Mac HFS+ Drive Forensic Recovery: From Imaging to File Organization
This project documents the process of recovering images and videos from a Mac-formatted (HFS+) drive, using open-source forensic tools inside a Docker container. The workflow covers imaging the drive, handling macOS quirks, extracting file listings, and finally organizing recovered files for easy review.
1. The Challenge: Imaging a Mac HFS+ Drive
FTK Imager, a popular forensic imaging tool, is not natively available for macOS and cannot reliably access HFS+ drives on Mac. Mac security features (like SIP) and lack of raw device access further limit its usefulness. I opted for the built-in Unix tool dd (or dcfldd) to create a bit-for-bit forensic image of the drive.
Use the caffeinate command to prevent sleep during long imaging operations. Unmount the source disk first so nothing writes to it while it is being imaged, and note that the BSD dd shipped with macOS takes a lowercase size suffix (bs=4m), not the GNU-style bs=4M:
caffeinate dd if=/dev/source_disk of=/path/to/backup.img bs=4m status=progress
Or simply keep the Mac awake during any terminal session:
caffeinate -dimsu
If running Docker, use caffeinate on the host to prevent sleep while the container is running:
caffeinate docker run -it -v /path/to/local/data:/work my_recovery_image
2. Forensic Imaging: dd and dcfldd
Forensic imaging was performed with dd, but dcfldd is a recommended alternative. dcfldd offers built-in hashing (MD5, SHA1, SHA256), progress indicators, and output splitting for robust, verifiable imaging.
dcfldd if=/dev/source_disk of=/path/to/backup.img hash=md5,sha256 hashlog=hashes.txt
3. Setting Up the Recovery Environment with Docker
To avoid dependency issues and ensure a consistent toolset, I created a Docker container based on Ubuntu 22.04. The Dockerfile installs all necessary recovery tools, including PhotoRec (from TestDisk), Sleuthkit, ExifTool, and more.
FROM ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
    fuse3 \
    hfsprogs \
    sleuthkit \
    testdisk \
    exiftool \
    python3 \
    python3-pip \
    unzip \
    git \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
WORKDIR /work
CMD ["/bin/bash"]
4. File Recovery and Listing
Inside the Docker container, I used PhotoRec to scan the image and recover files. PhotoRec is a powerful open-source tool for recovering lost files from hard disks, CD-ROMs, and memory cards. To launch it interactively against the image (the /d option preselects the recovery directory):
photorec /d /output/photorec /path/to/backup.img
To ensure output directories exist:
mkdir -p /output/photorec && touch /output/photorec/log.log
Additionally, I used Sleuthkit tools to retrieve file listings and extract files from the disk image. If the image is a whole disk with a partition table rather than a bare HFS+ volume, first run mmls on the image to find the partition's starting sector and pass it to fls and icat with -o <offset>:
fls -r -m / /path/to/backup.img > file-listing.txt
icat /path/to/backup.img <inode_number> > recovered_file
Note: icat was useful for targeted recovery, but did not recover nearly as many files as PhotoRec. PhotoRec’s signature-based recovery was more effective for bulk recovery, especially when directory metadata was missing or damaged.
5. Organizing the Results
- Listing and Consolidating Image Files Over 50KB: Searched the recovered output for all image files (JPG, PNG, etc.) larger than 50KB, created a list, and copied them into a single directory.
- Listing and Consolidating Video Files: Searched for all common video file formats (MP4, MOV, AVI, etc.), created a list, and copied all video files into a dedicated videos directory.
These steps ensured all significant media files were easily accessible and organized for further analysis or archiving.
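The two consolidation steps above as one reusable shell function. This is an added example, not a script from the original project: it assumes PhotoRec's default recup_dir.N output layout, and the directory names and function name are mine.

```shell
#!/bin/sh
# Consolidate recovered media from PhotoRec's recup_dir.* output into one
# directory per media type, writing the list of matched source paths as well.
# Added example; paths and function name are assumptions, not the project's own.
set -eu

# consolidate_media SRC DST LIST MIN_SIZE EXT...
#   SRC      PhotoRec output root (holds recup_dir.1, recup_dir.2, ...)
#   DST      directory the matches are copied into (created if missing)
#   LIST     text file that receives one matched source path per line
#   MIN_SIZE a find(1) -size expression, e.g. +50k; use +0c for any size
#   EXT...   case-insensitive extensions without the dot (jpg png ...)
# Prints the number of files consolidated.
consolidate_media() {
    src="$1"; dst="$2"; list="$3"; min_size="$4"
    shift 4
    mkdir -p "$dst"
    : > "$list"
    # Rebuild the positional parameters as the find(1) name expression
    #   ( -iname *.jpg -o -iname *.png ... )
    exts="$*"
    set -- '('
    for ext in $exts; do
        [ $# -eq 1 ] || set -- "$@" -o
        set -- "$@" -iname "*.$ext"
    done
    set -- "$@" ')'
    # PhotoRec file names never contain newlines, so a line-oriented read is
    # safe here. The destination name is prefixed with the recup_dir name so
    # files from different recovery passes cannot overwrite each other.
    find "$src" -type f -size "$min_size" "$@" | while IFS= read -r f; do
        printf '%s\n' "$f" >> "$list"
        parent=$(basename "$(dirname "$f")")
        cp -p -- "$f" "$dst/${parent}_$(basename "$f")"
    done
    wc -l < "$list" | tr -d ' '
}

# Usage matching the two steps above (only runs when invoked directly):
# consolidate_media /output/photorec /output/images /output/images.txt +50k jpg jpeg png gif heic
# consolidate_media /output/photorec /output/videos /output/videos.txt +0c mp4 mov avi mkv
```

Keep the generated list files with the image hashes; they are the record of what was pulled out of the recovery output and where each copy came from.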
Project Status: Complete
All possible files have been recovered, organized, and are available for review. This workflow can serve as a template for future forensic recovery projects on Mac HFS+ drives.
Notes: This project took over 44 hours to complete, not all focused attention, but total time. 3 hours for the first attempt with the client, 1 hour with the client, 2 hours in the client's office. No progress, computer does not work, and is painfully slow. Needed to image the drive. 6 hours for the first dd, corrupted. 6 hours for caffeinated dd. 2 hours to build a custom forensic Docker container, with work and output drive mounts. 1 hour for icat and Sleuthkit. 7 hours for Foremost. Not enough files. Try Foremost again, 6 hours, not enough files. Do research, use PhotoRec, 3 hours and fails. Use caffeinated Docker with PhotoRec, 6 hours, this works. 3 hours for emails, USB export, and project wrap-up. A perfect project might be ~20 hours, faster if using a custom-built forensics device with the fastest SSD/NVRAM and 100% accuracy and zero mistakes. These devices are mostly for law enforcement and cost 12K to 60K. A tower with a separate 2TB NVMe for the image could speed this up dramatically. I used a MacBook Pro 2021 and an external USB 3.0 HD.
If you have questions or want to discuss this workflow, feel free to make a comment or connect with me.