Difference between pages "Memory analysis" and "HFS+"

From Forensics Wiki
(Difference between pages)
 
(External Links)
 
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Tools:Memory_Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:
+
HFS+, or Hierarchical File System Plus, is the file system designed by Apple Computer[http://www.apple.com] to supersede HFS. First introduced with Mac OS 8.1, one of the biggest differences was the lower allocation block size of 4kb, which increased performance and lowered fragmentation [http://developer.apple.com/technotes/tn/tn1121.html#HFSPlus]. It also implemented Unicode (rather than Mac proprietary formats) for naming files.
  
* [[Windows Memory Analysis]]
+
There are structurally many differences between HFS and HFS+, which are listed below[http://developer.apple.com/technotes/tn/tn1150.html#HFSPlusBasics]:
* [[Linux Memory Analysis]]
+
<br><br>
* [[FreeBSD Memory Analysis]]
+
<CENTER><TABLE Border=1 cellpadding=2 cellspacing=0 width=75%>
 +
            <TR>
 +
              <TD>
 +
                  <P><B>Feature</B></p>
  
== See Also ==
+
              </TD><TD>
 +
                  <P><B>HFS</B></p>
 +
              </TD><TD>
 +
                  <P><B>HFS Plus</B></p>
 +
              </TD><TD>
 +
                  <P><B>Benefit/Comment</B></p>
 +
              </TD></TR>
  
* [[Tools:Memory_Imaging]]
+
            <TR>
 +
              <TD>
 +
                  <P>User visible name</p>
 +
              </TD><TD>
 +
                  <P>Mac OS Standard</p>
 +
              </TD><TD>
 +
                  <P>Mac OS Extended</p>
  
== Weblinks ==
+
              </TD><TD>
 +
                  <P></p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>Number of allocation blocks</p>
 +
              </TD><TD>
 +
                  <P>16 bits worth</p>
  
* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Mariusz Burdach: Finding Digital Evidence In Physical Memory] (PDF)
+
              </TD><TD>
* [https://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Paul Movall, Ward Nelson, Shaun Wetzstein: Linux Physical Memory Analysis] (PDF)
+
                  <P>32 bits worth</p>
 +
              </TD><TD>
 +
                  <P>Radical decrease in disk space used on large
 +
                  volumes, and a larger number of files per volume.</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>Long file names</p>
 +
 
 +
              </TD><TD>
 +
                  <P>31 characters</p>
 +
              </TD><TD>
 +
                  <P>255 characters</p>
 +
              </TD><TD>
 +
                  <P>Obvious user benefit; also improves
 +
                  cross-platform compatibility</p>
 +
              </TD></TR>
 +
 
 +
            <TR>
 +
              <TD>
 +
                  <P>File name encoding</p>
 +
              </TD><TD>
 +
                  <P>MacRoman</p>
 +
              </TD><TD>
 +
                  <P>Unicode</p>
 +
 
 +
              </TD><TD>
 +
                  <P>Allows for international-friendly file names,
 +
                  including mixed script names</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>File/folder attributes</p>
 +
              </TD><TD>
 +
                  <P>Support for fixed size attributes (FileInfo and
 +
                  ExtendedFileInfo)</p>
 +
 
 +
              </TD><TD>
 +
                  <P>Allows for future meta-data extensions</p>
 +
              </TD><TD>
 +
                  <P>Future systems may use metadata for a richer
 +
                  Finder experience</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>OS startup support</p>
 +
 
 +
              </TD><TD>
 +
                  <P>System Folder ID</p>
 +
              </TD><TD>
 +
                  <P>Also supports a dedicated startup file</p>
 +
              </TD><TD>
 +
                  <P>May help non-Mac OS systems to boot from HFS
 +
                  Plus volumes</p>
 +
              </TD></TR>
 +
 
 +
            <TR>
 +
              <TD>
 +
                  <P>catalog node size</p>
 +
              </TD><TD>
 +
                  <P>512 bytes</p>
 +
              </TD><TD>
 +
                  <P>4 KB</p>
 +
 
 +
              </TD><TD>
 +
                  <P>Maintains efficiency in the face of the other
 +
                  changes. (This larger catalog node size is due to
 +
                  the much longer file names [512 bytes as opposed to
 +
                  32 bytes], and larger catalog records (because of
 +
                  more/larger fields)).</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>Maximum file size</p>
 +
              </TD><TD>
 +
                  <P>2<SUP>31</SUP> bytes</p>
 +
 
 +
              </TD><TD>
 +
                  <P>2<SUP>63</SUP> bytes</p>
 +
              </TD><TD>
 +
                  <P>Obvious user benefit, especially for multimedia
 +
                  content creators.</p></td>
 +
                  </tr>
 +
</table></CENTER>
 +
<br>
 +
An HFS+ volume contains five special files:
 +
<ol>
 +
<li>
 +
Catalog file - Describes the folder and file hierarchy of the volume. It is organized as a "balanced tree" for fast and efficient searches
 +
</li>
 +
<li>Extents overflow file - Additional extents (contiguous allocation blocks allocated to forks) are stored in a b-tree in this file
 +
</li>
 +
<li>
 +
Allocation file - Specifies whether an allocation block is free (similar to $Bitmap in NTFS). This is stored in a bitmap, specifying a free allocation block with a "clear bit"
 +
</li>
 +
<li>Attributes file - Contains attribute information regarding files or folders
 +
</li>
 +
<li>
 +
Startup file - Allows computers to boot that do have built in support for HFS+ file systems
 +
</li>
 +
</ol>
 +
<br>
 +
HFS+ also implements journaling, which allows fast recovery in the case of a crash or power outage. According to Apple, "The purpose of the journal is to ensure that when a group of related changes are being made, that either all of those changes are actually made, or none of them are made."[http://developer.apple.com/technotes/tn/tn1150.html#Journal]
 +
 
 +
Apple technical notes are available for the HFS+ file system from their [http://developer.apple.com/cgi-bin/search.pl?q=HFS+&num=10&site=default_collection website].
 +
 
 +
== External Links ==
 +
* [http://web.archive.org/web/20090530120010/http://developer.apple.com/technotes/tn/tn1121.html Internet Archive Copy of: Technical Note TN1121]
 +
 
 +
[[Category:Disk file systems]]
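Review bot: The Startup file item in the added special-files list reads "Allows computers to boot that do have built in support for HFS+ file systems", which contradicts the table row above it stating that the dedicated startup file "May help non-Mac OS systems to boot from HFS Plus volumes"; the item should say "do not have built-in support". The intro paragraph also writes the allocation block size as "4kb" while the table writes "4 KB", so the unit spelling should be made consistent.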

Revision as of 00:20, 21 July 2012

HFS+, or Hierarchical File System Plus, is the file system designed by Apple Computer[1] to supersede HFS. It was first introduced with Mac OS 8.1; one of the biggest differences was the lower allocation block size of 4 KB, which increased performance and lowered fragmentation [2]. It also implemented Unicode (rather than Mac proprietary formats) for naming files.

There are many structural differences between HFS and HFS+, which are listed below[3]:

| Feature | HFS | HFS Plus | Benefit/Comment |
|---|---|---|---|
| User visible name | Mac OS Standard | Mac OS Extended | |
| Number of allocation blocks | 16 bits worth | 32 bits worth | Radical decrease in disk space used on large volumes, and a larger number of files per volume. |
| Long file names | 31 characters | 255 characters | Obvious user benefit; also improves cross-platform compatibility |
| File name encoding | MacRoman | Unicode | Allows for international-friendly file names, including mixed script names |
| File/folder attributes | Support for fixed size attributes (FileInfo and ExtendedFileInfo) | Allows for future meta-data extensions | Future systems may use metadata for a richer Finder experience |
| OS startup support | System Folder ID | Also supports a dedicated startup file | May help non-Mac OS systems to boot from HFS Plus volumes |
| Catalog node size | 512 bytes | 4 KB | Maintains efficiency in the face of the other changes. (This larger catalog node size is due to the much longer file names [512 bytes as opposed to 32 bytes], and larger catalog records (because of more/larger fields)). |
| Maximum file size | 2^31 bytes | 2^63 bytes | Obvious user benefit, especially for multimedia content creators. |


An HFS+ volume contains five special files:

  1. Catalog file - Describes the folder and file hierarchy of the volume. It is organized as a "balanced tree" (B-tree) for fast and efficient searches.
  2. Extents overflow file - Additional extents (contiguous allocation blocks allocated to forks) are stored in a B-tree in this file.
  3. Allocation file - Specifies whether an allocation block is free (similar to $Bitmap in NTFS). It is stored as a bitmap in which a "clear bit" marks a free allocation block.
  4. Attributes file - Contains attribute information regarding files or folders.
  5. Startup file - Allows computers that do not have built-in support for HFS+ file systems to boot.


HFS+ also implements journaling, which allows fast recovery in the case of a crash or power outage. According to Apple, "The purpose of the journal is to ensure that when a group of related changes are being made, that either all of those changes are actually made, or none of them are made."[4]
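The special files listed above are located through the volume header, which sits 1024 bytes into the volume and holds a fork record for each of them. The code below is an added example (not part of the wiki page or of Apple's code): it parses that header using the field layout from TN1150, reads the allocation file and applies the clear-bit-means-free rule. The function names and the 16-block sample image are constructed for illustration.

```python
import struct

SPECIAL_FILES = ("allocation", "extents_overflow", "catalog", "attributes", "startup")
JOURNALED_BIT = 1 << 13  # kHFSVolumeJournaledBit (TN1150)

def parse_volume_header(image: bytes) -> dict:
    """Parse the 512-byte HFS+ volume header located 1024 bytes into the volume."""
    hdr = image[1024:1536]
    if len(hdr) < 512:
        raise ValueError("image too short for an HFS+ volume header")
    sig, version, attrs = struct.unpack_from(">2sHI", hdr, 0)
    if sig not in (b"H+", b"HX"):
        raise ValueError(f"not an HFS+/HFSX volume (signature {sig!r})")
    block_size, total_blocks, free_blocks = struct.unpack_from(">III", hdr, 40)
    forks = {}
    for i, name in enumerate(SPECIAL_FILES):
        # HFSPlusForkData: logicalSize, clumpSize, totalBlocks, 8 x (startBlock, blockCount)
        f = struct.unpack_from(">QII16I", hdr, 112 + 80 * i)
        extents = [(f[3 + 2 * j], f[4 + 2 * j]) for j in range(8) if f[4 + 2 * j]]
        forks[name] = {"size": f[0], "blocks": f[2], "extents": extents}
    return {"signature": sig.decode(), "version": version,
            "journaled": bool(attrs & JOURNALED_BIT), "block_size": block_size,
            "total_blocks": total_blocks, "free_blocks": free_blocks, "forks": forks}

def read_fork(image: bytes, vh: dict, name: str) -> bytes:
    """Read a special file from its in-header extents (further extents: overflow file)."""
    bs, fork = vh["block_size"], vh["forks"][name]
    data = b"".join(image[s * bs:(s + c) * bs] for s, c in fork["extents"])
    return data[:fork["size"]]

def block_is_free(bitmap: bytes, block: int) -> bool:
    """Clear bit = free block; the most significant bit of each byte is the lowest block."""
    return ((bitmap[block // 8] >> (7 - block % 8)) & 1) == 0

def build_sample_image() -> bytes:
    """Constructed sample: 16 blocks of 4 KB, allocation file in block 1, catalog in 3-4."""
    hdr = bytearray(512)
    struct.pack_into(">2sHI", hdr, 0, b"H+", 4, JOURNALED_BIT)
    struct.pack_into(">III", hdr, 40, 4096, 16, 11)
    struct.pack_into(">QIIII", hdr, 112, 4096, 4096, 1, 1, 1)   # allocation file fork
    struct.pack_into(">QIIII", hdr, 272, 8192, 4096, 2, 3, 2)   # catalog file fork
    image = bytearray(4096 * 16)
    image[1024:1536] = hdr
    image[4096:4098] = bytes([0b11011000, 0b00000001])  # blocks 0,1,3,4,15 in use
    return bytes(image)

if __name__ == "__main__":
    vh = parse_volume_header(build_sample_image())
    print(vh["signature"], vh["journaled"], vh["forks"]["catalog"])
```

On a real image, comparing the count of clear bits against the header's free-block field is a quick consistency check before trusting either value.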

Apple technical notes on the HFS+ file system are available from Apple's website.

External Links