±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35965
New Yesterday: 0 Visitors: 111

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Exporting Mac data to NFTS drive

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

CdtDelta
Senior Member
 

Exporting Mac data to NFTS drive

Post Posted: Sep 15, 09 18:11

Hey all,
I'm just trying to think this situation through, and wondering if it's going to be really much of an issue....here's the scenario:

I have an image from a MacBook Air, which I'm viewing in EnCase and I need to export out the "user" files (office docs, html, etc) to hand over to an eDiscovery firm. Our usual process is to export the files on to an NTFS formatted drive.

What I'm trying to lay out is in that process, since I'm going from one file system to another, what (if any) sort of data (be it meta or just MAC) will I lose? I'm looking in Carrier's book as well as online, but I wanted to throw the question out to the group in case there's any "red flags" that people have run into.

Thanks,
Tom
_________________
CHFI, CCNA, EnCE
Digital Forensic Analyst 
 
  

ecophobia
Senior Member
 

Re: Exporting Mac data to NFTS drive

Post Posted: Sep 15, 09 18:38

If that s for the eDiscovery firm, they should know how to open a logical evidence file (LEF). I would just create LEF and attach EnCase report re: physical location, size, created, accessed etc.  
 
  

rwuiuc
Member
 

Re: Exporting Mac data to NFTS drive

Post Posted: Sep 15, 09 18:46

transferring the files to an NTFS partition will be fine, but metadata will not remain intact.

I would (as suggested):
1. Create a LEF and hash all the files
2. Export the relevant files to the production drive
3. Export the table view for the relevant files to include all relevant data ( name, MAC times, hash values, full file path, whatever else is needed)

That will cover the original metadata. Give them a focused evidence file they could work from, and copies of the original data.  
 
  

mscotgrove
Senior Member
 

Re: Exporting Mac data to NFTS drive

Post Posted: Sep 15, 09 19:42

Many Mac files have resource forks which may contain useful information. You need to copy these resource forks along with the files. A fairly standard way is to use is Apple Double format.

The following are some notes I wrote elsewhere. This is how a Mac uses FAT32 disks

************************

A Mac stores data in two sections, a data fork and a resource fork. For most files the resource fork is empty, but for certain files, both forks exist. On the Mac, both forks are stored in the same file, and so only one name is used. The method used to store these files on a PC is to use the AppleDouble format which is compatible with OS X. This creates a separate file for each data fork, and each resource fork. The resource fork file also contains metadata giving details of the application that should be used to open the file. If the main file is testfile.doc, the the associated resource fork will be a hidden file ._testfile.doc  
 
  

indur
Senior Member
 

Re: Exporting Mac data to NFTS drive

Post Posted: Sep 15, 09 20:54

The ._ file is not exactly the resource fork, but an AppleDouble-format file that contains the resource fork, Finder metadata, and other named forks and extended attributes.

The document types you indicate (in fact, most modern document types) store all of the real data in the data fork and only store metadata elsewhere.

Spotlight may also contain useful metadata about the files.  
 

Page 1 of 1