Data Carving on Mac

AC,

What version of OS for the Mac you're dealing with?

K

It's an HFS-formatted ZIP disk. The main partition shows Apple_HFS(in the Hex Editor).

A

The catalog file is the HFS equivilant to the $MFT in NTFS. It will contain four types of records. The File Record will be of interest to you as it will have offsets for the file extents. I don't have specific file offsets for the data, but you should be able to locate something.

The file structure for the file you are looking for will be the same whether it is on HFS or NTFS. If that type of file has a footer then there you go. The problem will be in finding the complete file if it is fragmented.

Thanks Greg. What I ended up doing was getting the file headers(www.filext.com) and searching for them. That became the beginning of my block. Then I looked for the next leaf-node(file) in the FS. That became the end of my block. I then exported the block out as a file. This seems to work pretty well most of the time. Does that make sense? Do you know if this is the same process in FAt and NTFS? If so, how do you identify the end of a file in FAT and NTFS? Is there a HEX sequence?

Thanks,

A

I understand what you are doing. It should work very well for any file that is not fragmented. Thus your technique will favor smaller files. Some file types have footers and some do not. If the file you are looking for does not have a catalog entry then this is the only way.

Since you are dealing with a zip disk I should think it would be less fragmented, particularly if everything was written to it at one time.

Found this today, seems to be quite good except its running on Apple. Perhaps you wouloe like to try their file salvage.

http//www.subrosasoft.com/OSXSoftware/