[Bug?] Missing files in Autopsy 4.21/4.22 from macOS 10.4 disk image (HFS+)

Hi everyone,

I’m running into an issue with Autopsy 4.21 on Ubuntu 22.04.

I’m analyzing a .img disk image created from a macOS 10.4 (Tiger) system running in QEMU. When I mount the image manually (using sudo mount -t hfsplus -o uid=myuseruid MacOS10.4.img /mnt), I can see all the expected files in the filesystem.

However, when I add the image as a disk in Autopsy, some of those files do not appear at all in the interface, even though they clearly exist in the image.

The filesystem is HFS+, since it’s macOS 10.4.

I wrote a script to compare the file list from the mounted image and the file list from Autopsy. On this disk, there is a difference of around 20,000 files — they appear when the image is mounted, but are missing in Autopsy.

See the example below:

Script output:

View on the mount point:

Autopsy view:

You can see in the Autopsy view that the directory containing the missing files is shown as empty, and I can’t even see the parent directory as I do with other directories in the Listing section:

Parent folder that should appear in the Listing section:

Are there any known limitations in Autopsy or SleuthKit when dealing with HFS/HFS+ from older macOS versions? Or any settings I should tweak to ensure all files are visible?

Thanks in advance for any help or guidance!

Have you tried different versions of Autopsy or the sleuthkit to see if a version does show the missing files? I would try using sleuthkit first; if you can find a version that works, then there might be a regression in the code. If you cannot find a version that works, this may be an edge case. Can the image be shared for further troubleshooting?

Thank you for your answer,

I tried using Autopsy versions 4.22 and 4.21, but not versions 3 or 2. I tested it on both Windows and Linux.

The disk image file is available here (10 GB):

Long story short, there was a regression that occurred in Sleuthkit 4.12 that is causing the issue. If you use the following sleuthkit command “fls -o 262208 MacOS10.4.img 55493” against the image, you will get the following when using sleuthkit 4.12, 4.12.1 and 4.14:

General file system error (hfs_dir_open_meta: nodesize value out of bounds) (hfs_cat_traverse: Callback returned error).

If you use 4.11 or 4.13 you will get the following correct behavior:

r/r 55494: classes.nib
r/r 55495: info.nib
r/r 55496: objects.nib

The following Autopsy versions correspond with the following Sleuthkit versions:
4.22.1 - 4.14.0
4.22.0 - 4.13.0
4.21.0 - 4.12.1
4.20.0 - 4.12.0
4.19.X - 4.11.0

In order for you to see the files, you would have to either use 4.19.x or 4.22.0. With that being said, 4.22.0 does have an issue with generating Excel reports, so as long as you do not have to generate them you can use it. Since you are examining a Mac image, 4.19.x should also work fine, as there has not been anything special that has been added for MacOS.

If you feel you need Excel reporting and the newer version, then run the case in 4.22.0, do all your tagging and get everything ready for reporting, then make a portable case and pull that portable case into 4.22.1 to report in Excel. Just an option.

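A listing comparison like the one described in this thread can be reduced to the directory inodes worth re-checking with a single `fls -o <offset> <image> <inode>` call, as in the answer above. This is an added example, not code from any poster or from The Sleuth Kit; it assumes the mount listing comes from `find .` run inside the mount point and the other listing from `fls -r -p`, and the sample directory path and listings are constructed.

```python
import re
import unicodedata
from collections import Counter
from pathlib import PurePosixPath

# One line of `fls -r -p`: "<type> [* ]<inode>[(realloc)]:<TAB><full path>"
FLS_LINE = re.compile(r"^(\S/\S) (\* )?([\d-]+)(?:\(realloc\))?:\t(.+)$")

def norm(path):
    # Drop the "./" that find prints and compare names in one Unicode form,
    # so composed/decomposed HFS+ names are not reported as missing.
    path = path.strip()
    if path.startswith("./"):
        path = path[2:]
    return unicodedata.normalize("NFC", path)

def parse_fls(text):
    """Map path -> inode for allocated, non-virtual entries."""
    entries = {}
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        # Skip deleted entries ("* ") and virtual ones such as $OrphanFiles.
        if m and not m.group(2) and m.group(1).lower() != "v/v":
            entries[norm(m.group(4))] = m.group(3)
    return entries

def unreadable_dirs(mount_listing, fls_output):
    """Return {parent dir: (inode or None, missing count)} for paths
    that the mounted view shows but fls does not."""
    seen = parse_fls(fls_output)
    mounted = {norm(p) for p in mount_listing.splitlines() if p.strip()}
    counts = Counter(str(PurePosixPath(p).parent) for p in mounted - seen.keys())
    return {d: (seen.get(d), n) for d, n in sorted(counts.items())}

# Constructed sample: the directory path is made up for illustration;
# the inode numbers and .nib names follow the fls output quoted in the thread.
NIB = "Applications/Example.app/Contents/Resources/Main.nib"
MOUNT_LISTING = (f"./Applications\n./{NIB}\n./{NIB}/classes.nib\n"
                 f"./{NIB}/info.nib\n./{NIB}/objects.nib\n")
FLS_OUTPUT = (f"d/d 20:\tApplications\nd/d 55493:\t{NIB}\n"
              "r/r * 60001:\tApplications/old.txt\nV/V 70000:\t$OrphanFiles\n")

if __name__ == "__main__":
    for directory, (inode, count) in unreadable_dirs(MOUNT_LISTING, FLS_OUTPUT).items():
        print(f"{count} entries missing under inode {inode}: {directory}")
```

A directory that fls lists by inode but whose children are all missing is a candidate for the `hfs_dir_open_meta` error quoted above; running fls against that inode with each Sleuth Kit version shows whether the version is the cause.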

I just tried it on Autopsy 4.22.0, and it works very nicely. Thanks for your help and explanations. Have a great day!