I have already explained basics of HFS+/HFSX journal and how to recover files from journal records.
This time I introduce how to track file activities using meta-level information or journal record. ".journal" works as circular storage, and includes several records of one file by ordinary. I'd like to show that we can track file activities using the results of "HFS Journal Parser".
As previously described, ".journal" file keeps track of transactions of HFS+/HFSX file system. This time, I would like to show how recover deleted files using .journal information.
HFS+/HFSX file system has special files, which are $Bitmap, $Catalog, $Extents Overflow and $Attributes. Each has a respective role.
Journal mechanism of HFS+/HFSX is described by Apple's site. Here, I provide a specific example using sample data to understand journal behavior.
I use a small HFS+ image named "sample_journal". The size of the image is 32MB and .journal is 512KB.
