I have already explained the basics of the HFS+/HFSX journal and how to recover files from journal records.
This time I introduce how to track file activities using the metadata held in journal records. The ".journal" file works as circular storage, so it usually contains several records of the same file written at different times. I'd like to show that we can track file activities by comparing those records in the results of "HFS Journal Parser".
I performed several operations on a sample HFS+ file system labeled HFSJ from the OS X Terminal, then created a raw image and ran "HFS Journal Parser" on it in EnCase.
Let's see what's stored in journal records one at a time.
Create
$ echo aaaaaaaaaa > /Volumes/HFSJ/test0.txt
HFS Journal Parser Results
test0.txt is assigned CNID 34, and all four timestamps have the same value.
Access
$ less /Volumes/HFSJ/test0.txt
HFS Journal Parser Results
Only Last Accessed is updated. The rest of the information is unchanged.
Rename
$ mv /Volumes/HFSJ/test0.txt /Volumes/HFSJ/test1.txt
HFS Journal Parser Results
Only the Name is updated. The rest of the information, including Entry Modified, is unchanged.
Modify
$ perl -e 'print "\x41"x10000;' >> /Volumes/HFSJ/test1.txt
HFS Journal Parser Results
Changing the contents of the file updated "File Size", "Last Written", "Entry Modified", "Total Blocks" and "Extents". "File Size", "Total Blocks" and "Extents" may stay the same for some modifications (for example an in-place overwrite of the same number of bytes), but at least "Last Written" and "Entry Modified" are updated.
Move
$ mkdir /Volumes/HFSJ/dir2
$ mv /Volumes/HFSJ/test1.txt /Volumes/HFSJ/dir2/
HFS Journal Parser Results
Only the Parent CNID is updated. The rest of the information, including Entry Modified, is unchanged.
Delete
$ rm /Volumes/HFSJ/dir2/test1.txt
HFS Journal Parser Results
Even after the file is deleted, the journal records already written for it do not change, so no record shows the deletion itself. What does change is that the blocks assigned to the file are released and the corresponding bits are cleared in the Allocation File. "HFS Journal Parser" therefore checks whether the blocks in each record's extents are still allocated and records the result in "Unallocated Ratio" and "Status". Note that once the released blocks are reused by another file, they are allocated again and the deletion is no longer visible this way.
In conclusion, we can track file activity to some extent by examining journal information. When you use "HFS Journal Parser", first identify the target CNID and filter the records by that value, then compare consecutive records and determine the operation with the following mapping table.
Operation | Changing Point
Create    | (First Record)
Access    | Last Accessed
Rename    | Name
Modify    | Last Written, Entry Modified (File Size, Total Blocks, Extents)
Move      | Parent CNID
Delete    | Unallocated Ratio, Status
The table above does not cover a copy operation because it is a bit more complicated. A copied file is assigned a new CNID, and its Total Blocks and Extents differ from the original's; its Name or Parent CNID may differ as well. When you track a copy operation, it is better to filter on Last Written and File Size instead. This only works when the copy preserved the modification time (as Finder or cp -p does); a plain cp stamps the copy with the time of the copy.
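As an added example (not part of this post or of "HFS Journal Parser"), the following Python applies the mapping table and the copy heuristic above to a constructed set of records that mirrors the experiment, and computes "Unallocated Ratio" from a constructed Allocation File bitmap. Field names follow the parser's columns as described above; the Status wording, the _next helper and all sample values are assumptions.

```python
"""Track one file's activity across the journal copies of its catalog record.

Added example, not part of the original post or of "HFS Journal Parser".
The records and the allocation bitmap below are constructed by hand to
mirror the experiment above; field names follow the parser's columns as
the post describes them, and the Status labels are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Extent = Tuple[int, int]  # (startBlock, blockCount)


@dataclass
class Record:
    cnid: int
    name: str
    parent_cnid: int
    file_size: int
    total_blocks: int
    extents: List[Extent]
    created: int         # HFS+ dates: seconds since 1904-01-01 00:00:00 UTC
    last_written: int
    entry_modified: int
    last_accessed: int


def unallocated_ratio(alloc_bitmap: bytes, extents: List[Extent]) -> float:
    """Fraction of the record's blocks whose bit is clear in the Allocation File.

    HFS+ maps allocation block N to bit (7 - N % 8) of byte N // 8: the most
    significant bit of byte 0 is block 0, and a set bit means "in use".
    """
    total = free = 0
    for start, count in extents:
        for blk in range(start, start + count):
            total += 1
            if not alloc_bitmap[blk // 8] & (0x80 >> (blk % 8)):
                free += 1
    return free / total if total else 0.0


def status(ratio: float) -> str:
    """Status label for a ratio (assumed wording, not the parser's own)."""
    return "Unallocated" if ratio == 1.0 else "Allocated" if ratio == 0.0 else "Partially unallocated"


def classify(prev: Optional[Record], cur: Record) -> str:
    """Name the operation between two successive records of one CNID (the mapping table)."""
    if prev is None:
        return "Create"
    ops = []
    if (cur.last_written, cur.entry_modified) != (prev.last_written, prev.entry_modified):
        ops.append("Modify")        # File Size / Total Blocks / Extents may or may not change
    if cur.name != prev.name:
        ops.append("Rename")
    if cur.parent_cnid != prev.parent_cnid:
        ops.append("Move")
    if cur.last_accessed != prev.last_accessed:
        ops.append("Access")
    return "+".join(ops) if ops else "No change"


def track(records: List[Record], cnid: int, alloc_bitmap: bytes) -> List[str]:
    """Filter on one CNID, classify each transition, then check the last record's blocks.

    Records are assumed to be in the order they were written to the journal.
    Deletion writes no new record for the file, so it is only detected from the
    allocation bits; if those blocks were reused since, the deletion is invisible here.
    """
    ops, prev = [], None
    for r in (r for r in records if r.cnid == cnid):
        ops.append(classify(prev, r))
        prev = r
    if prev is not None and unallocated_ratio(alloc_bitmap, prev.extents) == 1.0:
        ops.append("Delete")
    return ops


def find_copies(records: List[Record]) -> List[Tuple[int, int]]:
    """(original CNID, copy CNID) candidates: same Last Written and File Size, new CNID.

    Reliable only when the copy kept the modification time (Finder, cp -p).
    """
    first_cnid, pairs = {}, []
    for r in records:
        key = (r.last_written, r.file_size)
        orig = first_cnid.setdefault(key, r.cnid)
        if orig != r.cnid and (orig, r.cnid) not in pairs:
            pairs.append((orig, r.cnid))
    return pairs


def _next(prev: Record, **changes) -> Record:
    """Constructed helper: the next journal copy of a record with only the given fields changed."""
    d = dict(vars(prev))
    d.update(changes)
    return Record(**d)


# --- constructed sample data mirroring the experiment (not real parser output) ---
T0 = 3500000000  # about 2014-11-28 in HFS+ time
r1 = Record(34, "test0.txt", 2, 11, 1, [(100, 1)], T0, T0, T0, T0)   # echo > test0.txt
r2 = _next(r1, last_accessed=T0 + 10)                                  # less test0.txt
r3 = _next(r2, name="test1.txt")                                       # mv test0.txt test1.txt
r4 = _next(r3, file_size=10011, total_blocks=3, extents=[(100, 3)],
           last_written=T0 + 30, entry_modified=T0 + 30)               # perl ... >> test1.txt
r5 = _next(r4, parent_cnid=35)                                         # mv test1.txt dir2/
copy = Record(40, "test1 copy.txt", 2, 10011, 3, [(110, 3)], T0 + 50, T0 + 30, T0 + 50, T0 + 50)
RECORDS = [r1, r2, r3, r4, r5, copy]

_bm = bytearray(b"\xff" * 16)            # 128 allocation blocks, all in use ...
for _blk in range(100, 103):             # ... except the three released by rm dir2/test1.txt
    _bm[_blk // 8] &= ~(0x80 >> (_blk % 8)) & 0xFF
ALLOC_BITMAP = bytes(_bm)

if __name__ == "__main__":
    for op in track(RECORDS, 34, ALLOC_BITMAP):
        print(op)
    print("copy candidates:", find_copies(RECORDS))
```

Running it on the constructed records reproduces the sequence Create, Access, Rename, Modify, Move, Delete for CNID 34 and reports CNID 40 as a copy candidate of CNID 34; the Delete step comes only from the allocation bitmap, which is why it disappears once the blocks are reused.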