Exporting Mac data to NTFS drive

CdtDelta
(@cdtdelta)
Posts: 134
Estimable Member
Topic starter
 

Hey all,
I'm just trying to think this situation through, and wondering if it's going to be really much of an issue... here's the scenario:

I have an image from a MacBook Air, which I'm viewing in EnCase, and I need to export out the "user" files (office docs, html, etc.) to hand over to an eDiscovery firm. Our usual process is to export the files onto an NTFS formatted drive.

What I'm trying to lay out is in that process, since I'm going from one file system to another, what (if any) sort of data (be it meta or just MAC) will I lose? I'm looking in Carrier's book as well as online, but I wanted to throw the question out to the group in case there's any "red flags" that people have run into.

Thanks,
Tom

 
Posted : 15/09/2009 6:11 pm
ecophobia
(@ecophobia)
Posts: 127
Estimable Member
 

If that's for the eDiscovery firm, they should know how to open a logical evidence file (LEF). I would just create LEF and attach EnCase report re physical location, size, created, accessed etc.

 
Posted : 15/09/2009 6:38 pm
rwuiuc
(@rwuiuc)
Posts: 24
Eminent Member
 

Transferring the files to an NTFS partition will be fine, but metadata will not remain intact.

I would (as suggested)
1. Create a LEF and hash all the files
2. Export the relevant files to the production drive
3. Export the table view for the relevant files to include all relevant data (name, MAC times, hash values, full file path, whatever else is needed)

That will cover the original metadata. Give them a focused evidence file they could work from, and copies of the original data.

 
Posted : 15/09/2009 6:46 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Many Mac files have resource forks which may contain useful information. You need to copy these resource forks along with the files. A fairly standard way is to use the AppleDouble format.

The following are some notes I wrote elsewhere. This is how a Mac uses FAT32 disks.

************************

A Mac stores data in two sections, a data fork and a resource fork. For most files the resource fork is empty, but for certain files, both forks exist. On the Mac, both forks are stored in the same file, and so only one name is used. The method used to store these files on a PC is to use the AppleDouble format which is compatible with OS X. This creates a separate file for each data fork, and each resource fork. The resource fork file also contains metadata giving details of the application that should be used to open the file. If the main file is testfile.doc, then the associated resource fork will be a hidden file ._testfile.doc.

 
Posted : 15/09/2009 7:42 pm
(@indur)
Posts: 67
Trusted Member
 

The ._ file is not exactly the resource fork, but an AppleDouble-format file that contains the resource fork, Finder metadata, and other named forks and extended attributes.

The document types you indicate (in fact, most modern document types) store all of the real data in the data fork and only store metadata elsewhere.

Spotlight may also contain useful metadata about the files.

 
Posted : 15/09/2009 8:54 pm
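
An added example, not part of any post in this thread: a small Python parser for the AppleDouble `._` sidecar files discussed above, listing which entries (Finder info, resource fork, and so on) a sidecar carries so an examiner can tell whether anything beyond the data fork needs to travel with an exported file. The function names and the sample bytes are constructed for illustration; the header layout and entry IDs follow the published AppleSingle/AppleDouble format.

```python
import struct

APPLEDOUBLE_MAGIC = 0x00051607  # AppleSingle uses 0x00051600
HEADER = ">II16xH"              # magic, version, 16 filler bytes, entry count
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name",
               4: "comment", 8: "file dates info", 9: "Finder info"}


def parse_appledouble(blob):
    """Return [(entry_id, name, offset, length), ...] from an AppleDouble file."""
    hdr_len = struct.calcsize(HEADER)  # 26 bytes
    if len(blob) < hdr_len:
        raise ValueError("too short for an AppleDouble header")
    magic, _version, count = struct.unpack(HEADER, blob[:hdr_len])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("not AppleDouble: magic 0x%08x" % magic)
    entries = []
    for i in range(count):
        desc = blob[hdr_len + 12 * i: hdr_len + 12 * (i + 1)]
        if len(desc) < 12:
            raise ValueError("truncated entry descriptor %d" % i)
        entry_id, offset, length = struct.unpack(">III", desc)
        if offset + length > len(blob):
            raise ValueError("entry id %d runs past end of file" % entry_id)
        entries.append((entry_id, ENTRY_NAMES.get(entry_id, "other"), offset, length))
    return entries


def has_resource_fork(blob):
    """True when the sidecar carries a non-empty resource fork (entry ID 2)."""
    return any(eid == 2 and length > 0
               for eid, _name, _off, length in parse_appledouble(blob))


def build_sample():
    """Constructed sidecar: 32-byte Finder info plus a 16-byte resource fork."""
    finder_info = b"TEXT" + b"ttxt" + bytes(24)  # constructed type/creator codes
    rsrc = bytes(16)                             # constructed placeholder bytes
    header = struct.pack(HEADER, APPLEDOUBLE_MAGIC, 0x00020000, 2)
    descs = struct.pack(">III", 9, 50, 32) + struct.pack(">III", 2, 82, 16)
    return header + descs + finder_info + rsrc


if __name__ == "__main__":
    for entry in parse_appledouble(build_sample()):
        print("id=%d %-14s offset=%d length=%d" % entry)
```
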