Development of a Forensic Analyzing Tool based on Cluster Information of HFS+ filesystem

  • Cho, Gyu-Sang (Dept. of Computer Software, Dongyang University)
  • Received : 2021.08.02
  • Accepted : 2021.08.09
  • Published : 2021.08.31

Abstract

File system forensics typically focuses on the contents or timestamps of files, and it is common to work in a file- or directory-centered way. But to recover a deleted file from a disk, or to use a carving technique to find and reconnect partially missing content, the evidence must be analyzed in a cluster-centered way. Forensic tools such as EnCase, TSK, and X-Ways provide a basic ability to obtain information about disk clusters, but this is not a core function of those tools. Alternatively, Sysinternals' DiskView tool provides a more intuitive visualization, which makes it easier to obtain information about disk clusters. In addition, most current tools are for Windows. There are very few forensic analysis tools for macOS, and cluster analysis tools are rarer still. In this paper, we developed a tool named FACT (Forensic Analyzer based Cluster Information Tool) for analyzing the state of clusters in an HFS+ file system for digital forensics. FACT consists of three features: cluster-based analysis, B-tree-based analysis, and directory-based analysis. Cluster-based analysis is the main feature, and its cluster visualization plays the central role. FACT was programmed in two languages, C/C++ and Python: the core part that parses the HFS+ file system is written in C/C++, and the visualization part is implemented with the Python Tkinter library. The features developed in this study can evolve into key forensic tools for macOS, and the additional GUI capability is especially valuable for cluster-centric forensic analysis.
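As an added example, not code from the FACT tool or from the paper, the following Python script shows the minimal cluster-centered pass the abstract describes: it parses the HFS+ volume header using the layout documented in Apple TN1150 (header at byte offset 1024, signature 'H+' or 'HX', block size and block count at header offsets 40 and 44, allocation-file fork at offset 112, allocation bitmap with one bit per allocation block, most significant bit first), turns the bitmap into a per-block used/free map, run-length encodes it the way a DiskView-style visualization would, and lists unallocated runs as carving targets. The sample volume is constructed in memory for the example (block size, used-block set, and fork placement are all made up), and the report also cross-checks the header's freeBlocks counter against the bitmap, which disagree on a volume that was not unmounted cleanly.

```python
"""Cluster-centred view of an HFS+ volume, built on the header layout in
Apple TN1150: volume header 1024 bytes into the volume, signature 'H+',
allocation file = one bit per allocation block, bit 7 of byte 0 = block 0.
Added example; the sample image is constructed in memory, not a real disk."""
import struct

HFSPLUS_SIG = 0x482B           # 'H+'
HFSX_SIG = 0x4858              # 'HX' (case-sensitive variant, same header layout)
VOL_HEADER_OFFSET = 1024
FORK_FMT = ">QII" + "II" * 8   # HFSPlusForkData: logicalSize, clumpSize, totalBlocks, 8 extents
FORK_SIZE = struct.calcsize(FORK_FMT)   # 80 bytes

def parse_fork(buf, off):
    f = struct.unpack_from(FORK_FMT, buf, off)
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8)]
    return {"logicalSize": f[0], "totalBlocks": f[2],
            "extents": [e for e in extents if e[1]]}   # drop empty extent slots

def parse_volume_header(img):
    hdr = img[VOL_HEADER_OFFSET:VOL_HEADER_OFFSET + 512]
    sig, = struct.unpack_from(">H", hdr, 0)
    if sig not in (HFSPLUS_SIG, HFSX_SIG):
        raise ValueError("no HFS+/HFSX signature at offset 1024: 0x%04x" % sig)
    block_size, total, free, next_alloc = struct.unpack_from(">IIII", hdr, 40)
    return {"blockSize": block_size, "totalBlocks": total, "freeBlocks": free,
            "nextAllocation": next_alloc,
            "allocationFile": parse_fork(hdr, 112),   # fork offsets per TN1150
            "catalogFile": parse_fork(hdr, 272)}

def read_fork(img, fork, block_size):
    """Concatenate the fork's extents (first 8 only; further extents live in
    the extents overflow B-tree, which this example does not parse)."""
    data = bytearray()
    for start, count in fork["extents"]:
        data += img[start * block_size:(start + count) * block_size]
    return bytes(data[:fork["logicalSize"]])

def block_states(img, vh):
    """True = allocated, False = free, indexed by allocation block number."""
    bitmap = read_fork(img, vh["allocationFile"], vh["blockSize"])
    n = vh["totalBlocks"]
    if len(bitmap) * 8 < n:
        raise ValueError("allocation file too short for %d blocks" % n)
    return [bool(bitmap[b >> 3] & (0x80 >> (b & 7))) for b in range(n)]

def runs(states):
    """Run-length encode the block map: (first block, length, allocated)."""
    out, start = [], 0
    for b in range(1, len(states) + 1):
        if b == len(states) or states[b] != states[start]:
            out.append((start, b - start, states[start]))
            start = b
    return out

def cluster_map(states, width=32):
    """DiskView-style text map: '#' allocated, '.' free, one row per `width` blocks."""
    return "\n".join("%6d  %s" % (i, "".join("#" if s else "." for s in states[i:i + width]))
                     for i in range(0, len(states), width))

def cluster_report(img):
    vh = parse_volume_header(img)
    states = block_states(img, vh)
    free_from_bitmap = states.count(False)
    return {"blockSize": vh["blockSize"], "totalBlocks": vh["totalBlocks"],
            "freeBlocks_header": vh["freeBlocks"], "freeBlocks_bitmap": free_from_bitmap,
            # header counter and bitmap disagree on an uncleanly unmounted volume
            "consistent": vh["freeBlocks"] == free_from_bitmap,
            "runs": runs(states),
            # unallocated runs as (byte offset, byte length): carving targets
            "carve_targets": [(s * vh["blockSize"], n * vh["blockSize"])
                              for s, n, used in runs(states) if not used]}

def build_sample_volume(block_size=4096, total_blocks=64):
    """Constructed HFS+-shaped image: header + bitmap + a few allocated runs."""
    img = bytearray(block_size * total_blocks)
    used = set(range(0, 6)) | set(range(20, 24)) | {40}   # metadata + two "files"
    bitmap = bytearray((total_blocks + 7) // 8)
    for b in used:
        bitmap[b >> 3] |= 0x80 >> (b & 7)
    img[block_size:block_size + len(bitmap)] = bitmap      # allocation file in block 1
    hdr = bytearray(512)
    struct.pack_into(">HH", hdr, 0, HFSPLUS_SIG, 4)         # signature, version 4
    struct.pack_into(">IIII", hdr, 40, block_size, total_blocks, total_blocks - len(used), 41)
    hdr[112:112 + FORK_SIZE] = struct.pack(FORK_FMT, block_size, block_size, 1, 1, 1, *[0] * 14)
    hdr[272:272 + FORK_SIZE] = struct.pack(FORK_FMT, 4 * block_size, 4 * block_size, 4, 2, 4, *[0] * 14)
    img[VOL_HEADER_OFFSET:VOL_HEADER_OFFSET + 512] = hdr
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_volume()
    rep = cluster_report(image)
    print("block size %d, %d blocks, header free=%d bitmap free=%d consistent=%s" % (
        rep["blockSize"], rep["totalBlocks"], rep["freeBlocks_header"],
        rep["freeBlocks_bitmap"], rep["consistent"]))
    print(cluster_map(block_states(image, parse_volume_header(image))))
    for start, length, used in rep["runs"]:
        print("blocks %3d-%3d %s" % (start, start + length - 1, "used" if used else "free"))
```

Two caveats for real images: the script reads only the eight extents in the fork record, so an allocation file that has grown into the extents overflow B-tree would be truncated, and it reads only the primary header; if that is damaged, TN1150 places an alternate volume header 1024 bytes before the end of the volume that should be tried next. The freeBlocks cross-check is the kind of consistency test a cluster-centered tool should surface rather than silently trusting the header.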

Acknowledgement

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2019R1F1A1058902).
