Difference between revisions of "Mac Backup Notes"
| Line 3: | Line 3: | ||
https://viaforensics.com/computer-forensics/howto-mount-hfs-image-partition-linux.html | https://viaforensics.com/computer-forensics/howto-mount-hfs-image-partition-linux.html | ||
| − | First make a disk image using dd3cd | + | First make a disk image using dd3cd (more reliabe than dd) |
sudo dc3dd if=/dev/sdc1 of=[ticket_nuber].dd | sudo dc3dd if=/dev/sdc1 of=[ticket_nuber].dd | ||
| + | |||
| + | or ddrescue (slower, more reliable still) | ||
| + | |||
| + | sudo ddrescue /dev/sdc1 [ticket_nuber].dd [ticket_nuber].log | ||
| + | |||
Substitute the correct path and ticket number as appropriate. | Substitute the correct path and ticket number as appropriate. | ||
Revision as of 15:01, 16 November 2012
Due to the way the partition table is set up HFS and HFS+ partitions are not always recognized. However it is possible to manually extract them. Instructions found here:
https://viaforensics.com/computer-forensics/howto-mount-hfs-image-partition-linux.html
First make a disk image using dd3cd (more reliabe than dd)
sudo dc3dd if=/dev/sdc1 of=[ticket_nuber].dd
or ddrescue (slower, more reliable still)
sudo ddrescue /dev/sdc1 [ticket_nuber].dd [ticket_nuber].log
Substitute the correct path and ticket number as appropriate.
Next we need to find the start of the partition using mmls from sleuthkit (it has an standard apt package)
mmls [ticketnumber].dd
in this case
mmls 28852.dd
MAC Partition Map
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Unallocated
01: 00 0000000001 0000000063 0000000063 Apple_partition_map
02: Meta 0000000001 0000000010 0000000010 Table
03: 01 0000000064 0000000117 0000000054 Apple_Driver43
04: 02 0000000118 0000000191 0000000074 Apple_Driver43
05: 03 0000000192 0000000245 0000000054 Apple_Driver_ATA
06: 04 0000000246 0000000319 0000000074 Apple_Driver_ATA
07: 05 0000000320 0000000519 0000000200 Apple_FWDriver
08: 06 0000000520 0000001031 0000000512 Apple_Driver_IOKit
09: 07 0000001032 0000001543 0000000512 Apple_Patches
10: 08 0000001544 0004233589 0004232046 Apple_HFS
11: 09 0004233590 0004233599 0000000010 Apple_Free
In this example the partition is called Apple_HFS.
The value we are interested in is the third column that tells us the Start of the partition in sectors. 0000001544 i.e. 1544 sectors. The disk has 512 byte sectors (this is standard) so multipy the number of sectors by 512 to get the start of the partition in bytes, known as the offset. In this case offset=790528
Now we can mount the disk image/partition via loopback:
sudo mount -t hfsplus -o ro,loop,offset=790528 28852.dd mnt/
(I created a mnt directory in my home directory for convenience)
and then backup as normal.
troubleshooting
on newer macs with a GPT file system first this may fail with error
This will give output that looks something like this:
Cannot determine partition type (GPT or DOS at 0)
in this case run the command as
mmls -t gpt [ticketnumber].dd
(see mmls -t list for full list of supported types)