when does macos catalina create
play

When does macOS Catalina create APFS checkpoints and which data - PowerPoint PPT Presentation

Apr 05, 2023 •459 likes •609 views

When does macOS Catalina create APFS checkpoints and which data could be retrieved from them? Research Project 1 Maarten van der Slik Default since High Sierra (10.13), iOS 13, tvOS 10.2, watchOS 3.2 "Copy-on-write" New features

  1. When does macOS Catalina create APFS checkpoints and which data could be retrieved from them? Research Project 1 – Maarten van der Slik

  2. Default since High Sierra (10.13), iOS 13, tvOS 10.2, watchOS 3.2 "Copy-on-write" New features Figure 1 – Overview of APFS components (Apple Inc., 2019) Apple File System 2

  3. • Pointers to checkpoints • Read-only • User ability to create and restore Figure 2 – APFS Structure (Hansen & Toolan, 2017) Snapshots 3

  4. Hansen & Toolan (2017), Decoding the APFS File System Apple Inc (2018), Apple File System Reference Plum & Dewald (2018), APFS internals for forensic analysis Plum & Dewald (2018), Forensic APFS File Recovery Related work 4

  5. macOS Catalina (10.15.2) VM 48 raw disk images 12 experiments Setup 5

  6. File experiments Layout experiments • Seek & write • Create folders Experiments • Rewrite • Clone folders • Append • Move folders • High-level API • Remove folders • Create files • Clone files • Move files • Remove files 6

  7. macOS Catalina (10.15.2) VM 48 raw disk images 12 experiments Magic bytes in files Magic bytes in volume meta-data Method 7

  8. Results after file operations Operation Checkpoints w/ restart Checkpoints w/o restart Versions available w/ restart Versions w/o restart 1 Seek & write 67,163 65,127 1,1 1,1 2 Rewrite 108,67 84,285 24 (1 corrupted),23 65,65 3 Append 91,116 80,30 22,31 21,18 4 Foundation 111,175 218,278 1,1 1,1 8

  9. Results after layout operations Operation Checkpoints w/ restart Checkpoints w/o restart Versions available w/ restart Versions w/o restart 1 mkdir 85,54 35,38 37,22 19,21 2 Folder cp -c 48,70 49,49 31,34 29,33 3 Folder mv 32,63 38,55 8,30 20,17 4 Folder rm 32,56 44,24 13,9 27,19 5 Touch 20 (1 overwritten root 39,37 10,28 19,19 tree),60 6 File cp -c 38,16 37,39 11,10 17,19 7 File cp -c 86,31 38,56 35,12 19,20 8 File cp -c 62,57 42,57 15,11 25,16 9

  10. Metadata Root tree Timeline by iterate checkpoints 10 Figure 3 – Inode Entry Value (Plum & Dewald, 2018)

  11. Metadata 01-02 2020 19:34:59 409959 m..b f 0 0 0-103-128 /root/Test1A/Higher-level/1 01-02 2020 19:35:00 409959 .a.. f 0 0 0-104-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-105-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-106-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-107-128 /root/Test1A/Higher-level/1 Root tree 409959 .a.. f 0 0 0-108-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-109-128 /root/Test1A/Higher-level/1 Timeline by iterate 409959 .a.. f 0 0 0-110-128 /root/Test1A/Higher-level/1 checkpoints 409959 .a.. f 0 0 0-111-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-112-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-113-128 /root/Test1A/Higher-level/1 Afro & The Sleuth Kit 409959 .a.. f 0 0 0-114-128 /root/Test1A/Higher-level/1 Figure 4 – mactime output 11

  12. • Leaves many older iterations of the container • Access mode • Not copy on write Conclusion 12

  13. • Leaves many older iterations of the container • Access mode • Not copy on write • Few samples • Low-level searches • Small disks Discussion 13

  14. • Leaves many older iterations of the container • Access mode • Not copy on write • Few samples • Low-level searches • Small disks Questions? 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

The ITI Program @ SC&I Presents DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is not supported on Catalina. Sign-in for a loaner laptop. Please Pick up handouts Find a seat

325 views • 19 slides
MacOS & iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS & iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS & iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our example for all your iDevices including iPhones, iPod touches, and iPods) TOP TEN Your iPad is fragile Battery life is exhaustible TIPS

330 views • 15 slides
Mac OS 10.15 Catalina Introduction: Catalina 10.15 is the latest Macintosh operating system

