Working with a Mac OS X HFS volume

>> I have tried this: sed -i 's/define TSK_USE_HFS 0/define TSK_USE_HFS
>> 1/'tsk3/fs/tsk_fs_i.h
>
> The problem is you didn't put a space between your last apostrophe (')
> and the start of the file name (tsk3/...).  Sed then does not see the
> end of the command and starts interpreting 'tsk' as more commands.
>
>> Is there something I need to do before this command? Is the command
>> correct? Do I need to do something after the command (recompile)?
>
> Yes, once you do that successfully (it just twiddles the 'TSK_USE_HFS
> 0' to 'TSK_USE_HFS 1') you will most certainly need to re-compile.
> Preferably do this between './configure' and 'make'.
>
>> I know that these tools require a good understanding of UNIX commands
>> but I just want to use Autopsy to generate a timeline for deleted
>> files. Does anyone know af a step by step set of instructions for  
>> this
>> process?
>
> Unless you use the bleeding-edge SVN version
> (http://svn.sleuthkit.org/repos/autopsy) of autopsy, you won't get HFS
> support.  Brian added it on 10/1, and the latest beta of autopsy
> (2.20b3) was released on 9/26.
>
> Under the covers, autopsy just runs 'fls -m' (or 'ils -m') against the
> image, then parses the output.  The documentation covers this, but
> since you seem to refuse to read it:
>
> # fls -m / -f hfs -i raw -a -r the_name_of_your_partition_image_here |
> mactime -ymh > timeline.txt
>
> Of course, that's somewhat incomplete too, because you likely haven't
> split off the individual partitions, so you'll need to add a '-o
> something' option to the fls command to tell it where the partition
> you're processing lives.
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's  
> challenge
> Build the coolest Linux based applications with Moblin SDK & win  
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in  
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

> On Sat, Oct 4, 2008 at 15:53, Mr. David J. Hughes <dasgeek@...>  
> wrote:
>> Thank you for your response. I have read the documentation, but I  
>> am way
>> outside of my area of knowledge.
>
> As gently as kindly as possible, then: if this is for [even potential]
> legal action, you need help and not from just random volunteers on a
> mailing list.  Computer forensics is a deep-knowledge field that
> cannot be just picked up in a week.  Forensics using Sleuthkit is even
> more so because it requires a more-than-passing familiarity with the
> UNIX CLI environment.  I am not a lawyer, and this neither constitutes
> legal advice nor my estimation of Sleuthkit as a forensic tool, but
> many of us retain attorneys (or work directly for them) for very good
> reasons.
>
> That said, on with the work at hand:
>
>> Second, I have made progress with using the latest beta. I am able to
>> recognize the image I have made with the dd command. My problem is  
>> that I
>> have not been able to get the fls command to work.
>>
> <snip>
>> DJH-Nomadidata-2:sleuthkit-3.0.0b4 dasgeek$ fls -f hfs -m / -r
>> /Volumes/alphafiles/AndrewHD.dd > data/body
>> -bash: data/body: No such file or directory
>
> This is most likely because the directory 'data' did not exist.
>
>> DJH-Nomadidata-2:sleuthkit-3.0.0b4 dasgeek$ fsstat
>> /Volumes/alphafiles/AndrewHD.dd
>> FILE SYSTEM INFORMATION
>
> This, too, is unfortunate - you don't seem to have gotten the
> _complete_ image, including the GPT.  Good for now so we don't have to
> walk through calculating offsets ("splitting partitions"), but poor
> for evidentiary purposes.
>
>> On Brian's suggestion, I also ran the fls -v -f hfs -m / -r
>> /Volumes/alphafiles/AndrewHD.dd
>>
>> It ran output to the screen but did not stop until the Terminal  
>> crashed.
>
> This is because the command you ran produces a line of output fully
> describing the location and status for every single file and directory
> on the filesystem - rather voluminous at best, and monstrous on some
> systems.  The reason Terminal crashed was likely because you have it
> set to buffer 'infinite' lines (Terminal -> Window Settings ->
> Buffer), and the amount of data it buffered exceeded the amount of
> memory it could address, resulting in a crash.
>
> You need to redirect the output of the command to a file; the above
> command where you got the result "data/body: No such file or
> directory" had the idea right.  Do 'fls -v -f hfs -m / -r
> /Volumes/alphafiles/AndrewHD.dd > my_index.txt' in a directory where
> you have at least several hundred megabytes' worth of free space.  The
> '>' character redirects output in the shell, whereas the '|' in my
> earlier command "pipes" data between commands, eliminating the interim
> file.  Both are reasonable approaches, but Brian's suggestion of
> putting it into a file is wiser, as it speeds later analysis by only
> generating the index once.
>
>> one partition. I am also going to try the latest Autopsy. Brian had  
>> not
>> mentioned that the HFS code was there.
>
> The latest autopsy won't cut it - if you're downloading any version
> generated before 2008/10/01, it won't have what you're looking for.
> As of 00:10 UTC, I don't see the version that checks for HFS support
> available for download, even as beta.
>
> You're on the right path and I [we?] am more than willing to help you
> as I can, but please step back and consider where you're taking this -
> if for personal learning or simply trying to recover lost work, then
> forge on but please learn some basic shell usage first.  However, the
> indications I'm getting from you (termination, deleted contacts, in a
> hurry) seem to indicate a potential intent for legal action, in which
> case my first paragraph stands - find a local professional and get
> this job done, then come back and learn.
>
>
> RB
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's  
> challenge
> Build the coolest Linux based applications with Moblin SDK & win  
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in  
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

>> Is there a better way to capture the entire image. I used the  
>> Terminal dd
>> command to copy the drive image. Does that not copy the whole drive  
>> bit for
>> bit?
>
> It does, but the precise command you called is what is in question -
> if you did something to the effect of:
>
> dd if=/dev/disk0 of=/Volumes/store/my_image.dd
>
> You should be okay, but I'm still confused as to why 'fsstat' treats
> your image as a filesystem image and not a raw one.  If you did:
>
> dd if=/dev/disk0s2 of=/Volumes/store/my_image.dd
>
> You're missing both the partition table and the 200MB (on my MacBook)
> EFI partition.  Note that on the second one, I added 's2' to the disk
> designation, specifying the second effective partition (even though
> OSX only sees one) and wholly skipping the GPT and EFI information.
>
>
> RB
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's  
> challenge
> Build the coolest Linux based applications with Moblin SDK & win  
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in  
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>

>
>> On Brian's suggestion, I also ran the fls -v -f hfs -m / -r
>> /Volumes/alphafiles/AndrewHD.dd
>>
>> It ran output to the screen but did not stop until the Terminal  
>> crashed.
>
> This is because the command you ran produces a line of output fully
> describing the location and status for every single file and directory
> on the filesystem - rather voluminous at best, and monstrous on some
> systems.  The reason Terminal crashed was likely because you have it
> set to buffer 'infinite' lines (Terminal -> Window Settings ->
> Buffer), and the amount of data it buffered exceeded the amount of
> memory it could address, resulting in a crash.
>
> You need to redirect the output of the command to a file; the above
> command where you got the result "data/body: No such file or
> directory" had the idea right.  Do 'fls -v -f hfs -m / -r
> /Volumes/alphafiles/AndrewHD.dd > my_index.txt' in a directory where
> you have at least several hundred megabytes' worth of free space.  The
> '>' character redirects output in the shell, whereas the '|' in my
> earlier command "pipes" data between commands, eliminating the interim
> file.  Both are reasonable approaches, but Brian's suggestion of
> putting it into a file is wiser, as it speeds later analysis by only
> generating the index once.