Trace File Activity using HFS Journal

I have already explained basics of HFS+/HFSX journal and how to recover files from journal records.

This time I introduce how to track file activities using meta-level information or journal record. ".journal" works as circular storage, and includes several records of one file by ordinary. I'd like to show that we can track file activities using the results of "HFS Journal Parser".

I performed several operations with sample HFS+ file system labeled HFSJ on OS X Terminal, then created raw image and run "HFS Journal Parser" on EnCase.

Let's see what's stored in journal records one at a time.

Create

$ echo aaaaaaaaaa > /Volumes/HFSJ/test0.txt

HFS Journal Parser Results

HFS Journal File Create

test0.txt is assigned to CNID 34 and all of four timestamps have the same value.

Access

$ less /Volumes/HFSJ/test0.txt

HFS Journal Parser Results

HFS Journal File Access

Only Last Accessed is updated. The rest of the information is unchanged.

Rename

$ mv /Volumes/HFSJ/test0.txt /Volumes/HFSJ/test1.txt 

HFS Journal Parser Results

HFS Journal File Rename

Only Name itself is updated. The rest of the information includes Entry Modified are unchanged.

Modify

$ perl -e 'print "\x41"x10000;' >> /Volumes/HFSJ/test1.txt 

HFS Journal Parser Results

HFS Journal File Modify

Changing the contents of a file updated "File Size", "Last Written", "Entry Modified", "Total Blocks" and "Extents". It remains possible that "File Size", "Total Blocks" and "Extents" don't change, at least "Last Written" and "Entry Modified" are updated.

Move

$ mkdir /Volumes/HFSJ/dir2
$ mv /Volumes/HFSJ/test1.txt /Volumes/HFSJ/dir2/

HFS Journal Parser Results

HFS Journal File Move

Only Parent CNID is updated. The rest of the information includes Entry Modified are unchanged.

Delete

$ rm /Volumes/HFSJ/dir2/test1.txt

HFS Journal Parser Results

HFS Journal File Delete

Even when a file is deleted, the corresponding journal record doesn't change. However, blocks which assigned by a file are released and corresponding bits are cleared within Allocation File. "HFS Journal Parser" checks the relevant blocks status and records the result to "Unallocated Ratio" and "Status".

In conclusion, we can track file activity on some level by examining journal information. If you make use of "HFS Journal Parser", the first thing you check target CNID and filter information based on its value. And, check the operation with the following mapping table.

Operation

Changing Point

Create

(First Record)

Access

Last Accessed

Rename

Name

Modify

Last Written, Entry Modified (File Size, Total Blocks, Extents)

Move

Parent CNID

Delete

Unallocated Ratio, Status

Here, above table doesn't have a copy operation in mind because it's a bit more complicated. Copy of file assigns new CNID, Total Blocks and Extents. Additionally it also has possibilities of changing Name or Parent CNID. When you track copy operation, it may be better to filter based on Last Written and File Size.

Add new comment

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.