Difference between pages "HFS+" and "Hash (tool)"

From Forensics Wiki
(Difference between pages)
(External Links)
 
m (add to cat)
 
Line 1: Line 1:
HFS+, or Hierarchical File System Plus, is the file system designed by Apple Computer[http://www.apple.com] to supersede HFS. First introduced with Mac OS 8.1, one of the biggest differences was the lower allocation block size of 4kb, which increased performance and lowered fragmentation [http://developer.apple.com/technotes/tn/tn1121.html#HFSPlus]. It also implemented Unicode (rather than Mac proprietary formats) for naming files.
+
{{Infobox_Software |
 +
  name = Hash |
 +
  maintainer = [[The Grugq]] |
 +
  os = {{Linux}} |
 +
  genre = {{Analysis}} |
 +
  license =  |
 +
  website = [http://www.tacticalvoip.com/ tacticalvoip.com] |
 +
}}
  
There are structurally many differences between HFS and HFS+, which are listed below[http://developer.apple.com/technotes/tn/tn1150.html#HFSPlusBasics]:
+
===Background===
<br><br>
+
<CENTER><TABLE Border=1 cellpadding=2 cellspacing=0 width=75%>
+
            <TR>
+
              <TD>
+
                  <P><B>Feature</B></p>
+
  
              </TD><TD>
+
Hash ('''Ha'''cker '''She'''ll) is a tool to enable people to evade detection while penetrating a system.
                  <P><B>HFS</B></p>
+
              </TD><TD>
+
                  <P><B>HFS Plus</B></p>
+
              </TD><TD>
+
                  <P><B>Benefit/Comment</B></p>
+
              </TD></TR>
+
  
            <TR>
+
Hash, originally written in 2003, was re-written in June 2007 and released at the Korean security conference, [http://www.powerofcommunity.net Power of Community] that November.
              <TD>
+
                  <P>User visible name</p>
+
              </TD><TD>
+
                  <P>Mac OS Standard</p>
+
              </TD><TD>
+
                  <P>Mac OS Extended</p>
+
  
              </TD><TD>
+
===Features===
                  <P></p>
+
              </TD></TR>
+
            <TR>
+
              <TD>
+
                  <P>Number of allocation blocks</p>
+
              </TD><TD>
+
                  <P>16 bits worth</p>
+
  
              </TD><TD>
+
'''Hacking utilities'''
                  <P>32 bits worth</p>
+
* Inline file transfer
              </TD><TD>
+
* qondom - remote diskless execution
                  <P>Radical decrease in disk space used on large
+
                  volumes, and a larger number of files per volume.</p>
+
              </TD></TR>
+
            <TR>
+
              <TD>
+
                  <P>Long file names</p>
+
  
              </TD><TD>
+
'''Builtins'''
                  <P>31 characters</p>
+
* Triggers
              </TD><TD>
+
* Aliasing
                  <P>255 characters</p>
+
* Basic file system and shell escape commands
              </TD><TD>
+
                  <P>Obvious user benefit; also improves
+
                  cross-platform compatibility</p>
+
              </TD></TR>
+
  
            <TR>
+
===External Links===
              <TD>
+
* [http://powerofcommunity.net/poc2007/grugq.pdf PoC presentation: ''Hacking Sucks!'']
                  <P>File name encoding</p>
+
* [http://www.tacticalvoip.com/tools.html hash-0.2.5.tar.gz]
              </TD><TD>
+
                  <P>MacRoman</p>
+
              </TD><TD>
+
                  <P>Unicode</p>
+
  
              </TD><TD>
+
[[Category:Anti-Forensic Tools]]
                  <P>Allows for international-friendly file names,
+
[[Category:Anti-forensics tools]]
                  including mixed script names</p>
+
              </TD></TR>
+
            <TR>
+
              <TD>
+
                  <P>File/folder attributes</p>
+
              </TD><TD>
+
                  <P>Support for fixed size attributes (FileInfo and
+
                  ExtendedFileInfo)</p>
+
 
+
              </TD><TD>
+
                  <P>Allows for future meta-data extensions</p>
+
              </TD><TD>
+
                  <P>Future systems may use metadata for a richer
+
                  Finder experience</p>
+
              </TD></TR>
+
            <TR>
+
              <TD>
+
                  <P>OS startup support</p>
+
 
+
              </TD><TD>
+
                  <P>System Folder ID</p>
+
              </TD><TD>
+
                  <P>Also supports a dedicated startup file</p>
+
              </TD><TD>
+
                  <P>May help non-Mac OS systems to boot from HFS
+
                  Plus volumes</p>
+
              </TD></TR>
+
 
+
            <TR>
+
              <TD>
+
                  <P>catalog node size</p>
+
              </TD><TD>
+
                  <P>512 bytes</p>
+
              </TD><TD>
+
                  <P>4 KB</p>
+
 
+
              </TD><TD>
+
                  <P>Maintains efficiency in the face of the other
+
                  changes. (This larger catalog node size is due to
+
                  the much longer file names [512 bytes as opposed to
+
                  32 bytes], and larger catalog records (because of
+
                  more/larger fields)).</p>
+
              </TD></TR>
+
            <TR>
+
              <TD>
+
                  <P>Maximum file size</p>
+
              </TD><TD>
+
                  <P>2<SUP>31</SUP> bytes</p>
+
 
+
              </TD><TD>
+
                  <P>2<SUP>63</SUP> bytes</p>
+
              </TD><TD>
+
                  <P>Obvious user benefit, especially for multimedia
+
                  content creators.</p></td>
+
                  </tr>
+
</table></CENTER>
+
<br>
+
An HFS+ volume contains five special files:
+
<ol>
+
<li>
+
Catalog file - Describes the folder and file hierarchy of the volume. It is organized as a "balanced tree" for fast and efficient searches
+
</li>
+
<li>Extents overflow file - Additional extents (contiguous allocation blocks allocated to forks) are stored in a b-tree in this file
+
</li>
+
<li>
+
Allocation file - Specifies whether an allocation block is free (similar to $Bitmap in NTFS). This is stored in a bitmap, specifying a free allocation block with a "clear bit"
+
</li>
+
<li>Attributes file - Contains attribute information regarding files or folders
+
</li>
+
<li>
+
Startup file - Allows computers to boot that do have built in support for HFS+ file systems
+
</li>
+
</ol>
+
<br>
+
HFS+ also implements journaling, which allows fast recovery in the case of a crash or power outage. According to Apple, "The purpose of the journal is to ensure that when a group of related changes are being made, that either all of those changes are actually made, or none of them are made."[http://developer.apple.com/technotes/tn/tn1150.html#Journal]
+
 
+
Apple technical notes are available for the HFS+ file system from their [http://developer.apple.com/cgi-bin/search.pl?q=HFS+&num=10&site=default_collection website].
+
 
+
== External Links ==
+
* [http://web.archive.org/web/20090530120010/http://developer.apple.com/technotes/tn/tn1121.html Internet Archive Copy of: Technical Note TN1121]
+
 
+
[[Category:Disk file systems]]
+
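
Review bot: The Hash (tool) revision carries both [[Category:Anti-Forensic Tools]] and [[Category:Anti-forensics tools]] after the External Links section; the two names differ only in capitalization and hyphenation, so keep the one the wiki uses as its canonical category and drop the other. In the infobox, "license =" is left empty and "genre = {{Analysis}}" sits oddly beside a Background section that describes a detection-evasion tool and an anti-forensics category; fill in or remove the license field and check that the genre agrees with the category.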

Revision as of 17:55, 4 July 2008

Hash
Maintainer: The Grugq
OS: Linux
Genre: Analysis
License:
Website: tacticalvoip.com

Background

Hash (Hacker Shell) is a tool to enable people to evade detection while penetrating a system.

Hash, originally written in 2003, was re-written in June 2007 and released at the Korean security conference, Power of Community, that November.

Features

Hacking utilities

  • Inline file transfer
  • qondom - remote diskless execution

Builtins

  • Triggers
  • Aliasing
  • Basic file system and shell escape commands

External Links