Mac Backup Notes

Due to the way the partition table is set up, HFS and HFS+ partitions are not always recognized. However, it is possible to extract them manually. Instructions found here:

https://viaforensics.com/computer-forensics/howto-mount-hfs-image-partition-linux.html

First make a disk image using dc3dd:

dc3dd if=/dev/sdc1 of=[ticket_number].dd

Substitute the correct path and ticket number as appropriate.

Next we need to find the start of the partition using mmls from sleuthkit (it has a standard apt package):

mmls [ticket_number].dd

This will give output that looks something like this:

mmls 28852.dd
MAC Partition Map
Offset Sector: 0
Units are in 512-byte sectors
    Slot    Start        End          Length       Description
00: -       0000000000   0000000000   0000000001   Unallocated
01: 00      0000000001   0000000063   0000000063   Apple_partition_map
02: Meta    0000000001   0000000010   0000000010   Table
03: 01      0000000064   0000000117   0000000054   Apple_Driver43
04: 02      0000000118   0000000191   0000000074   Apple_Driver43
05: 03      0000000192   0000000245   0000000054   Apple_Driver_ATA
06: 04      0000000246   0000000319   0000000074   Apple_Driver_ATA
07: 05      0000000320   0000000519   0000000200   Apple_FWDriver
08: 06      0000000520   0000001031   0000000512   Apple_Driver_IOKit
09: 07      0000001032   0000001543   0000000512   Apple_Patches
10: 08      0000001544   0004233589   0004232046   Apple_HFS
11: 09      0004233590   0004233599   0000000010   Apple_Free

In this example the partition is called Apple_HFS.

The value we are interested in is in the third column, which gives the start of the partition in sectors: 0000001544, i.e. 1544 sectors. The disk has 512-byte sectors (this is standard, and mmls reports it in the "Units are in 512-byte sectors" line), so multiply the number of sectors by 512 to get the start of the partition in bytes, known as the offset. In this case offset = 1544 x 512 = 790528.

Now we can mount the disk image/partition via loopback:

sudo mount -t hfsplus -o ro,loop,offset=790528 28852.dd mnt/

(I created a mnt directory in my home directory for convenience)

and then back up as normal.
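
The offset calculation above can be scripted so it is not done by hand for every image. This is an added example, not part of the original notes or of The Sleuth Kit; the helper names hfs_offset and sample_mmls are hypothetical, and the sample input is abridged from the mmls listing above.

```shell
#!/bin/sh
# Added example; hfs_offset and sample_mmls are hypothetical helper names.

# Read mmls output on stdin and print the byte offset of the first partition
# whose Description equals $1 (default: Apple_HFS). Exit 1 if none is found.
hfs_offset() {
    awk -v want="${1:-Apple_HFS}" '
        # Take the sector size from the header instead of assuming 512.
        /^Units are in [0-9]+-byte sectors/ { ssize = $4 + 0 }
        # Partition rows begin with "NN:"; field 3 is Start, last is Description.
        # "+ 0" converts the zero-padded field as decimal. Shell arithmetic
        # would read 0000001544 as octal (868) and give a wrong offset.
        $1 ~ /^[0-9]+:$/ && $NF == want && ssize > 0 {
            # %.0f keeps offsets above 2 GiB exact on awks with 32-bit %d.
            printf "%.0f\n", ($3 + 0) * ssize
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Sample input: abridged from the mmls listing shown above.
sample_mmls() {
    cat <<'EOF'
MAC Partition Map
Offset Sector: 0
Units are in 512-byte sectors
    Slot    Start        End          Length       Description
00: -       0000000000   0000000000   0000000001   Unallocated
01: 00      0000000001   0000000063   0000000063   Apple_partition_map
10: 08      0000001544   0004233589   0004232046   Apple_HFS
11: 09      0004233590   0004233599   0000000010   Apple_Free
EOF
}

# Print (not run) the read-only loopback mount command for the sample image.
if offset=$(sample_mmls | hfs_offset); then
    echo "sudo mount -t hfsplus -o ro,loop,offset=$offset 28852.dd mnt/"
fi
```

On a real image, pipe mmls into the function instead of the sample: mmls [ticket_number].dd | hfs_offset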