Mac OS 10.15 Catalina Introduction: Catalina 10.15 is the latest Macintosh operating system

Mac OS 10.15 Catalina Introduction: Catalina 10.15 is the latest Macintosh operating system from Apple. Previous Systems: OSX 10.5 Leopard OSX 10.6 Snow Leopard OSX 10.7 Lion OSX 10.8 Mountain Lion OS X 10.9

248 views • 22 slides
Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark www.jeremybytes.com @jeremybytes What is .NET Core? Cross-Platform .NET Runs on macOS, Linux, and Windows Can be compiled to machine code based on

1.17k views • 15 slides
Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk => => Why?

706 views • 36 slides
CATALINA ISLAND MARINE INSTITUTE 7 th Grade STEM Trip A U G U S T 3 0 T H S E P T E M B E R 4

CATALINA ISLAND MARINE INSTITUTE 7 th Grade STEM Trip A U G U S T 3 0 T H S E P T E M B E R 4

CATALINA ISLAND MARINE INSTITUTE 7 th Grade STEM Trip A U G U S T 3 0 T H S E P T E M B E R 4 T H , 2 0 2 0 The following presentation has information to help you prepare for the 7 th grade trip to Catalina Island. In order to gain all

436 views • 11 slides
MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA & CLASSROOM SERVICES

MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA & CLASSROOM SERVICES

MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA & CLASSROOM SERVICES P A U L L E V I N S E N , R Y A N P A N N E L L , & A A R O N H E C K Demonstration PROVISIONING IOS AND MACOS USING APPLE DEP SOLUTION

103 views • 7 slides
macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives

macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives

macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives (including optical drives), and you can hover over each colored segment to get a MB size, there is the Manage... button which brings up new options

378 views • 4 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
What can a patients DNA tell health care providers Dr. Catalina Lopez-Correa CSO & VP

What can a patients DNA tell health care providers Dr. Catalina Lopez-Correa CSO & VP

What can a patients DNA tell health care providers Dr. Catalina Lopez-Correa CSO & VP Sector Development at Genome British Columbia Presidents Speakers Series Alberta Health Services (AHS) November 21st, 2016 Why Genomics? What

383 views • 37 slides
Case #4 - Catalina Cardiofaciocutaneous Syndrome Advocating for Her Well-Being Presentation By

Case #4 - Catalina Cardiofaciocutaneous Syndrome Advocating for Her Well-Being Presentation By

Case #4 - Catalina Cardiofaciocutaneous Syndrome Advocating for Her Well-Being Presentation By Gail Kim, Janice Stovall, Jennifer van Gelder, Jordan Snajczuk & Natalie Dykzeul Background Information - Case Information A six year old

296 views • 14 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
SUMMER PROGRAMS SUMMIT 2020 WELCOME Catalina Ormsby Associate Director U-M Center for

SUMMER PROGRAMS SUMMIT 2020 WELCOME Catalina Ormsby Associate Director U-M Center for

SUMMER PROGRAMS SUMMIT 2020 WELCOME Catalina Ormsby Associate Director U-M Center for Educational Outreach Land Acknowledgement The University of Michigan is located on the traditional territory of the Anishinaabe people. In 1817, the

600 views • 29 slides
BUDGET EXPENDITURES Why does CDFW spend more than it takes in? ABOUT CATALINA OFFSHORE PRODUCTS

BUDGET EXPENDITURES Why does CDFW spend more than it takes in? ABOUT CATALINA OFFSHORE PRODUCTS

CALIFORNIA FISH AND WILDLIFE BUDGET EXPENDITURES Why does CDFW spend more than it takes in? ABOUT CATALINA OFFSHORE PRODUCTS Began as a sea urchin wholesaler. Later expanded to Today we also Founded 40 years include fin fish and operate a

456 views • 16 slides
Introduction Topic: Fractures School: Catalina Foothills High School, Period Six

Introduction Topic: Fractures School: Catalina Foothills High School, Period Six

Introduction Topic: Fractures School: Catalina Foothills High School, Period Six Speakers: Maddie Owens and Jamie Barton Questions Big Picture Question: Are there regions on Mars where fractures occur more frequently? Research

786 views • 11 slides
Mini-stage in MP, 4-5 August 2014 Catalina Curceanu LNF-INFN Two scientific revolutions in

