Trouble with Mac files (WDBNMSWD, XLC3XCEL, TextMSWD...)

nesrin
(@nesrin)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

Hello everyone.

I am working on digital forensics, mostly Windows-based. A few days ago I started working on Mac, and I have some questions.

1) I have some files without extensions. I looked inside some of the files with a hex editor and saw WDBNMSWD, XLC3XCEL, TextMSWD, etc. I think these are Mac files and that they are old, because my Mac Pro (Intel), with Office 2008 installed, cannot view them.
Can anyone help me view them or convert them to Windows Office files or another meaningful format? I have been searching on the internet and have not found any solution yet.

2) I am testing a forensic product called Macquisition 2.4 (FireWire and USB connection) to take an image of a Mac computer. This bootable program produces .000, .001, .002… files, but I don't know how I can see inside these image files, such as the folder structure. FTK Imager does not work. Is there any mount program for Mac PCs, or a Mac recovery program that uses these image files?

Thanks for all responses.


   
(@jmartinez4)
New Member
Joined: 20 years ago
Posts: 3
 

Have you tried using Mac Forensics Lab?


   
(@bohdi)
Active Member
Joined: 16 years ago
Posts: 11
 

Hi. I have used the MacQuisition CF 2.4 on multiple occasions, and when it comes to the usage of the .dmg and .dmgpart files, I have corresponded with AccessData - who claims that there is support in FTK imager/FTK for those files.

But, I could not get them mounted. Please report your issues to support at AccessData so that the issue might get fixed.

I am using the old Raptor boot disk to convert the images to E0x files, and thus work with them afterwards. That is in FTK. EnCase can mount them as a raw image, you just need to get them sorted in the correct order.

To verify the raw image - if you have found no better way - you can either do that from terminal or by using unixutils in Windows:

#cat path/to/file/image_0001.dmg path/to/file/image_*.dmgpart | md5(sum) > md5sumverification.txt

Good luck! And keep us posted.


   
nesrin
(@nesrin)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

Thanks jmartinez4 and bohdi.
I will try your suggestions immediately and get back to you.


   
nesrin
(@nesrin)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

Hello again, and sorry for the late response.

I took an image of my Mac Pro with Macquisition again. FTK Imager works. I can see the inside of the image files. I think my first try at imaging was not completed correctly. I don't understand why, but something went wrong. Now I've converted the dd image files to .E0x with FTK Imager and I will work with EnCase. There is no problem for now. I hope I get used to working with the Mac world.

I have found something which can be helpful for mounting images of Mac systems on Windows operating systems - ASR Data Smart Mount.

Also, Raptor works well for taking images and converting. Thanks for the alternative solutions.
My next job will be Mac Forensics Lab for analyzing.

But my file problem still exists (files having WDBNMSWD, XLC3XCEL, TextMSWD header values). Have you got any solution?

Thanks.


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Most Mac files, especially from older Mac systems, do not have extensions. Extensions were an afterthought so the files were more compatible with the Windows world. For example, older Photoshop or Illustrator files did not have an extension on the Mac, but did have a couple of supplemental files that were needed to open the file. These files contained profile info about the file. When the file was brought to the Windows side, there were always errors with missing fonts, color profiles being wrong, etc. If you did not specifically export the file for Windows it had the raster, but little else.

What I am getting at is that you may find that you need to use an older Mac with the original programs to view the files in question.


   
(@marat)
Eminent Member
Joined: 19 years ago
Posts: 31
 

It's the resource fork and Finder info.
For example, execute the command "xattr -l *"
for the file "changes" without an extension,
and look:

CHANGES com.apple.FinderInfo
00000000 54 45 58 54 74 74 78 74 05 00 00 3F 00 7F 00 00 |TEXTttxt...?....|

CHANGES com.apple.ResourceFork
00000100 00 00 08 F8 69 63 6E 73 00 00 08 F8 69 63 73 23 |....icns....ics#|
00000110 00 00 00 48 7F FC 70 04 3F F4 3F F4 3F F4 3F F4 |...H..p.?.?.?.?.|
00000120 3F F4 3F F4 3F F4 3F F4 3F F4 3F F4 3F F4 3F F4 |?.?.?.?.?.?.?.?.|
00000130 70 04 7F FC 7F FC 7F FC 3F FC 3F FC 3F FC 3F FC |p.......?.?.?.?.|
00000140 3F FC 3F FC 3F FC 3F FC 3F FC 3F FC 3F FC 3F FC |?.?.?.?.?.?.?.?.|
00000150 7F FC 7F FC 69 63 73 34 00 00 00 88 0F FF FF FF |....ics4........|
.....

The resource fork contains the file *.icns.

The resource fork and the others are like NTFS ADS.


   
(@indur)
Trusted Member
Joined: 17 years ago
Posts: 67
 

The eight-character codes you're seeing are the Macintosh file type and creator codes. "WDBN" is a Word document, "Text" is a text document, and "MSWD" indicates that both were created with Microsoft Word. (I haven't verified, but I'd have to guess that the XLC3/XCEL is an Excel document.)

The text document should be readable. If it's not, then things aren't as simple. Old Macintosh files have file metadata (like the type and creator codes), a resource fork, and a data fork. Only the data fork contains information that a Windows copy of Word would understand. There are some different formats for putting all of this information into a single "file" (like AppleSingle encoding). If you actually have an encoding like that, you'll need to undo it before reading the files.


   
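Added example (not part of any post in this thread): a minimal Python parser for the AppleSingle/AppleDouble container mentioned above, following the RFC 1740 layout, that separates the data fork from the resource fork and reads the type and creator codes from the Finder Info entry. The function names and the sample file are constructed for illustration.

```python
import struct

MAGICS = (0x00051600, 0x00051607)  # AppleSingle, AppleDouble (RFC 1740)
ENTRY_NAMES = {1: "data_fork", 2: "resource_fork", 3: "real_name", 9: "finder_info"}


def parse_applesingle(blob):
    """Return {entry name or numeric id: bytes} for an AppleSingle/AppleDouble blob."""
    if len(blob) < 26:
        raise ValueError("too short for an AppleSingle header")
    # Big-endian: magic, version, 16 filler bytes, number of entries.
    magic, version, count = struct.unpack(">II16xH", blob[:26])
    if magic not in MAGICS:
        raise ValueError("not AppleSingle/AppleDouble (magic 0x%08X)" % magic)
    if 26 + 12 * count > len(blob):
        raise ValueError("entry table runs past end of file")
    entries = {}
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        # Evidence files may be truncated or damaged: never trust offsets blindly.
        if offset + length > len(blob):
            raise ValueError("entry %d runs past end of file" % entry_id)
        entries[ENTRY_NAMES.get(entry_id, entry_id)] = blob[offset:offset + length]
    return entries


def type_creator(finder_info):
    """First 8 bytes of Finder Info: 4-byte file type, then 4-byte creator code."""
    if len(finder_info) < 8:
        raise ValueError("Finder Info shorter than 8 bytes")
    return (finder_info[:4].decode("mac_roman"), finder_info[4:8].decode("mac_roman"))


def build_sample():
    """Constructed sample: a file with type WDBN / creator MSWD wrapped as AppleSingle."""
    parts = [(9, b"WDBNMSWD" + bytes(24)),          # 32-byte Finder Info
             (2, b"constructed resource fork"),
             (1, b"constructed data fork")]
    header = struct.pack(">II16xH", MAGICS[0], 0x00020000, len(parts))
    offset = len(header) + 12 * len(parts)
    table, body = b"", b""
    for entry_id, payload in parts:
        table += struct.pack(">III", entry_id, offset, len(payload))
        body += payload
        offset += len(payload)
    return header + table + body


if __name__ == "__main__":
    forks = parse_applesingle(build_sample())
    print(type_creator(forks["finder_info"]), forks["data_fork"])
```

Run against a working copy of the evidence file, never the original; the `data_fork` bytes are the part a Windows application would read.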
nesrin
(@nesrin)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

I have looked at my old Mac files, but only a few text and Excel files could be read. I tried the Macdisk program to use its SignEdit part. Unfortunately SignEdit sees all files as text-based files or doesn't recognize them.

As a result I cannot decode AppleSingle-encoded Mac files. I have no older Mac machine to try. I think that's all…

Thanks to everyone and your help.


   