Deleted File Recovery using HFS Journal

As previously described, ".journal" file keeps track of transactions of HFS+/HFSX file system. This time, I would like to show how recover deleted files using .journal information.

HFS+/HFSX file system has special files, which are $Bitmap, $Catalog, $Extents Overflow and $Attributes. Each has a respective role.

  • $Bitmap - to keep track of whether each allocation block in a volume is currently allocated
  • $Catalog - to maintain information about the hierarchy of files and folders on a volume
  • $Extents Overflow - to maintain more than eight extents in the contents of a file
  • $Attribute - to store extended attribute of a file

Here we focus on $Catalog. It is organized as a B-tree structure to allow quick searches through a flood of folder hierarchy. A B-tree structure is described by Apple's Site, consist of nodes, each of which contains records, which consist of a key and data. There are four kinds of nodes.

  • Header
  • Map
  • Index
  • Leaf

Of these types of node, we have an interest in the leaf node because it holds actual data records.

So let's get back to the previous sample and explore leaf node of $Catalog. We have already known the structure of transaction block. We continue to parse in accordance with the structure, we arrive at a leaf node of $Catalog.

HFS Journal Deleted File Recovery 01

A node begins with a Node Descriptor. Its structure is as follows.

Node Descriptor

Byte Range

Description

Value

0-3

Next Node

0 (0x00000000)

4-7

Previous Node

0 (0x00000000)

8

Node Type

leaf (0xff) (0xff:leaf, 0x00:index, 0x01:header, 0x02:map)

9

Current Height of Tree

1 (0x01)

10-11

Number of Records

28 (0x001C)

12-13

Reserved

0 (0x0000)

(* The value inside of $Catalog is interpreted as big-endian)

This is a leaf node and holds 28 records. Each offset of each record are located at the end of a node. The node size of $Catalog is declared on Header Record in Header Node (spare someone the details). Typically the node size is 4096 or 8192 bytes. Then we can identify each record of the node.

A leaf node of $Catalog contains four different types of data records.

  • Folder record
  • File record
  • Folder thread record
  • File thread record

One of the most remarkable type of node is file record because it contains valuable information about a single file. So we focus on one file record. A record consists of key and data. A key structure is as follows.

HFS Journal Deleted File Recovery 02

$Catalog File Key

Byte Range

Description

Value

0-1

Key Length

58 (0x003A)

2-5

Parent CNID

2 (0x00000002)

6-

File Name

journal_sample_deleted.txt (Unicode)

In addition, a data structure is as follows.

HFS Journal Deleted File Recovery 03

$Catalog File Data

Byte Range

Description

Value

0-1

Record Type

File record (0x0002) (1: Folder, 2: File, 3: Folder thread, 4: File thread)

2-3

Flags

0x0082

4-7

Reserved

0x00000000

8-11

CNID

28 (0x0000001C)

12-15

Created Time

2013/08/13 13:27:46 UTC (0xCE2FE4D2)

16-19

Last Written Time

2013/08/13 13:27:46 UTC (0xCE2FE4D2)

20-23

Entry Modified

2013/08/13 13:27:46 UTC (0xCE2FE4D2)

24-27

Last Access Time

2013/08/13 13:27:46 UTC (0xCE2FE4D2)

28-31

Last Backup Time

N/A (0x00000000)

32-47

Permissions

UID 99 (0x00000063), GID 99(0x00000063), RWX 0644(0x81) ... snip

48-63

User Info

0x0000000000000000... snip

64-79

Finder Info

0x00000000520A34520000... snip

80-83

Encoding

MacRoman (0x00000000)

84-87

Reserved

0x00000000

88-167

Extent Descriptor for Data Fork

Logical Size: 14 (0x0000...000E), Physical Size: 0 (0x00000000), Total Blocks: 1 (0x00000001), StartBlock: 1531 (0x000005FB), BlockCount: 1 (0x01)

168-247

Extent Descriptor for Resource Fork

N/A (0x00000000 ... snip)

According to above record, CNID of journal_sample_deleted.txt is 28, and contents is located at block 1531, 14 bytes. Let's take a look at the corresponding file on EnCase.

HFS Journal Deleted File Recovery 04

However it can see neither a file named journal_sample_deleted.txt nor CNID 28. Then what data is located at Block 1531?

HFS Journal Deleted File Recovery 05

This is a contents of journal_sample_deleted.txt. Journal information enables a relationship between metadata such as file name, size, CNID, time stamp, etc.. And its contents. Unlike the method of file carving, it is possible to trace block fragmentation because file record of the structure holds 8 extents descriptor.

コメント

コメントを追加

プレーンテキスト

  • HTMLタグは利用できません。
  • 行と段落は自動的に折り返されます。
  • ウェブページのアドレスとメールアドレスは自動的にリンクに変換されます。