
Analysis of the Apple Macintosh Hard Disk File Systems (HFS, HFS+)

Apple Partitions
Systems running the Apple Macintosh operating system are not as common as those running Microsoft Windows, but they have been increasing in popularity with the introduction of Mac OS X, a UNIX-based operating system. The partitions described here can be found in the latest Apple laptops and desktops running OS X, in older systems running Macintosh 9, and even in the portable iPod devices that play MP3 audio. The partition map can also be used in the disk image files that a Macintosh system uses to transmit files. A disk image file is similar to a zip file in Windows or a tar file in Unix: the files in the disk image are stored in a file system, and that file system may be inside a partition.
The design of the partition system in an Apple system is a nice balance between the complexity of DOS-based partitions and the limited number of partitions that we will see in the BSD disk labels. The Apple partition map can describe any number of partitions, and its data structures occupy consecutive sectors of the disk. This section gives an overview of Apple partitions and the details of their data structures, and discusses how to view those details.
General Overview
The Apple partitions are described in the partition map structure, which is located at the beginning of the disk. The firmware contains the code that processes this structure, so the map does not contain boot code like the DOS partition table does. Each entry in the partition map describes the starting sector of the partition, its size, its type, and the volume name. The data structure also contains values about the data inside the partition, such as the location of the data area and the location of any boot code.
The first entry in the partition map is typically an entry for the map itself, and it shows the maximum size that the partition map can grow to. Apple creates partitions to store hardware drivers, so the main disk of an Apple system has many partitions that contain drivers and other non-file system content. Figure 5.9 shows an example layout of an Apple disk with three file system partitions and the partition for the partition map.
 
We will later see that BSD systems use a different partition structure called the disk label. Even though Mac OS X is based on a BSD kernel, it uses an Apple partition map and not a disk label.
Data Structures
Now that we have examined the basic concepts of an Apple partition, we can look at the data structures. As with the other data structures in this book, this material can be skipped if you are not interested in it. This section also contains the output of some analysis tools run on an example disk image.
Partition Map Entry
The Apple partition map consists of several 512-byte data structures, one per partition. The map starts in the second sector of the disk (sector 1) and continues until all partitions have been described. The partition data structures are laid out in consecutive sectors, and each map entry carries the total number of partitions. The 512-byte data structure is shown in Table 5.7.
Table 5.7. Data structure for Apple partition entries.

Byte Range   Description                                   Essential
0–1          Signature value (0x504D)                      No
2–3          Reserved                                      No
4–7          Total number of partitions                    Yes
8–11         Starting sector of partition                  Yes
12–15        Size of partition in sectors                  Yes
16–47        Name of partition in ASCII                    No
48–79        Type of partition in ASCII                    No
80–83        Starting sector of data area in partition     No
84–87        Size of data area in sectors                  No
88–91        Status of partition (see Table 5.8)           No
92–95        Starting sector of boot code                  No
96–99        Size of boot code in sectors                  No
100–103      Address of boot loader code                   No
104–107      Reserved                                      No
108–111      Boot code entry point                         No
112–115      Reserved                                      No
116–119      Boot code checksum                            No
120–135      Processor type                                No
136–511      Reserved                                      No
The type of partition is given in ASCII and not as an integer, as other partition schemes use. The status values for each partition apply to both older A/UX systems and modern Macintosh systems; A/UX is an older operating system from Apple. The status value can have one or more of the flag values shown in Table 5.8 [Apple 1999].
Table 5.8. Status values for Apple partitions.

Flag          Description
0x00000001    Entry is valid (A/UX only)
0x00000002    Entry is allocated (A/UX only)
0x00000004    Entry in use (A/UX only)
0x00000008    Entry contains boot information (A/UX only)
0x00000010    Partition is readable (A/UX only)
0x00000020    Partition is writable (Macintosh & A/UX)
0x00000040    Boot code is position independent (A/UX only)
0x00000100    Partition contains chain-compatible driver (Macintosh only)
0x00000200    Partition contains a real driver (Macintosh only)
0x00000400    Partition contains a chain driver (Macintosh only)
0x40000000    Automatically mount at startup (Macintosh only)
0x80000000    The startup partition (Macintosh only)
 
The data area fields are used for file systems whose data area does not start at the beginning of the disk. The boot code fields are used to locate the boot code when the system is starting.
To identify the partitions on an Apple disk, a tool (or person) reads the data structure from the second sector. It is processed to learn the total number of partitions, and the other partition information in it is collected. The first entry is usually the entry for the partition map itself. The next sector is then read, and the process continues until all partitions have been read. Here are the contents of the first entry in the partition map:
# dd if=mac-disk.dd bs=512 skip=1 | xxd
0000000: 504d 0000 0000 000a 0000 0001 0000 003f PM.............?
0000016: 4170 706c 6500 0000 0000 0000 0000 0000 Apple...........
0000032: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000048: 4170 706c 655f 7061 7274 6974 696f 6e5f Apple_partition_
0000064: 6d61 7000 0000 0000 0000 0000 0000 0000 map.............
0000080: 0000 0000 0000 003f 0000 0000 0000 0000 .......?........
0000096: 0000 0000 0000 0000 0000 0000 0000 0000 ................
[REMOVED]
Apple computers use Motorola PowerPC processors and therefore store data in big-endian ordering, so we do not need to reverse the byte order of numbers as we did with DOS partitions. We see the signature value 0x504d in bytes 0 to 1 and the number of partitions in bytes 4 to 7, which is 10 (0x0000000a). Bytes 8 to 11 show that this partition starts at sector 1 (0x00000001), and bytes 12 to 15 show that its size is 63 sectors (0x3f). The name of the partition is "Apple," and the type of partition is "Apple_partition_map." Bytes 88 to 91 show that no flags are set for this partition. The other entries in the partition map, which are not for the partition map itself, do have status values set.
Example Image Tool Output
You can view an Apple partition map with mmls from The Sleuth Kit. The fdisk command in Linux will not show the contents of a partition map. Here are the results of running mmls on the image of a 20GB iBook laptop:
 
# mmls -t mac mac-disk.dd
MAC Partition Map
Units are in 512-byte sectors

    Slot  Start       End         Length      Description
00: ----- 0000000000  0000000000  0000000001  Unallocated
01: 00    0000000001  0000000063  0000000063  Apple_partition_map
02: ----- 0000000001  0000000010  0000000010  Table
03: ----- 0000000011  0000000063  0000000053  Unallocated
04: 01    0000000064  0000000117  0000000054  Apple_Driver43
05: 02    0000000118  0000000191  0000000074  Apple_Driver43
06: 03    0000000192  0000000245  0000000054  Apple_Driver_ATA
07: 04    0000000246  0000000319  0000000074  Apple_Driver_ATA
08: 05    0000000320  0000000519  0000000200  Apple_FWDriver
09: 06    0000000520  0000001031  0000000512  Apple_Driver_IOKit
10: 07    0000001032  0000001543  0000000512  Apple_Patches
11: 08    0000001544  0039070059  0039068516  Apple_HFS
12: 09    0039070060  0039070079  0000000020  Apple_Free
 
 
In this output, the entries are sorted by starting sector, and the second column shows which entry in the partition map described the partition. In this case, the entries were already in sorted order. We can see in entry 12 that Apple reports the sectors that are not currently allocated. Entries 0, 2, and 3 were added by mmls to show the space the partition map is using and which sectors are free. The drivers listed here are used by the system when it boots.
An alternative tool that can be used on a raw disk image is pdisk with the -dump flag on OS X:
# pdisk mac-disk.dd -dump
mac-disk.dd map block size=512
   #:                type name                  length   base    ( size )
   1: Apple_partition_map Apple                     63 @ 1
   2:      Apple_Driver43*Macintosh                 54 @ 64
   3:      Apple_Driver43*Macintosh                 74 @ 118
   4:    Apple_Driver_ATA*Macintosh                 54 @ 192
   5:    Apple_Driver_ATA*Macintosh                 74 @ 246
   6:      Apple_FWDriver Macintosh                200 @ 320
   7:  Apple_Driver_IOKit Macintosh                512 @ 520
   8:       Apple_Patches Patch Partition          512 @ 1032
   9:           Apple_HFS untitled            39068516 @ 1544 ( 18.6G)
  10:          Apple_Free                            0+@ 39070060

Device block size=512, Number of Blocks=10053
DeviceType=0x0, DeviceId=0x0
Drivers-
1: @ 64 for 23, type=0x1
2: @ 118 for 36, type=0xffff
3: @ 192 for 21, type=0x701
4: @ 246 for 34, type=0xf8ff
 
 
As mentioned in the Introduction, Apple disk image files (which are different from forensic disk image files) can also contain a partition map. A disk image file is an archive file that can hold several individual files; it is similar to a zip file in Windows or a tar file in Unix. The disk image file can contain a single partition with a file system, or it can contain only a file system and no partitions. A test disk image file (files with an extension of .dmg) has the following layout:
# mmls -t mac test.dmg
MAC Partition Map
Units are in 512-byte sectors

    Slot  Start       End         Length      Description
00: ----- 0000000000  0000000000  0000000001  Unallocated
01: 00    0000000001  0000000063  0000000063  Apple_partition_map
02: ----- 0000000001  0000000003  0000000003  Table
03: ----- 0000000004  0000000063  0000000060  Unallocated
04: 01    0000000064  0000020467  0000020404  Apple_HFS
05: 02    0000020468  0000020479  0000000012  Apple_Free
 
 
Analysis Considerations
The only unique characteristic of Apple partitions is that there are several unused fields in the data structure that could be used to hide small amounts of data. Data could also be hidden in the sectors between the last partition data structure and the end of the space allocated to the partition map. As with any partitioning scheme, anything could be in a partition that has an official-looking name or that claims to have a given type.
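As an added example (not code from the book excerpt, Apple, or The Sleuth Kit), the parser below walks a partition map the way the "Partition Map Entry" section describes: it unpacks each 512-byte entry big-endian per Table 5.7, decodes the Table 5.8 status flags, and then applies the two checks this section suggests, looking for non-zero bytes in the reserved fields and for non-zero data in the map's own space past its last entry. The image, its entries and the planted marker are constructed inside the block, and it assumes the first entry describes the map itself, as the text says is typical.

```python
import struct

# Table 5.8 status bits (A/UX-only and Macintosh-only flags listed together).
STATUS_FLAGS = {0x1: "valid", 0x2: "allocated", 0x4: "in use", 0x8: "boot info",
                0x10: "readable", 0x20: "writable", 0x40: "PIC boot code",
                0x100: "chain-compatible driver", 0x200: "real driver",
                0x400: "chain driver", 0x40000000: "auto-mount", 0x80000000: "startup"}
# Bytes 0-135 of Table 5.7, big-endian: signature, reserved, count, start, size,
# name[32], type[32], ten 4-byte fields (data area, status, boot code...), cpu[16].
ENTRY_FMT = ">HHIII32s32s" + "I" * 10 + "16s"
RESERVED = ((2, 4), (104, 108), (112, 116), (136, 512))  # reserved byte ranges

def parse_entry(sector):
    """Decode one 512-byte map entry; None if the 'PM' (0x504D) signature is missing."""
    if len(sector) != 512 or sector[:2] != b"PM":
        return None
    f = struct.unpack(ENTRY_FMT, sector[:136])
    return {"count": f[2], "start": f[3], "size": f[4],
            "name": f[5].split(b"\0", 1)[0].decode("ascii", "replace"),
            "type": f[6].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": [n for bit, n in STATUS_FLAGS.items() if f[9] & bit],
            # Non-zero bytes in reserved fields are the small hiding places the
            # Analysis Considerations mention, so surface them for the analyst.
            "reserved_nonzero": any(sector[a:b].strip(b"\0") for a, b in RESERVED)}

def read_map(image):
    """Walk the map from sector 1 (assumes entry 1 describes the map itself).
    Returns (entries, slack_nonzero); slack is the map's own space past its last entry."""
    first = parse_entry(image[512:1024])
    if first is None:
        return [], False
    entries = [parse_entry(image[512 * s:512 * (s + 1)])
               for s in range(1, 1 + first["count"])]
    entries = [e for e in entries if e is not None]
    slack = image[512 * (first["start"] + first["count"]):
                  512 * (first["start"] + first["size"])]
    return entries, bool(slack.strip(b"\0"))

def make_entry(count, start, size, name, typ, status):
    """Build a constructed sample entry for the demo (not from the page's image)."""
    fields = (0x504D, 0, count, start, size, name.encode().ljust(32, b"\0"),
              typ.encode().ljust(32, b"\0"), 0, 0, status) + (0,) * 7 + (b"\0" * 16,)
    return struct.pack(ENTRY_FMT, *fields).ljust(512, b"\0")

# Constructed 64-sector image: block 0, a two-entry map owning sectors 1-63,
# and a marker planted in sector 10 inside the map's otherwise unused space.
SAMPLE_IMAGE = (b"\0" * 512 + make_entry(2, 1, 63, "Apple", "Apple_partition_map", 0)
                + make_entry(2, 64, 100, "untitled", "Apple_HFS", 0x40000033)
                + b"\0" * 512 * 7 + b"CONSTRUCTED MARKER".ljust(512, b"\0") + b"\0" * 512 * 53)
```

Running `read_map(SAMPLE_IMAGE)` returns the two decoded entries and reports the slack as non-zero because of the planted sector; on a real image, compare the map's declared size with the sector count mmls shows for the Table entry to know how much of that space to inspect.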
Summary
The Apple partition map is a fairly simple structure and is easy to understand. The data structures are all located in one place, and the maximum number of partitions depends on how the disk was originally partitioned. The mmls tool lets us easily identify where the partitions are located when we are using a non-Apple system, and the pdisk tool can be used on an OS X system.
