HFS Journal Parser

The HFS Journal Parser EnScript finds and parses Catalog file records in an HFS+/HFSX .journal file.

HFS Journal Parser Dialog

The EnScript was approved by EnCase App Central as of 2013/06/29, and you can get it from the following URL.

HFS Journal Parser

Requirements

EnCase 7.x (not compatible with 6.x)

Features

  • Search file records in HFS+/HFSX with Journal (only supports Intel Mac)
  • Create a list of the found records
  • Recover deleted files whose blocks are not allocated
  • Recover deleted files partially, replacing the data of allocated blocks with zero (0x00)
  • Process the .journal file from the latest to the oldest record, suppressing unnecessary recovery and duplicate records

Example

An HFS+/HFSX volume with journaling enabled contains a ".journal" file. Typically ".journal" is assigned File ID 16 and is at least 8MB in size.

HFS Journal Parser .journal

".journal" is a special area that stores transactions of the HFS+/HFSX file system. Only metadata is stored; the contents of files are not stored in ".journal". When you run the HFS Journal Parser EnScript, it tries to identify catalog file records, which are the structures describing files/folders, then bookmarks a summary of the results and the records it found.

HFS Journal Parser Bookmark1

HFS Journal Parser Bookmark2

Additionally, some files are exported by specifying "Output Folder Path".

HFS Journal Parser Summary

HFS Journal Parser CSV

If recoverable files are found, HFS Journal Parser extracts the contents of the blocks that each file record refers to and creates a file for each record.

HFS Journal Parser Full Recovery

If some of the blocks of a recoverable file have already been allocated to another file, the EnScript fills those blocks with 0x00 and creates the file. As a result, the partially recovered file may still be viewed/accessed by its native application.

HFS Journal Parser Part Recovery

HFS Journal Parser Part Recovery Detail
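
The block-level recovery with zero-fill described above can be sketched as follows. This is an added example, not the EnScript's own code; the function names, the 4-byte block size and the tiny sample volume are constructed for illustration, and the allocation bitmap layout (one bit per allocation block, most significant bit first) follows TN1150.

```python
# Added illustration of full/partial recovery from a catalog record's extents.
# IMAGE, BITMAP and BLOCK_SIZE are constructed sample data, not a real volume.

BLOCK_SIZE = 4
# Eight allocation blocks; block n is filled with the letter chr(65 + n).
IMAGE = b"".join(bytes([65 + n]) * BLOCK_SIZE for n in range(8))
# 0xC4 = 1100 0100: blocks 0, 1 and 5 are currently allocated.
BITMAP = bytes([0xC4])


def is_allocated(bitmap: bytes, block: int) -> bool:
    """One bit per allocation block; the MSB of each byte is the lowest block."""
    return bool(bitmap[block // 8] & (0x80 >> (block % 8)))


def recover(image: bytes, block_size: int, extents, logical_size: int,
            bitmap: bytes):
    """Rebuild a deleted file from the extents found in its catalog record.

    extents is a list of (start_block, block_count) pairs. A block that the
    bitmap marks as allocated now belongs to another file, so its content is
    replaced with 0x00. Returns (data, zeroed_block_numbers).
    """
    out = bytearray()
    zeroed = []
    for start, count in extents:
        for block in range(start, start + count):
            if is_allocated(bitmap, block):
                out += b"\x00" * block_size
                zeroed.append(block)
            else:
                chunk = image[block * block_size:(block + 1) * block_size]
                # Pad with zeros if the image ends before the block does.
                out += chunk.ljust(block_size, b"\x00")
    # The last block is usually only partly used: cut to the logical size.
    return bytes(out[:logical_size]), zeroed


def recovery_kind(zeroed) -> str:
    """'full' when every block was still free, otherwise 'partial'."""
    return "partial" if zeroed else "full"


if __name__ == "__main__":
    data, zeroed = recover(IMAGE, BLOCK_SIZE, [(2, 2), (5, 2)], 14, BITMAP)
    print(recovery_kind(zeroed), zeroed, data)
```
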

Note

HFS Journal Parser is for OS X HFS+/HFSX. If the volume is handled appropriately, it also works with volume encryption such as FileVault 2/TrueCrypt. However, it doesn't work with iOS HFS+/HFSX because recent iOS employs file encryption. If you need to recover files from an iOS image, try emf_undelete in iphone-dataprotection (http://code.google.com/p/iphone-dataprotection/). iphone-dataprotection is an open source project and an excellent tool.

Reference

Using the HFS+ journal for deleted file recovery
http://www.dfrws.org/2008/proceedings/p76-burghardt.pdf

Technical Note TN1150 - HFS Plus Volume Format
http://developer.apple.com/legacy/library/#technotes/tn/tn1150.html