Difference between pages "BitPIM" and "HFS+"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
m
 
Line 1: Line 1:
BitPim is a free, [http://www.opensource.org/docs/definition.php open source], cross-platform program for viewing and editing data on a [[CDMA]] [[cell phone]]. [mailto:rogerb@rogerbinns.com Roger Binns] was the founder, project manager, and lead developer of the project, first releasing it on March 1st, 2003. Since then leadership has been handed over to another party and over two million users have downloaded it. The program has been developed in [[python]] and originally only supported the LG VX4400 but it now supports a variety of phone manufactures including [[Audiovox]], [[Kyocera]], [[LG]], [[Motorola]], [[Nokia]], [[Palm]], [[Samsung]], [[Sanyo]], and [[Toshiba]].
+
HFS+, or Hierarchical File System Plus, is the file system designed by Apple Computer[http://www.apple.com] to supersede HFS. First introduced with Mac OS 8.1, one of the biggest differences was the lower allocation block size of 4kb, which increased performance and lowered fragmentation [http://developer.apple.com/technotes/tn/tn1121.html#HFSPlus]. It also implemented Unicode (rather than Mac proprietary formats) for naming files.
  
In order to use the program, a data cable and it's drivers, usually available from the supplier/manufacturer, are required. BitPim will try and automatically detect a phone but its recommended that settings are manually configured.
+
There are structurally many differences between HFS and HFS+, which are listed below[http://developer.apple.com/technotes/tn/tn1150.html#HFSPlusBasics]:
 +
<br><br>
 +
<CENTER><TABLE Border=1 cellpadding=2 cellspacing=0 width=75%>
 +
            <TR>
 +
              <TD>
 +
                  <P><B>Feature</B></p>
  
__TOC__
+
              </TD><TD>
 +
                  <P><B>HFS</B></p>
 +
              </TD><TD>
 +
                  <P><B>HFS Plus</B></p>
 +
              </TD><TD>
 +
                  <P><B>Benefit/Comment</B></p>
 +
              </TD></TR>
  
==Features==
+
            <TR>
[[Image:screen-phonebooktab.png|thumb|150px|Phonebook view in BitPim]]
+
              <TD>
* Phonebook
+
                  <P>User visible name</p>
* Calendar
+
              </TD><TD>
* Media
+
                  <P>Mac OS Standard</p>
** Sounds
+
              </TD><TD>
** Ringers
+
                  <P>Mac OS Extended</p>
** Images
+
* Memos
+
* Todo
+
* [[SMS]] (Inbox, Sent, Saved)
+
* Call History (Incoming, Outgoing, Missed, Data)
+
* Playlists
+
* File System
+
  
Features are dependent on the phone model. For a full list of each phones supported features see [http://www.bitpim.org/help/phones-featuressupported.htm BitPim's supported phones list].
+
              </TD><TD>
 +
                  <P></p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>Number of allocation blocks</p>
 +
              </TD><TD>
 +
                  <P>16 bits worth</p>
  
The data can be manipulated through the software and changes can be uploaded to the phone. Calendar, Phonebook, Memo, Todo, and Playlist data can all be imported from an external file. For backup purposes all of the data can be exported to external files.  
+
              </TD><TD>
 +
                  <P>32 bits worth</p>
 +
              </TD><TD>
 +
                  <P>Radical decrease in disk space used on large
 +
                  volumes, and a larger number of files per volume.</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>Long file names</p>
  
===Forensics===
+
              </TD><TD>
If doing a forensic investigation the application should always be in read only mode, which claims to block all write commands to the phone. The program will not recover deleted data nor does it always recover all undeleted data. The file system view is a very important feature forensically as it allows a raw view of data from the phone, possibly uncovering data that BitPim missed or found unimportant. An advanced feature that could also be vital to a forensic investigation is [[BitFling]]. This feature allows another computer to remotely access a phones data over the internet. A phone could be confiscated in California, connected to BitPim with [[BitFling]] configured, and be forensically analyzed in New York. Lastly exporting the data is very important so that copies of the data can be made, ensuring no data is lost or manipulated.
+
                  <P>31 characters</p>
 +
              </TD><TD>
 +
                  <P>255 characters</p>
 +
              </TD><TD>
 +
                  <P>Obvious user benefit; also improves
 +
                  cross-platform compatibility</p>
 +
              </TD></TR>
  
==Compatability==
+
            <TR>
* [[Windows]] 98/ME/2000/XP
+
              <TD>
* [[Linux]]
+
                  <P>File name encoding</p>
* [[MacOS]] X 10.3+
+
              </TD><TD>
 +
                  <P>MacRoman</p>
 +
              </TD><TD>
 +
                  <P>Unicode</p>
  
==Links==
+
              </TD><TD>
[http://www.bitpim.org/ BitPim]
+
                  <P>Allows for international-friendly file names,
 +
                  including mixed script names</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>File/folder attributes</p>
 +
              </TD><TD>
 +
                  <P>Support for fixed size attributes (FileInfo and
 +
                  ExtendedFileInfo)</p>
 +
 
 +
              </TD><TD>
 +
                  <P>Allows for future meta-data extensions</p>
 +
              </TD><TD>
 +
                  <P>Future systems may use metadata for a richer
 +
                  Finder experience</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>OS startup support</p>
 +
 
