Mac OSX Flashcards
What is Mac OSX based on?
It is based on BSD.
And Linux commands are similar to OSX commands.
Name 2 File Systems for OSX.
- HFS+ (Hierarchical File System) “+” means Journaled
- APFS (Apple File System)
What is Journaling?
Tracking of all file creations, deletions and modifications.
It keeps the FS safe because incomplete activities can be reversed.
What FS is default for iOS devices?
APFS
What is a difference between HFS+ and NTFS?
HFS+ stores its data as Big Endian and NTFS as Little Endian.
What is the HFS+ Catalog?
All files and folders are registered in the Catalog.
(It is similar to the MFT)
What do the commands “ls -l@” and “ls -al” do?
- ls -l@ = list extended attributes
- ls -la = list all files with detailed information, e.g. user rights.
Where are settings saved on OSX?
Settings are saved in files like:
- plists
- sqlite databases
- text files
Name 2 methods of doing acquisition on OSX.
- Hard drive removal
Works for old models, difficult for recent models because of teardown and reassembly.
- Target Disk Mode (TDM)
What is Target Disk Mode (TDM)?
Starting the Mac in such a manner that the hard drive is treated like an external storage disk, which can then be connected to an acquisition computer.
What is the command to list all drives on OSX?
The commands are “sudo diskutil list” and “sudo diskutil info”.
What does the ‘r’ stand for in dd if=/dev/rdisk3?
It means raw, get the raw disk.
How can you create a disk image over the network?
On suspect computer:
dd if=/dev/rdisk1 bs=16M | bzip2 -c | nc 192.168.1.10 4444
On the investigator computer:
nc -l 4444 | bzip2 -d | dd bs=16M of=/diskimage.dd
What kind of back-up storage device is a Time Machine?
It's an incremental back-up device.
That means it starts with a full back-up of all the files on a computer as a starting point. All future file and folder changes will be saved.
What is the command to list all available back-ups from a Time Machine?
This can be done with the tool “tmutil”.
The command for this is “tmutil listbackups”.