HFS+ Private Direct...
 
Notifications
Clear all

HFS+ Private Directory Data "Dir_****"

Christ143uk
(@christ143uk)
Junior Member

Hi,

I am conducting an investigation on an external HDD which has a HFS partition. Encase 6 does not appear to parse the data and shows everything as unallocated.

Encase 7 shows a number of folders named "Dir_" followed by a string of numbers under "HFS+ Private Directory Structure"

Inside of the Dir_ folders I can find user files.

To me it looks like some sort of third party backup software. Has anyone got any experience with this?

Thanks in advance.

Quote
Topic starter Posted : 10/02/2016 1:13 pm
hommy0
(@hommy0)
Member

If the folder name is ".HFS+ Private Directory Data", and you have sub folders with a "dir_#####" name, it sounds like an external HDD that has been used for Apple's Time Machine.

If this is a disk that has been used for Time Machine there should also be a folder called "Backups.backupdb" which should have a series of time and date stamped folders, which represent the point in time backup.

If this a Time Machine disk, manual examination will be difficult due to it's usage of hard linked files/folders.

ReplyQuote
Posted : 10/02/2016 2:11 pm
Christ143uk
(@christ143uk)
Junior Member

If the folder name is ".HFS+ Private Directory Data", and you have sub folders with a "dir_#####" name, it sounds like an external HDD that has been used for Apple's Time Machine.

If this is a disk that has been used for Time Machine there should also be a folder called "Backups.backupdb" which should have a series of time and date stamped folders, which represent the point in time backup.

If this a Time Machine disk, manual examination will be difficult due to it's usage of hard linked files/folders.

Hi,

Thanks for the response.

That is what I originally thought however I was expecting to find a number of datestamped folders as you mentioned but there are none.

There is a folder named "Backups.backupdb" but this only contains three folders ".spotlight_repair", .spotlight_temp and "macintosh" but no date stamped folders.

However under the "dir_####" I can find lots of user files such as scanned documents and family photos.

ReplyQuote
Topic starter Posted : 10/02/2016 2:37 pm
Scales561
(@scales561)
New Member

@hommy0 I have a Lacie external drive with a Time Machine backup. I see inside the .HFS+ Private Directory Data folder directory sub-folders actual file names showing deleted. For example, LaCieExtHDD.001 - Entire Disk (Apple HFS+, 1.82 TB) Backup\.HFS+ Private Directory Data\dir_17880739\2019-03-14\Employment Contract (deleted fe1154d44f95032fddbc32106780be7f).docx

Have you seen this before and if so, does this indicate this file was deleted on the Date Accessed? my main objective is to determine if the backup drive was accessed within a specific time frame as the custodian has stated it was put into storage and not touched. 

ReplyQuote
Posted : 15/01/2021 3:10 pm
Share: