Saturday, January 8, 2011

HFS - Hierarchical File System

According to the Wikipedia pages, this file system was developed by Apple Inc. The original structure definitions can be found in the XNU package, from which I derived my structures. Similar definitions can be found in the XPWN project as well, but I took the first one as more authentic (since it came first-hand).
In the following I intend to go through the file system structures, and I will try to give a picture of the interpretation I worked out on multiple example files.

Monday, December 6, 2010

Driver Descriptor and Partition Map

Not very long after I started writing the draft of this article I uncovered another structure for describing the same thing. After a short hesitation I decided I would not give it a new title. I will leave it as it is now.
According to my original source, the Driver Descriptor and Partition Map describe the logical structure of the disk image. Later I tested my product and found a new schema in one of my sample files. I found the answer after a short investigation: the file contained an EFI partition structure with a GUID Partition Table.

Wednesday, December 1, 2010

UDIF Resource File

The UDIF Resource File is a descriptor structure for the data blocks stored in the raw file. The blocks can be compressed in different ways or just stored as-is. All the information about each data chunk's location, length, and storage method is kept in this structure at the end of the file.
Do not forget that this content is embedded in FileVault if that layer is present. Of course I saw cases where neither FileVault nor the UDIF Resource File was present at all, which meant I just started reading the given file without any preprocessing.
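
The layering decision described above, as an added example (not the author's code): probe a file for a FileVault wrapper, then for the UDIF descriptor at the end of the file, and otherwise treat it as raw. The field layout is an assumption taken from the commonly documented 512-byte big-endian "koly" trailer and the signatures checked by vfdecrypt, none of which the post spells out; `make_sample` builds constructed test data.

```python
import struct

# Assumed layout: the commonly documented 512-byte big-endian "koly" trailer.
KOLY = struct.Struct(">4sIII QQQQQ II 16s II 128s QQ 120s II 128s I Q III")

def read_udif_trailer(image: bytes):
    """Return key trailer fields, or None when the file has no UDIF trailer."""
    if len(image) < KOLY.size:
        return None
    f = KOLY.unpack(image[-KOLY.size:])
    if f[0] != b"koly" or f[2] != KOLY.size:   # signature, declared header size
        return None
    body = len(image) - KOLY.size
    # The offsets are untrusted input: refuse ranges that leave the file body.
    for offset, length in ((f[5], f[6]), (f[15], f[16])):
        if offset + length > body:
            raise ValueError("UDIF trailer points outside the file")
    return {"version": f[1], "data_offset": f[5], "data_length": f[6],
            "xml_offset": f[15], "xml_length": f[16], "sectors": f[22]}

def outer_layer(image: bytes) -> str:
    """Decide which preprocessing step the file needs first."""
    # Assumed signatures: "encrcdsa" opens a v2 image, "cdsaencr" closes a v1 image.
    if image[:8] == b"encrcdsa" or image[-8:] == b"cdsaencr":
        return "filevault"      # decrypt first; the UDIF trailer is inside
    if read_udif_trailer(image) is not None:
        return "udif"           # resolve the block table, then read the data
    return "raw"                # no wrapper: start reading the file system

def make_sample(data: bytes, xml: bytes) -> bytes:
    """Constructed test image: data fork, XML block table, then the trailer."""
    trailer = KOLY.pack(b"koly", 4, KOLY.size, 1, 0, 0, len(data), 0, 0, 1, 1,
                        bytes(16), 0, 0, bytes(128), len(data), len(xml),
                        bytes(120), 0, 0, bytes(128), 1, len(data) // 512, 0, 0, 0)
    return data + xml + trailer

if __name__ == "__main__":
    sample = make_sample(bytes(1024), b"<plist/>")
    print(outer_layer(sample), read_udif_trailer(sample))
    print(outer_layer(b"encrcdsa" + bytes(64)))
    print(outer_layer(bytes(2048)))
```

A trailer whose offsets point past the end of the file raises `ValueError` instead of being followed, which is the check to keep when the image comes from an untrusted source.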

Monday, November 29, 2010


FileVault can be found in Apple Mac OS X, where it appeared starting with version 10.3. It is the protection layer of disk image files (DMG), in which AES encryption is used. If you want to know more about the product, you can find a description on the wiki. My attention focused on it because iOS software updates come with this protection, and I wanted to look into them without resorting to tricky solutions or extracting the content with other tools (vfdecrypt). I wanted to handle it on my own.

Let's start it...

Alright! It seems like I will collect the results of my projects. I will organize my thoughts and share them with the world in this blog. Sharing is better than just keeping something for myself if I have gone deep into a topic and sorted out a puzzle.
What is the topic, you may ask. Byteforge: it is IT and programming, and maybe you will need to focus if you want to understand me, but my goal is to make things clear instead of just making the reader more confused. It is programming, sorting out undocumented situations, and going into file format investigations.
The key fields I focus on are cpp and assembly (x86 and ARM) coding and the Windows, MacOS and iOS platforms. Actually, I have not seen any activity aimed at achieving some kind of cross-functionality across these platforms, so maybe I envision these kinds of projects. I would like to create some kind of unified handling of MacOS structures on Windows. I have just started the preliminary research to see how deep the rabbit hole goes...
If I made you curious, please stay tuned!