Usage Examples of HFSleuth

Used for discussing the various tools in the book as well as encouraging members to share tools

Usage Examples of HFSleuth

Postby morpheus » Fri Jun 07, 2013 4:22 pm

HFSleuth is one of the more powerful tools you can download here. The tool, meant to accompany Chapter 16 (HFS+), has been completely rewritten, to put it on par with HFSDebug, the now defunct tool from Amit Singh's book. The latter tool has been discontinued and integrated into FileXRay. No such thing will happen to HFSleuth, though.

HFSleuth is especially useful for looking at DMGs, or unmounted filesystems. This is even more important on Linux. The usage on Linux and OSX or iOS is exactly the same (since I compiled the same source code for all versions). You can use "debug" to enable verbose mode output.

Some examples:

Usage on a DMG:

Code: Select all
HFSleuth> fs e.dmg
KOLY header found at 218543:
   UDIF version 4, Header Size: 512
   Flags:1
   Rsrc fork: None
   Data fork: from 0, spanning 211440 bytes
   XML plist: from 211440, spanning 7103 bytes (to 218543)
   Segment #: 0, Count: 0
   Segment UUID: 00000000-00000000-00000000-00000000
   Running Data fork offset 0
   Sectors: 18930
Apple_HFS detected
Found Terminator in last block. Good
decompression done
RC was 0
HFSleuth(AppleEFIDDK v1.0:/)> ls
   folderthread   1AppleEFIDDK v1.0
        20 -rw-r--r--. 0 morpheus  admin           6148 Aug  7 18:48:24 2006 .DS_Store
        16 ----------. 0 root      wheel        8388608 Aug  7 18:48:26 2006 .journal
        17 ----------. 0 root      wheel           4096 Aug  7 18:48:25 2006 .journal_info_block
        21 -rw-r--r--. 0 morpheus  admin          29714 Aug  7 16:32:33 2006 Apple EFI DDK ReadMe.pdf
        22 drwxr-xr-x. 0 morpheus  admin              0 Aug  7 16:32:55 2006 Apple EFI extensions
        31 drwx------. 0 morpheus  admin              0 Aug  4 18:06:51 2006 AppleSamplePCIDriver
        36 drwxr-xr-x. 0 morpheus  admin              0 Aug  7 18:40:35 2006 Documentation
..

Now that we have the disk "pseudo-mounted" we can navigate in it, and pull out files:

Code: Select all
HFSleuth(AppleEFIDDK v1.0:/)> cd Documentation
HFSleuth(AppleEFIDDK v1.0:/Documentation)> ls
   folderthread   2Documentation
        37 -rw-r--r--. 0 morpheus  admin           6148 Aug  7 18:40:40 2006 .DS_Store
        38 -rw-r--r--. 0 morpheus  admin          92435 Aug  4 13:16:29 2006 RemovableMediaProtocol.pdf
        39 -rw-r--r--. 0 morpheus  admin          41739 Aug  3 19:32:33 2006 Target Disk Mode.pdf
HFSleuth(AppleEFIDDK v1.0:/Documentation)> pull Target Disk Mode.pdf
41739 bytes written to /tmp/Target Disk Mode.pdf
HFSleuth(AppleEFIDDK v1.0:/Documentation)> !file "/tmp/Target Disk Mode.pdf"
/tmp/Target Disk Mode.pdf: PDF document, version 1.3


Note the use of "!" to run shell commands.

There is full Unicode support, even for 32-bit:

Code: Select all
HFSleuth(Macintosh HD:/private/tmp)> ls

   4901812 -rw-r--r--. 1 root      wheel              0 Feb 24 09:41:04 2013 נסיון
   4902336 -rw-r--r--. 1 root      wheel              0 Feb 24 09:47:11 2013 中文
   4902347 -rw-r--r--. 1 root      wheel              0 Feb 24 09:47:26 2013 àäæãńñ
   8838423 -rw-r--r--. 1 root      wheel              0 Jun  7 08:51:56 2013 ★
   8838425 -rw-r--r--. 1 root      wheel              0 Jun  7 08:51:56 2013 
   8838426 -rw-r--r--. 1 root      wheel              0 Jun  7 08:52:03 2013 (pink hearts)♥✔


When even the real ls/terminal combination can't handle the pink hearts:
Code: Select all
$ ls -lL /tmp
-rw-r--r--  1 root           wheel          0 Jun  7 08:51 ★
-rw-r--r--  1 root           wheel          0 Jun  7 08:52 
-rw-r--r--  1 root           wheel          0 Jun  7 08:52 ?♥✔


(Apparently, neither can MySQL - so I removed the pink hearts and put (pink hearts) up there - 32-bit unicode apparently isn't supported much - but it is, in HFSleuth!)

You can use the interactive help:
Code: Select all
HFSleuth> ?
dump         Dump B-Tree node from current B-Tree
listfs       List all mounted file systems and their types
alloc        Output the allocation bitmap to an HTML file
fs           Set active file system for operations to specific mount point or device
attributes   Display the Attribute B-Tree details
catalog      Display the Catalog B-Tree details
volinfo      Display the volume header of the selected file system
snapshot     Save a snapshot of the current B-Tree (catalog or attribute)
search       Search for leaf by CNID
debug        Toggle Debug traces on/off
verbose      Toggle verbose mode on/off
xml          Toggle XML Output on/off
pull         copy file to /tmp (requires active file system)
dir          list files (requires active file system) - synonymous with ls
cd           Change directory (requires active file system)
ls           list files (requires active file system) - synonmous with dir
help         Display this help
?            Display this help
!            Shell command
quit         Quit this program


with more features (and examples) coming soon.

Incidentally, operating on a DMG with a "license agreement" (e.g. kernel debug kit) will enable you to bypass the license, for what it's worth.

J
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Return to Tools

Who is online

Users browsing this forum: No registered users and 3 guests