Mini-stage in MP, 4-5 August 2014 Catalina Curceanu LNF-INFN Two scientific revolutions in

Introduction to the Modern Physics ad to the LNF-INFN activities Mini-stage in MP, 4-5 August 2014 Catalina Curceanu LNF-INFN Two scientific revolutions in the 20th century: Theory of Relativity Quantum Mechanics Speaks about

1.56k views • 114 slides
(TIP) Airport Commission 1 December 18, 2019 Terminal Integration Project Concept 2 TERMINAL

(TIP) Airport Commission 1 December 18, 2019 Terminal Integration Project Concept 2 TERMINAL

Burlington International Airport Terminal Integration Project (TIP) Airport Commission 1 December 18, 2019 Terminal Integration Project Concept 2 TERMINAL INTEGRATION PROJECT (TIP) Consolidated SSCP Basis of Design Burlington International

628 views • 28 slides
AN ANNUAL WORK PLAN 2017 AIDD Technical Assistance Institute 1 WELCOME & LEARNING OBJECTIVES

AN ANNUAL WORK PLAN 2017 AIDD Technical Assistance Institute 1 WELCOME & LEARNING OBJECTIVES

MAKING THE MOST OUT OF AN ANNUAL WORK PLAN 2017 AIDD Technical Assistance Institute 1 WELCOME & LEARNING OBJECTIVES Participants will increase their knowledge about developing and updating annual work plans. Participants will link

603 views • 38 slides
Syosset Central School District K-12 World Language Program New Initiatives & Curriculum

Syosset Central School District K-12 World Language Program New Initiatives & Curriculum

Syosset Central School District K-12 World Language Program New Initiatives & Curriculum Updates Dr. David Balsamo World Language Coordinator, K-12 District Goals & World Language Board of Education Goals World Language

280 views • 13 slides
City of Kansas City AI RPORT COMMI TTEE BRI EFI NG New Terminal Evaluation for Kansas City I

City of Kansas City AI RPORT COMMI TTEE BRI EFI NG New Terminal Evaluation for Kansas City I

City of Kansas City AI RPORT COMMI TTEE BRI EFI NG New Terminal Evaluation for Kansas City I nternational Airport March 15, 2016 1 Agenda Process Overview Establishing Requirements & Identifying Issues Forecast

1.05k views • 94 slides
Pregel: A System for Large-Scale Graph Processing Grzegorz Malewicz, Matthew H. Austern, Aart J.

Pregel: A System for Large-Scale Graph Processing Grzegorz Malewicz, Matthew H. Austern, Aart J.

Pregel: A System for Large-Scale Graph Processing Grzegorz Malewicz, Matthew H. Austern, Aart J. C. Bik, James C. Dehnert, Ilan Horn, Naty Leiser, and Grzegorz Czajkowski Google, Inc. R244 Presentation By: Vikash Singh October 24, 2018

269 views • 24 slides
Navigation Tools and Activities LEADERS KNOW THE WAY 5/22/2017 Navigation Tools and

Navigation Tools and Activities LEADERS KNOW THE WAY 5/22/2017 Navigation Tools and

California Cadet Corps Curriculum on Map Reading Navigation Tools and Activities LEADERS KNOW THE WAY 5/22/2017 Navigation Tools and Activities Agenda B1. Using a Compass B2. Alternative Direction Finding Methods B3. Pace

1.52k views • 123 slides
YOUR visit to Cheekwood! Che heekwood ekwood is is a 55-acr acre e Bo Botanical anical

YOUR visit to Cheekwood! Che heekwood ekwood is is a 55-acr acre e Bo Botanical anical

YOUR visit to Cheekwood! Che heekwood ekwood is is a 55-acr acre e Bo Botanical anical Garden den and d Mu Museu seum m of of Art loca ocated ted in in Nash shvill ville. e. A brief ief hi histor tory y of of Che heekwoo

399 views • 14 slides
Presentation of Employee Service Pins 10 -Year Pin Presented to Cale Smith Senior Officer,

Presentation of Employee Service Pins 10 -Year Pin Presented to Cale Smith Senior Officer,

Item No. 1 Presentation of Employee Service Pins 10 -Year Pin Presented to Cale Smith Senior Officer, Police Department 25 -Year Pin Presented to Ray Hinojosa Corporal, Police Department 25 -Year Pin Presented to David Allen G.I.S.

276 views • 24 slides

More recommend