• Do you know what we mean by HFS+ File System?

It is always good to understand an entire system before starting to perform any sort of forensics on it. The story is no different for iOS devices, which have their own unique properties and capabilities. Since plenty of dissimilarities exist between the local storage of an iOS device and its counterparts on a Microsoft Windows system or a UNIX platform, it is crucial for an examiner to be aware of such differences before starting the forensic process.

Being knowledgeable of such points is very important when selecting the proper set of tools to rely on in an iOS device forensics case. In addition, understanding these dissimilarities helps an examiner interpret unexpected results from such tools, or output that fails to appear at all.

The Hierarchical File System (HFS) was first designed by Apple back in the early 90s. It was originally intended to serve as a dynamic file system with a block scheme of 512 bytes. Two sorts of blocks were defined in HFS: logical blocks and allocation blocks.

What is the difference between logical and allocation blocks? Basically, the numbering of logical blocks is static, starting from the first available block and running up to the last one. Allocation blocks, however, can be grouped together, and such groups make the usage of storage blocks more efficient. The HFS+ file system consists of several components that form its structure: a volume header, a startup file, an allocation file, an attributes file, an extents overflow file and a catalog file.

  • What about the HFS+ volume header?

The size of the header is 1024 bytes, or 1 KB in other words. The last 1024 bytes of an HFS+ volume contain a backup of the volume header. Although this backup is not used very often, it is important in several cases, namely when the actual header becomes corrupted or goes missing for some reason.

The information inside the header is simply data about the structure of the HFS+ volume. Sectors 0 and 1 are the boot blocks; the bytes of the volume header come after them. What types of information are stored inside the header? Basically the allocation block size, the timestamp giving the creation date of the volume, and the locations of the other volume structures, such as the Catalog File or the Extents Overflow File.

  • What about HFS+ Allocation File?

The allocation file indicates which allocation blocks are in use and which are free. A bitmap is used to record free and used allocation blocks: a free allocation block is indicated by a zero, that is, a clear bit. Also, the size of the allocation file may change over time, and its location within the volume is not fixed.
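To make the two structures above concrete, here is an added example (not code from the original article or from Apple) that builds a small constructed HFS+ volume image in memory, decodes the volume header and then reads the allocation file's bitmap through the header's fork data. The field layout and sizes follow Apple's published HFSPlusVolumeHeader and HFSPlusForkData structures: the 512-byte header structure begins at byte offset 1024 (right after the two boot sectors described above), a backup copy sits 1024 bytes before the end of the volume, dates are seconds since 1 January 1904, and in the allocation bitmap the most significant bit of byte 0 stands for allocation block 0. The block size, block count, dates and used-block set are constructed sample values, not taken from any real device.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_OFFSET = 1024         # volume header follows the two reserved boot sectors (0 and 1)
MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
HFSPLUS_SIG = 0x482B         # the two ASCII bytes 'H+'

FORK_FMT = ">QII" + "II" * 8            # HFSPlusForkData: 80 bytes, 8 in-line extents
FIXED_FMT = ">HH" + "I" * 17 + "Q8I"    # header fields preceding the five fork-data records
FIELDS = ("signature version attributes lastMountedVersion journalInfoBlock "
          "createDate modifyDate backupDate checkedDate fileCount folderCount "
          "blockSize totalBlocks freeBlocks nextAllocation rsrcClumpSize "
          "dataClumpSize nextCatalogID writeCount encodingsBitmap").split()
FORKS = ("allocationFile", "extentsFile", "catalogFile", "attributesFile", "startupFile")


def mac_time(dt):
    """Seconds since the HFS epoch (1904-01-01), as stored in the header date fields."""
    return int((dt - MAC_EPOCH).total_seconds())


def pack_fork(logical_size, total_blocks, extents):
    """Pack one HFSPlusForkData; unused extent slots are zero."""
    ext = list(extents) + [(0, 0)] * (8 - len(extents))
    return struct.pack(FORK_FMT, logical_size, 0, total_blocks, *[v for e in ext for v in e])


def parse_header(raw):
    """Decode a 512-byte HFSPlusVolumeHeader; raise ValueError if it is not an HFS+ header."""
    if len(raw) < 512:
        raise ValueError("short header")
    hdr = dict(zip(FIELDS, struct.unpack(FIXED_FMT, raw[:112])))
    if hdr["signature"] != HFSPLUS_SIG:
        raise ValueError("not an HFS+ header, signature 0x%04X" % hdr["signature"])
    for i, name in enumerate(FORKS):
        f = struct.unpack(FORK_FMT, raw[112 + 80 * i:112 + 80 * (i + 1)])
        extents = [(f[3 + 2 * k], f[4 + 2 * k]) for k in range(8) if f[4 + 2 * k]]
        hdr[name] = {"logicalSize": f[0], "totalBlocks": f[2], "extents": extents}
    hdr["created"] = MAC_EPOCH + timedelta(seconds=hdr["createDate"])
    return hdr


def load_header(image):
    """Prefer the primary header; fall back to the backup copy in the last 1024 bytes."""
    try:
        return parse_header(image[HEADER_OFFSET:HEADER_OFFSET + 512]), "primary"
    except ValueError:
        off = len(image) - 1024
        return parse_header(image[off:off + 512]), "backup"


def free_blocks_from_bitmap(image, hdr):
    """Locate the allocation file via its first extent and list the blocks whose bit is clear."""
    bs = hdr["blockSize"]
    start, count = hdr["allocationFile"]["extents"][0]
    bitmap = image[start * bs:(start + count) * bs]
    # Block n lives in byte n // 8; the most significant bit of each byte is the lowest block.
    return [n for n in range(hdr["totalBlocks"]) if not (bitmap[n // 8] >> (7 - n % 8)) & 1]


def build_sample_volume():
    """Constructed 16-block volume with 4 KiB blocks; layout and values are made up for the demo."""
    bs, total = 4096, 16
    used = {0, 1, 2, 3, 15}   # boot sectors + header, allocation file, catalog, extents, backup header
    bitmap = bytearray((total + 7) // 8)
    for n in used:
        bitmap[n // 8] |= 0x80 >> (n % 8)
    fixed = struct.pack(FIXED_FMT, HFSPLUS_SIG, 4, 0, 0, 0,
                        mac_time(datetime(2014, 6, 1, tzinfo=timezone.utc)), 0, 0, 0,
                        3, 2, bs, total, total - len(used), 4, 0, 0, 25, 1, 0, *([0] * 8))
    header = (fixed + pack_fork(len(bitmap), 1, [(1, 1)]) + pack_fork(bs, 1, [(3, 1)])
              + pack_fork(bs, 1, [(2, 1)]) + pack_fork(0, 0, []) + pack_fork(0, 0, []))
    assert len(header) == 512
    image = bytearray(bs * total)
    image[HEADER_OFFSET:HEADER_OFFSET + 512] = header
    image[len(image) - 1024:len(image) - 512] = header   # backup copy near the end of the volume
    image[bs:bs + len(bitmap)] = bitmap                   # allocation file at block 1
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_volume()
    hdr, source = load_header(img)
    free = free_blocks_from_bitmap(img, hdr)
    print(source, hdr["blockSize"], hdr["created"].date(), hdr["freeBlocks"], len(free))
```

The comparison at the end is the check an examiner actually wants: the `freeBlocks` count recorded in the header should equal the number of clear bits in the bitmap. A mismatch, or a primary header that fails its signature check so that the backup copy has to be used, is a sign that the volume was not cleanly unmounted or has been tampered with, and the tool output should be interpreted accordingly.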

  • What about the HFS+ Extents Overflow File?

If an allocation block is used by a file on the volume, the HFS+ Extents Overflow File keeps track of that block. The Extents Overflow File is stored in a balanced tree format. But what kind of information is stored in particular? Simply the extents of all files, that is, the allocation blocks assigned to each of them, in order.

  • What about HFS+ Catalog File?

The Catalog File holds the hierarchy of both folders and files. Metadata about all files and folders contained in a volume is available inside the Catalog File, including their modification, access and creation times.

A balanced tree catalog is used in HFS+. Nodes are used to reference folders and files, and the hierarchy of header, index, leaf and map nodes is maintained inside the catalog file. Groups of nodes are created linearly to make lookups faster and more efficient. Every newly created file receives an ID number, and this ID increases by one whenever a new file is added.

  • What about partitions?

In fact, there are two partitions on an iOS device: the firmware partition and the data partition. The first contains the software that runs the iOS device, while the second holds all the files and data used by and belonging to the device's user.

Let's talk more about the firmware partition. It is always mounted read-only and does not allow writing except while an update is being installed. iTunes is responsible for overwriting the partition with a brand new one when performing a system upgrade.

The size of the firmware partition is in most cases between 0.9 and 2.7 GB; the exact size is determined by the size of the NAND drive. While no user data is stored on this crucial partition, some important files are maintained there, such as system files, upgrade files and basic applications.

The data partition is the partition dedicated to the device's user, and all user data is maintained there. Accordingly, when performing an investigation, this partition is the most important one for collecting evidence. Both the user's data and the iTunes application can be found in this partition.