 +
              </TD><TD>
 +
                  <P>System Folder ID</p>
 +
              </TD><TD>
 +
                  <P>Also supports a dedicated startup file</p>
 +
              </TD><TD>
 +
                  <P>May help non-Mac OS systems to boot from HFS
 +
                  Plus volumes</p>
 +
              </TD></TR>
 +
 
 +
            <TR>
 +
              <TD>
 +
                  <P>catalog node size</p>
 +
              </TD><TD>
 +
                  <P>512 bytes</p>
 +
              </TD><TD>
 +
                  <P>4 KB</p>
 +
 
 +
              </TD><TD>
 +
                  <P>Maintains efficiency in the face of the other
 +
                  changes. (This larger catalog node size is due to
 +
                  the much longer file names [512 bytes as opposed to
 +
                  32 bytes], and larger catalog records (because of
 +
                  more/larger fields)).</p>
 +
              </TD></TR>
 +
            <TR>
 +
              <TD>
 +
                  <P>Maximum file size</p>
 +
              </TD><TD>
 +
                  <P>2<SUP>31</SUP> bytes</p>
 +
 
 +
              </TD><TD>
 +
                  <P>2<SUP>63</SUP> bytes</p>
 +
              </TD><TD>
 +
                  <P>Obvious user benefit, especially for multimedia
 +
                  content creators.</p></td>
 +
                  </tr>
 +
</table></CENTER>
 +
<br>
 +
An HFS+ volume contains five special files:
 +
<ol>
 +
<li>
 +
Catalog file - Describes the folder and file hierarchy of the volume. It is organized as a "balanced tree" for fast and efficient searches
 +
</li>
 +
<li>Extents overflow file - Additional extents (contiguous allocation blocks allocated to forks) are stored in a b-tree in this file
 +
</li>
 +
<li>
 +
Allocation file - Specifies whether an allocation block is free (similar to $Bitmap in NTFS). This is stored in a bitmap, specifying a free allocation block with a "clear bit"
 +
</li>
 +
<li>Attributes file - Contains attribute information regarding files or folders
 +
</li>
 +
<li>
 +
Startup file - Allows computers to boot that do have built in support for HFS+ file systems
 +
</li>
 +
</ol>
 +
<br>
 +
HFS+ also implements journaling, which allows fast recovery in the case of a crash or power outage. According to Apple, "The purpose of the journal is to ensure that when a group of related changes are being made, that either all of those changes are actually made, or none of them are made."[http://developer.apple.com/technotes/tn/tn1150.html#Journal]
 +
 
 +
Apple technical notes are available for the HFS+ file system

Revision as of 19:13, 28 November 2006

HFS+, or Hierarchical File System Plus, is the file system designed by Apple Computer[1] to supersede HFS. First introduced with Mac OS 8.1, one of the biggest differences was the lower allocation block size of 4kb, which increased performance and lowered fragmentation [2]. It also implemented Unicode (rather than Mac proprietary formats) for naming files.

There are structurally many differences between HFS and HFS+, which are listed below[3]:

Feature

HFS

HFS Plus

Benefit/Comment

User visible name

Mac OS Standard

Mac OS Extended

Number of allocation blocks

16 bits worth

32 bits worth

Radical decrease in disk space used on large volumes, and a larger number of files per volume.

Long file names

31 characters

255 characters

Obvious user benefit; also improves cross-platform compatibility

File name encoding

MacRoman

Unicode

Allows for international-friendly file names, including mixed script names

File/folder attributes

Support for fixed size attributes (FileInfo and ExtendedFileInfo)

Allows for future meta-data extensions

Future systems may use metadata for a richer Finder experience

OS startup support

System Folder ID

Also supports a dedicated startup file

May help non-Mac OS systems to boot from HFS Plus volumes

catalog node size

512 bytes

4 KB

Maintains efficiency in the face of the other changes. (This larger catalog node size is due to the much longer file names [512 bytes as opposed to 32 bytes], and larger catalog records (because of more/larger fields)).

Maximum file size

231 bytes

263 bytes

Obvious user benefit, especially for multimedia content creators.


An HFS+ volume contains five special files:

  1. Catalog file - Describes the folder and file hierarchy of the volume. It is organized as a "balanced tree" for fast and efficient searches
  2. Extents overflow file - Additional extents (contiguous allocation blocks allocated to forks) are stored in a b-tree in this file
  3. Allocation file - Specifies whether an allocation block is free (similar to $Bitmap in NTFS). This is stored in a bitmap, specifying a free allocation block with a "clear bit"
  4. Attributes file - Contains attribute information regarding files or folders
  5. Startup file - Allows computers to boot that do have built in support for HFS+ file systems


HFS+ also implements journaling, which allows fast recovery in the case of a crash or power outage. According to Apple, "The purpose of the journal is to ensure that when a group of related changes are being made, that either all of those changes are actually made, or none of them are made."[4]

Apple technical notes are available for the HFS+ file system

Retrieved from "http://www.forensicswiki.org/w/index.php?title=BitPIM&oldid=5745"
Personal tools
Namespaces

Variants
Actions
Navigation:
About forensicswiki.org:
Toolbox