Monday, March 11, 2013

mac forensics

I was just trying to get some scripts out of my old MacBook Air install. Back when it broke I took a snapshot of the disk with dd and still had the image lying around.

What I usually do (and tried) is something like this:
  • Have a look with fdisk -l at the image to see where the partitions are (fdisk -l img)
  • Take the start sector of the partition I want, multiply by the block size and use that as the offset to mount it, e.g.
    mount -t hfsplus -o ro,loop,offset=209736192 mbabackup /mnt
Now that didn't work out, for two reasons. First, it's a GPT table, so fdisk is of no help. parted knows about GPT, but I found no way to get the exact number out of it, so in the end I used mmls (from The Sleuth Kit). Using the offset I found there, I got this error:

mount: wrong fs type, bad option, bad superblock on /dev/loop1,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

This apparently is a bug in the hfs(plus) driver, since the exact same approach works with every other filesystem.
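To make the "start sector times block size" step above reproducible, here is an added example (not part of the original post) that reads the primary GPT from a raw image and prints the byte offset mount -o loop,offset= expects for each partition. It assumes 512-byte sectors and builds a small constructed image with an Apple-style layout (ESP followed by an HFS+ volume) so it runs without a real disk dump; the CRC32 fields are neither computed nor checked.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors, as on a typical MacBook Air disk
HFSPLUS_TYPE = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")  # Apple HFS+ type GUID
EFI_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")      # EFI System Partition
GPT_HEADER = "<8sIIIIQQQQ16sQIII"  # sig, rev, size, crc, rsv, cur, backup, first, last, guid, entries_lba, n, esize, ecrc

def parse_gpt(img, sector=SECTOR):
    """Return the used entries of the primary GPT (LBA 1 / LBA 2..) as dicts incl. the mount byte offset."""
    hdr = struct.unpack(GPT_HEADER, img[sector:sector + 92])
    if hdr[0] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR-only image, or wrong sector size)")
    entries_lba, n_entries, entry_size = hdr[10], hdr[11], hdr[12]
    parts = []
    for i in range(n_entries):
        start = entries_lba * sector + i * entry_size
        e = img[start:start + entry_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:  # all-zero type GUID marks an unused slot
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"index": i + 1, "type": type_guid, "name": name, "first_lba": first_lba,
                      "offset": first_lba * sector,  # this is what mount -o loop,offset= needs
                      "size": (last_lba - first_lba + 1) * sector})
    return parts

def mount_command(part, image, mountpoint="/mnt"):
    """Build the read-only loop mount line for one parsed partition."""
    fstype = "hfsplus" if part["type"] == HFSPLUS_TYPE else "auto"
    return f"mount -t {fstype} -o ro,loop,offset={part['offset']} {image} {mountpoint}"

def build_sample_image(sector=SECTOR):
    """Constructed 34-sector image holding only the primary GPT: protective MBR slot, header, 128 entries."""
    def entry(type_guid, first, last, name):
        return (type_guid.bytes_le + uuid.uuid4().bytes_le + struct.pack("<QQQ", first, last, 0)
                + name.encode("utf-16-le").ljust(72, b"\x00"))
    entries = (entry(EFI_TYPE, 40, 409639, "EFI System Partition")
               + entry(HFSPLUS_TYPE, 409640, 234441647, "Macintosh HD")).ljust(128 * 128, b"\x00")
    header = struct.pack(GPT_HEADER, b"EFI PART", 0x10000, 92, 0, 0, 1, 234441680, 34, 234441647,
                         uuid.uuid4().bytes_le, 2, 128, 128, 0).ljust(sector, b"\x00")
    return bytes(sector) + header + entries  # LBA 0 left empty; parse_gpt does not look at the MBR

if __name__ == "__main__":
    for p in parse_gpt(build_sample_image()):
        print(p["index"], p["name"], "offset", p["offset"], "->", mount_command(p, "mbabackup"))
```

With a real dump, read the first 34 sectors (`open("mbabackup", "rb").read(34 * 512)`) and feed them to parse_gpt; the printed offset for the HFS+ entry is the value to paste into the mount line.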
In comes kpartx:

kpartx -l img
    shows us the table of partitions (-g to force GPT if in doubt)
kpartx -av img
    creates new loop block devices (one mapper device per partition) which you can then just mount:
mount -o ro -v /dev/mapper/loop1p2 /mnt/

That's actually a lot easier than before, great.