Have a Macbook G4 imaged using FTK Imager. Have access to FTK and EnCase to do analysis. When indexed in FTK, data is no good. When reviewed in EnCase 6.14.1, data is viewable for the most part, but too much data is shown as corrupt when 'Copied' out to external folder, like .doc and .wmv files etc.
Need to extract data to prove internet activity, email activity, chat activity and anything else to support allegation of infidelity.
Complete newb to Mac OSes; any help should be addressed in that manner.
Thanks!
FTK (the shipping versions that I am aware of as of June) cannot parse HFS volumes and treat the volume as unallocated space so you won't get anything useable with FTK. Encase does a really good job on HFS so you should use that.
I suspect you may be copying the resource forks for Mac specific data. Make sure you copy out the data forks only. The resource forks are Mac specific so you won't get anything copied that will be useable.
One thing you need to watch out for as well is that sometimes Encase may point to a disk location that is in use by a different file. This is because of a glitch in how it interprets the HFS leaf node information for deleted files. Make sure that the file you are interested in has the expected content.
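The advice above to copy out the data fork and leave the resource fork alone is easier to follow once you see where the two forks live on disk. As an added example (not code posted in this thread), the script below decodes an HFS+ catalog file record as laid out in Apple's TN1150 (HFSPlusCatalogFile followed by two HFSPlusForkData structures) and turns each fork's extents into byte ranges on the volume. The record is constructed inside the script, and the 4096-byte allocation block size, file ID and dates are assumed values chosen for the sample, not read from any real image.

```python
"""Decode an HFS+ catalog file record and show its two forks (data and resource).

Added example, not code from the thread. Structures follow Apple TN1150
(HFSPlusCatalogFile / HFSPlusForkData); the record bytes are constructed here,
not taken from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ dates: seconds since 1904-01-01
FORK_FMT = ">QII" + "II" * 8          # logicalSize, clumpSize, totalBlocks, 8 extents (start, count)
FORK_SIZE = struct.calcsize(FORK_FMT)  # 80 bytes
# recordType, flags, reserved1, fileID, five dates, BSD info (16 bytes),
# userInfo (16), finderInfo (16), textEncoding, reserved2; forks follow.
FILE_FMT = ">hHII5I16s16s16sII"
FILE_HDR_SIZE = struct.calcsize(FILE_FMT)  # 88 bytes; whole record is 248
RECORD_TYPE_FILE = 2
BLOCK_SIZE = 4096   # assumed allocation block size; read it from the volume header on a real image


def hfs_date(secs: int) -> datetime:
    """Convert an HFS+ date field to a UTC datetime."""
    return HFS_EPOCH + timedelta(seconds=secs)


def parse_fork(buf: bytes) -> dict:
    """Unpack one HFSPlusForkData, keeping only the extents that are in use."""
    f = struct.unpack(FORK_FMT, buf[:FORK_SIZE])
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8)]
    return {"logical_size": f[0], "clump_size": f[1], "total_blocks": f[2],
            "extents": [e for e in extents if e[1] != 0]}


def parse_catalog_file(rec: bytes) -> dict:
    """Parse an HFSPlusCatalogFile record into its metadata and both forks."""
    if len(rec) < FILE_HDR_SIZE + 2 * FORK_SIZE:
        raise ValueError("record too short for HFSPlusCatalogFile")
    f = struct.unpack(FILE_FMT, rec[:FILE_HDR_SIZE])
    if f[0] != RECORD_TYPE_FILE:
        raise ValueError(f"not a file record (recordType={f[0]})")
    data_off = FILE_HDR_SIZE
    rsrc_off = FILE_HDR_SIZE + FORK_SIZE
    return {
        "file_id": f[3],
        "create_date": hfs_date(f[4]),
        "content_mod_date": hfs_date(f[5]),
        "data_fork": parse_fork(rec[data_off:rsrc_off]),
        "resource_fork": parse_fork(rec[rsrc_off:rsrc_off + FORK_SIZE]),
    }


def fork_byte_ranges(fork: dict, block_size: int = BLOCK_SIZE) -> list:
    """Map a fork's extents to (volume_offset, length) byte ranges, trimmed to
    the logical size so the slack in the last block is not carved out as content."""
    ranges, remaining = [], fork["logical_size"]
    for start, count in fork["extents"]:
        if remaining <= 0:
            break
        length = min(count * block_size, remaining)
        ranges.append((start * block_size, length))
        remaining -= length
    return ranges


def make_fork(logical_size: int, extents: list, block_size: int = BLOCK_SIZE) -> bytes:
    """Pack an HFSPlusForkData for the constructed sample record."""
    ext = extents + [(0, 0)] * (8 - len(extents))
    total = sum(count for _, count in ext)
    return struct.pack(FORK_FMT, logical_size, block_size, total,
                       *[v for e in ext for v in e])


# Constructed sample: a 120000-byte .doc data fork in 30 blocks starting at
# block 1000, plus a 512-byte resource fork in one block at block 5000.
SAMPLE_DATE = int((datetime(2010, 7, 5, 5, 20, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
SAMPLE_RECORD = (
    struct.pack(FILE_FMT, RECORD_TYPE_FILE, 0, 0, 42,
                SAMPLE_DATE, SAMPLE_DATE, SAMPLE_DATE, SAMPLE_DATE, 0,
                b"\0" * 16, b"\0" * 16, b"\0" * 16, 0, 0)
    + make_fork(120000, [(1000, 30)])
    + make_fork(512, [(5000, 1)])
)

if __name__ == "__main__":
    rec = parse_catalog_file(SAMPLE_RECORD)
    print("file", rec["file_id"], "created", rec["create_date"].isoformat())
    print("data fork bytes:    ", fork_byte_ranges(rec["data_fork"]))
    print("resource fork bytes:", fork_byte_ranges(rec["resource_fork"]))
```

The two byte ranges are disjoint: the data fork is what a Windows application expects when it opens the exported .doc, while the resource fork is a separate, usually small, Mac-only blob. When an export of a large file comes out unreadable, compare its size against the data fork's logical size from the record before concluding the file itself is corrupt.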
Greetings,
A couple of years ago, FTK 1.x's Asia version handled HFS+ correctly. Did they somehow lose that functionality?
You could turn the image into a .dmg, lock it, and mount it on another Mac and use command line tools to analyze and extract.
-David
Yeah, FTK 1.81 was garbage. I thought to try 2.2, but I can't download it until AD Cust Support sends me a new link; something about an upgrade bug when working with 2.1.
I imaged the complete HDD with FTK Imager in E01 format, and EnCase 6.14.1 sees 4 hard drives. The 3rd hard drive is where all of the data is contained. But, like I said previously, the .doc, .wmv and other files don't appear to contain data, even though they are of substantial size.
Not sure what you are saying when you talk about resource forks; I think you are saying that Mac OS files may have several aspects that need to come together to make the file complete?
Trying to find a tool to edit .plist files to extract chat, internet and other data, but cannot seem to locate one.
I don't have access to a Mac, just the HDD. According to AccessData Support, 2.2 will handle Mac OS nicely; however, they have a bug stopping the 2.2 from being downloaded.
Thanks for the reply!
Greetings,
OS X used to split files into three parts including an info fork and a resource fork. OS X doesn't do that now, but it will present directories as single items via the Finder. I don't know how either FTK or EnCase handles these.
There used to be an Asia version of FTK 1.x and a non-Asia version. The Asia version could handle HFS+ volumes while the non-Asia version could not. I do not know the current state of play.
I've got a copy of FTK 2.2.1 installer. PM me with your email address and I'll send it to you.
The Wikipedia entry for plists has links to two Windows plist editors and one of those links also mentions Notepad++ which I believe will work. Any XML editor should open a plist, though the formatting might not be ideal.
Please excuse my lack of specifics here - I only work on Macs with a Mac due to the problem you're encountering - poor Windows support for OS X analysis.
-David
In HFS+ there are two standard forks per file, data and resource. Some file data is stored in the Catalog entry, but that's just metadata. Resource forks are still present in OS X, but are rarely used (until system files on Snow Leopard). Files can also have custom named forks and extended attributes.
The current version of Sleuthkit actually handles HFS+ pretty well. For a lot of analysis, having a Macintosh to mount the disk image on and examine natively is very helpful.
There are two types of plists – binary and XML. The only binary plist reader I am familiar with is Apple's Property List Editor. The XML plists are human-readable.
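Since the thread points out that plists come in both binary and XML forms and that only the XML form is readable in a text editor, here is an added example (not code posted by anyone in the thread) of triaging both forms without a Mac: it classifies a file by its header, parses it with Python's standard plistlib, and pulls out URLs, account names and dates wherever they sit in the nested structure. The two sample plists are constructed inside the script; their key names imitate a Safari history file and a chat account file but are assumptions for illustration, not Apple's real schemas, so check them against the files on the actual volume.

```python
"""Triage Mac OS X property lists (.plist) in both binary and XML form.

Added example; not code from the thread. The sample plists are constructed
inline. Key names imitate Safari's History.plist and an iChat account file
but are assumptions for illustration, not Apple's real schemas.
"""
import plistlib
from datetime import datetime, timedelta, timezone

BINARY_MAGIC = b"bplist00"                                       # header of every binary plist
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # CFAbsoluteTime zero


def plist_format(data: bytes) -> str:
    """Classify raw bytes as 'binary', 'xml' or 'unknown' from the header alone."""
    if data.startswith(BINARY_MAGIC):
        return "binary"
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def load_plist(data: bytes):
    """Parse a binary or XML plist into Python objects; plistlib detects the form."""
    if plist_format(data) == "unknown":
        raise ValueError("not a property list: no bplist00 or XML header")
    return plistlib.loads(data)


def mac_absolute_to_utc(seconds: float) -> datetime:
    """Convert CFAbsoluteTime (seconds since 2001-01-01 UTC) to a UTC datetime."""
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=seconds)


def walk(obj, path=()):
    """Yield (path, leaf) for every scalar value in a nested plist structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, path + (f"[{i}]",))
    else:
        yield path, obj


def extract_artifacts(obj) -> dict:
    """Collect URLs, e-mail-looking strings and <date> values from anywhere in a plist."""
    found = {"urls": [], "emails": [], "dates": []}
    for path, leaf in walk(obj):
        if isinstance(leaf, str):
            if leaf.startswith(("http://", "https://")):
                found["urls"].append(leaf)
            elif "@" in leaf and "." in leaf.rsplit("@", 1)[1]:
                found["emails"].append(leaf)
        elif isinstance(leaf, datetime):   # plistlib returns naive datetimes that are UTC
            found["dates"].append(("/".join(path), leaf.replace(tzinfo=timezone.utc)))
    return found


def history_entries(history: dict) -> list:
    """Turn Safari-style history records into (url, visited_utc) pairs.
    Assumes each 'WebHistoryDates' entry has a 'url' string and a 'lastVisitedDate'
    string holding CFAbsoluteTime (assumed layout, see module docstring)."""
    entries = []
    for rec in history.get("WebHistoryDates", []):
        entries.append((rec["url"], mac_absolute_to_utc(float(rec["lastVisitedDate"]))))
    return entries


# Constructed XML sample, in the shape a text editor would show it.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key>url</key>
      <string>http://example.com/login</string>
      <key>lastVisitedDate</key>
      <string>300000000</string>
      <key>title</key>
      <string>Example login page</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed binary sample: plistlib emits the bplist00 form that is not human-readable.
SAMPLE_BINARY = plistlib.dumps(
    {"Accounts": [{"ServiceName": "AIM", "LoginAs": "someone@example.com",
                   "LastConnected": datetime(2010, 7, 5, 5, 20, 0)}]},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for raw in (SAMPLE_XML, SAMPLE_BINARY):
        print(plist_format(raw), extract_artifacts(load_plist(raw)))
    print(history_entries(load_plist(SAMPLE_XML)))
```

Usage on a real case is the same three calls on the bytes of each .plist exported from the image: classify, load, then either walk it generically or decode a known layout. Two caveats a practitioner should keep in mind: Apple timestamps in plists are often CFAbsoluteTime (seconds since 2001, not 1970), so the conversion above matters for any timeline, and the generic walk only finds values stored as plain strings, so nested binary data inside a plist still needs its own parser.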