…including hidden items (files beginning with “.”) ls -lh List Directory items…with human readable sizes ls -R List Directory items…recursively open . Open Current Directory pwd Print Working Directory mkdir Create a Directory rmdir Remove a Directory rmdir –R Remove a Directory (and its contents) . Current Directory .. Parent Directory File Commands pico <filename> xxd <filename> open <filename> open –a <programname> <filename> cat <filename> <command> | more <command> | less rm <filename> cp <filename> <newfilename> mv <filename> <newfilename> <command> > <filename> <command> >> <filename> touch <filename> head <filename> tail <filename> strings <filename> exiftool <filename> plutil –p <propertylist> file <filename> grep –i <searchterm> <filename> python <file>.py Miscellaneous Commands sudo <command> sudo -s su whoami history man <command> Terminal Shortcuts Ctrl + A Ctrl + E Tab Ctrl + C Command + K or Ctrl + L Command + T Command + W Command +/-‐ Open a file in a simple text editor (q – to quit editor) Open a file in a hex editor Opens a file in the default program Opens a file in a specified program Concatenate a file to the terminal screen Pipe command output to more to show contents screen by screen Pipe command output to less to show contents screen by screen (and be able to go back and forth) Remove File Copy File Move File Redirect command output to a file Append command output to a file Create an empty file Show first 10 lines of a file Show last 10 lines of a file (-f to watch appended input) Show the strings of a file Show the exif/metadata of the file Print the contents of a property list Show a file signature type Search for term within a file (case-‐ insensiMve) Execute a Python program Execute program as another user (default is root user) Open a privileged shell SubsMtute User to root Display EffecMve User ID Command History Command Manual (q – to exit manual) Jump to beginning of line Jump to end of of line Tab CompleMon Kill Current Command Clear Screen (or clear command) New Terminal Tab Close Terminal Tab Increase or Decrease Terminal Font Size Generic Tool Compila7on and Installa7on tar –xvf <archive>.tar.gz ./configure make sudo make install Live Response date Local System Time (-‐u for UTC) hostname System Hostname uname –a OS & Architecture InformaMon sw_vers OS X Version & Build netstat –anf inet or netstat -an AcMve Network ConnecMons lsof -i AcMve Network ConnecMons (by process) netstat -rn RouMng Table arp -an ARP Table ifconfig Network Interface ConfiguraMon lsof List Open Files who –a, w List Logged On Users last List user logins ps aux List Processes system_profiler -xml System Profiler (XML, Full Detail Level) -detaillevel full > file.spx Disk & Par77ons /dev/ Device Directory diskutil list List Connected Disks diskutil info <disk> Disk InformaMon (use Disks /dev/disk#, disk#, or parMMons /dev/disk#s#) pdisk –l /dev/disk3 List parMMons using Apple ParMMon Map Format gpt –r show [-l] List parMMons using GUID ParMMon Table Format (-‐l to show label rather than GUID) mmls <diskimage> Display parMMons using The Sleuth Kit hdiutil imageinfo *.dmg Disk Image InformaMon including ParMMon Data hdiiutil fsid *.dmg Volume Header InformaMon of Disk Image User Domain dscl . -read /Users/ <useraccount> strings *.keychain security list-keychains security dump-keychains <keychain> Extended AOributes xattr –xl <file> xattr -p <attribute name> <file> | >output_file.plist istat /dev/disk# <CNID> Eject Disk Log Analysis bzcat system.log.1.bz2 system.log.0.bz2 >> system_all.log $ cat system.log >> system_all.log syslog –f <file> syslog –d <directory> syslog –T utc –F raw –d /var/log/asl mkdir /Volumes/dademurphy_image/ mkdir /Volumes/dademurphy_mounted/ sudo xmount --in ewf --out dmg ~/FOR518/dademurphy.E01 /Volumes/dademurphy_image/ hdiutil attach –nomount /Volumes/dademurphy_image/dademurphy.dmg mount_hfs –j –o rdonly,noexec,noowners /dev/disk# /Volumes/dademurphy_mounted/ mkdir /Volumes/dademurphy_image/ mkdir /Volumes/dademurphy_mounted/ ewfmount ~/FOR518/dademurphy.E01 /Volumes/dademurphy_image/ ln –s /Volumes/dademurphy_image/ewf1 ~/FOR518/dadeimage.dmg hdiutil attach -nomount ~/FOR518/dadeimage.dmg mount_hfs -j -o rdonly,noexec,noowners /dev/disk# /Volumes/dademurphy_mounted/ diskutil list diskutil eject /dev/disk# mount umount /Volumes/dademurphy_image/ Timestamp Formats HFS+/MacOS UNIX Epoch Mac Epoch/Mac Absolute/Cocoa/WebKit Property List Dates in Xcode Hostname 32-‐bit -‐ Number of seconds from 1/1/1904 00:00:00 UTC 32-‐bit -‐ Number of seconds from 1/1/1970 00:00:00 UTC 32-‐bit -‐ Number of seconds from 1/1/2001 00:00:00 UTC Local Host System Time Directory Command Username Show the strings of a Keychain file List Keychains on a system for a logged in user Dump contents of a Keychain xxd -r -p $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ Method 2 -‐ mountewf Command-‐line version of Directory UMlity, read user informaMon icat /dev/disk# <CNID>-<TSK Attribute Number> praudit –xn /var/audit/* Image Mount & Eject Method 1 -‐ xmount Show Extended A2ributes of a file Extract embedded binary property list from extended a2ribute. Use The Sleuth Kit to view file informaMon including extended a2ributes. View a specific extended a2ribute using The Sleuth Kit Number of 512-‐byte Blocks Used Create a “all-‐in-‐one” system.log file. nibble:/ sledwards$ ls -la total 1014190 wheel drwxr-xr-x@ 41 root drwxr-xr-x@ 41 root wheel d--x--x--x+ 8 root wheel d-wx-wx-wt 2 root wheel -rw-r--r--+ 1 sledwards admin 1 root wheel srwxrwxrwx wheel lrwxr-xr-x@ 1 root wheel -rwxr-xr-x@ 1 root 1462 1462 272 68 312 0 11 8393032 Feb Feb Nov Nov Mar Feb Sep Sep 16 16 5 4 9 15 23 29 21:14 21:14 01:11 21:05 2013 21:29 08:47 22:39 . .. .DocumentRevisions-V100 .Trashes .apdisk .dbfseventsd etc -> private/etc mach_kernel View ASL File View a directory of ASL Files Output ASL files the /var/log/asl directory and output in raw format with UTC Mmestamps. View audit logs in XML format without user/group resoluMon. Time Machine tmutil uniquesize <machinedirectory_path>/* Show the unique sizes of each snapshot tmutil calculatedrift Show the size changes (added/removed/changed) <machinedirectory_path> between each snapshot. tmutil compare <snapshotdirectory1> Compare the file changes (added/removed/ <snapshotdirectory2> changed) between two snapshots.. Encrypted Containers hdiutil attach –readonly –nomount –stdinpass Mount a FileVault volume using a filevault2image.dmg password $ security unlock-keychain Access and mount a FileVault volume FileVaultMaster.keychain using a master password $ diskutil corestorage unlockvolume <UUID> recoverykeychain FileVaultMaster.keychain diskutil corestorage unlockvolume <UUID> Mount a FileVault volume using the passphrase <recovery key> Recovery Key hdiutil attach -readonly -nomount -stdinpass Mount an Encrypted DMG File sekretstuff_USB.dmg Spotlight mdls <file> List the Spotlight metadata for a file mdfind Find files based on a specific metadata query mdimport -X Print a list of a2ributes that can be queried. Disk Arbitra7on sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist ps auxw | grep diskarbitrationd Enable Disable Determine Status GPT Header Offset Size (bytes) Field 0 8 Signature (EFI PART) 8 4 Revision (1.0) 12 4 Size of Header (bytes) 16 4 Header CRC32 20 4 Reserved 24 8 LBA of GPT Header 32 8 LBA of Backup GPT Header 40 8 48 GPT Reference GPT Table Entry Offset Size (bytes) Field 0 16 ParMMon Type GUID 16 16 Unique ParMMon GUID 32 8 StarMng LBA (Li2le Endian) 40 8 Ending LBA (Li2le Endian) First Usable LBA 48 8 A2ributes 8 Last Usable LBA 56 72 ParMMon Name 56 16 Disk GUID 128 Rest Reserved 72 8 80 4 84 4 StarMng LBA of GUID ParMMon Table (Li2le Endian) Number of ParMMon Entries Available (Li2le Endian) Size of ParMMon Entry 88 4 ParMMon Entry Array CRC32 92 Rest Reserved Type EFI System ParMMon HFS+ ParMMon Apple Boot ParMMon Apple Core Storage (FileVault) Basic Data ParMMon (Boot Camp) Common GPT Par77on GUIDs C12A7328-‐F81F-‐11D2-‐BA4B-‐00A0C93EC93B 48465300-‐0000-‐11AA-‐AA11-‐00306543ECAC 426F6F74-‐0000-‐11AA-‐AA11-‐00306543ECAC 53746F72-‐6167-‐11AA-‐AA11-‐00306543ECAC EBD0A0A2-‐B9E5-‐4433-‐87C0-‐68B6B72699C7
© Copyright 2024 Paperzz
