Mac Backup Notes

From FreekiWiki
Revision as of 12:00, 21 February 2014 by AshleySueMas (talk | contribs) (→‎troubleshooting)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Due to the way the partition table is set up HFS and HFS+ partitions are not always recognized. However it is possible to manually extract them. Instructions found here:

https://viaforensics.com/computer-forensics/howto-mount-hfs-image-partition-linux.html

First make a disk image using dd3cd (more reliabe than dd) 

sudo dc3dd if=/dev/sdc1 of=[ticket_nuber].dd

or ddrescue (slower, more reliable still, can cope with disk errors*) 

sudo ddrescue /dev/sdc1 [ticket_nuber].dd [ticket_nuber].log

Substitute the correct path and ticket number as appropriate.

Next we need to find the start of the partition using mmls from sleuthkit (it has an standard apt package) 

mmls [ticketnumber].dd

in this case 

mmls 28852.dd 
MAC Partition Map
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Unallocated
01:  00      0000000001   0000000063   0000000063   Apple_partition_map
02:  Meta    0000000001   0000000010   0000000010   Table
03:  01      0000000064   0000000117   0000000054   Apple_Driver43
04:  02      0000000118   0000000191   0000000074   Apple_Driver43
05:  03      0000000192   0000000245   0000000054   Apple_Driver_ATA
06:  04      0000000246   0000000319   0000000074   Apple_Driver_ATA
07:  05      0000000320   0000000519   0000000200   Apple_FWDriver
08:  06      0000000520   0000001031   0000000512   Apple_Driver_IOKit
09:  07      0000001032   0000001543   0000000512   Apple_Patches
10:  08      0000001544   0004233589   0004232046   Apple_HFS
11:  09      0004233590   0004233599   0000000010   Apple_Free


In this example the partition is called Apple_HFS.


The value we are interested in is the third column that tells us the Start of the partition in sectors. 0000001544 i.e. 1544 sectors. The disk has 512 byte sectors (this is standard) so multipy the number of sectors by 512 to get the start of the partition in bytes, known as the offset. In this case offset=790528

Now we can mount the disk image/partition via loopback: 

sudo mount -t hfsplus -o ro,loop,offset=790528 28852.dd mnt/

(I created a mnt directory in my home directory for convenience)

and then backup as normal.

troubleshooting

on newer macs with a GPT file system first this may fail with error

This will give output that looks something like this: 

Cannot determine partition type (GPT or DOS at 0)

in this case run the command as 

mmls -t gpt [ticketnumber].dd

(see mmls -t list for full list of supported types)

  • it can sometimes take days if a disk is really bad but it will get the data off.
Retrieved from "http://wiki.freegeek.org/index.php?title=Mac_Backup_Notes&oldid=69808"