when does macos catalina create
play

When does macOS Catalina create APFS checkpoints and which data - PowerPoint PPT Presentation

Apr 05, 2023 •459 likes •609 views

When does macOS Catalina create APFS checkpoints and which data could be retrieved from them? Research Project 1 Maarten van der Slik Default since High Sierra (10.13), iOS 13, tvOS 10.2, watchOS 3.2 "Copy-on-write" New features

  1. When does macOS Catalina create APFS checkpoints and which data could be retrieved from them? Research Project 1 – Maarten van der Slik

  2. Default since High Sierra (10.13), iOS 13, tvOS 10.2, watchOS 3.2 "Copy-on-write" New features Figure 1 – Overview of APFS components (Apple Inc., 2019) Apple File System 2

  3. • Pointers to checkpoints • Read-only • User ability to create and restore Figure 2 – APFS Structure (Hansen & Toolan, 2017) Snapshots 3

  4. Hansen & Toolan (2017), Decoding the APFS File System Apple Inc (2018), Apple File System Reference Plum & Dewald (2018), APFS internals for forensic analysis Plum & Dewald (2018), Forensic APFS File Recovery Related work 4

  5. macOS Catalina (10.15.2) VM 48 raw disk images 12 experiments Setup 5

  6. File experiments Layout experiments • Seek & write • Create folders Experiments • Rewrite • Clone folders • Append • Move folders • High-level API • Remove folders • Create files • Clone files • Move files • Remove files 6

  7. macOS Catalina (10.15.2) VM 48 raw disk images 12 experiments Magic bytes in files Magic bytes in volume meta-data Method 7

  8. Results after file operations Operation Checkpoints w/ restart Checkpoints w/o restart Versions available w/ restart Versions w/o restart 1 Seek & write 67,163 65,127 1,1 1,1 2 Rewrite 108,67 84,285 24 (1 corrupted),23 65,65 3 Append 91,116 80,30 22,31 21,18 4 Foundation 111,175 218,278 1,1 1,1 8

  9. Results after layout operations Operation Checkpoints w/ restart Checkpoints w/o restart Versions available w/ restart Versions w/o restart 1 mkdir 85,54 35,38 37,22 19,21 2 Folder cp -c 48,70 49,49 31,34 29,33 3 Folder mv 32,63 38,55 8,30 20,17 4 Folder rm 32,56 44,24 13,9 27,19 5 Touch 20 (1 overwritten root 39,37 10,28 19,19 tree),60 6 File cp -c 38,16 37,39 11,10 17,19 7 File cp -c 86,31 38,56 35,12 19,20 8 File cp -c 62,57 42,57 15,11 25,16 9

  10. Metadata Root tree Timeline by iterate checkpoints 10 Figure 3 – Inode Entry Value (Plum & Dewald, 2018)

  11. Metadata 01-02 2020 19:34:59 409959 m..b f 0 0 0-103-128 /root/Test1A/Higher-level/1 01-02 2020 19:35:00 409959 .a.. f 0 0 0-104-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-105-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-106-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-107-128 /root/Test1A/Higher-level/1 Root tree 409959 .a.. f 0 0 0-108-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-109-128 /root/Test1A/Higher-level/1 Timeline by iterate 409959 .a.. f 0 0 0-110-128 /root/Test1A/Higher-level/1 checkpoints 409959 .a.. f 0 0 0-111-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-112-128 /root/Test1A/Higher-level/1 409959 .a.. f 0 0 0-113-128 /root/Test1A/Higher-level/1 Afro & The Sleuth Kit 409959 .a.. f 0 0 0-114-128 /root/Test1A/Higher-level/1 Figure 4 – mactime output 11

  12. • Leaves many older iterations of the container • Access mode • Not copy on write Conclusion 12

  13. • Leaves many older iterations of the container • Access mode • Not copy on write • Few samples • Low-level searches • Small disks Discussion 13

  14. • Leaves many older iterations of the container • Access mode • Not copy on write • Few samples • Low-level searches • Small disks Questions? 14

Recommend

DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

The ITI Program @ SC&I Presents DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is not supported on Catalina. Sign-in for a loaner laptop. Please Pick up handouts Find a seat

325 views • 19 slides
MacOS & iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS & iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS & iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our example for all your iDevices including iPhones, iPod touches, and iPods) TOP TEN Your iPad is fragile Battery life is exhaustible TIPS

330 views • 15 slides
Mac OS 10.15 Catalina Introduction: Catalina 10.15 is the latest Macintosh operating system

Mac OS 10.15 Catalina Introduction: Catalina 10.15 is the latest Macintosh operating system

Mac OS 10.15 Catalina Introduction: Catalina 10.15 is the latest Macintosh operating system from Apple. Previous Systems: OSX 10.5 Leopard OSX 10.6 Snow Leopard OSX 10.7 Lion OSX 10.8 Mountain Lion OS X 10.9

248 views • 22 slides
Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark www.jeremybytes.com @jeremybytes What is .NET Core? Cross-Platform .NET Runs on macOS, Linux, and Windows Can be compiled to machine code based on

1.17k views • 15 slides
Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk => => Why?

706 views • 36 slides
CATALINA ISLAND MARINE INSTITUTE 7 th Grade STEM Trip A U G U S T 3 0 T H S E P T E M B E R 4

CATALINA ISLAND MARINE INSTITUTE 7 th Grade STEM Trip A U G U S T 3 0 T H S E P T E M B E R 4

CATALINA ISLAND MARINE INSTITUTE 7 th Grade STEM Trip A U G U S T 3 0 T H S E P T E M B E R 4 T H , 2 0 2 0 The following presentation has information to help you prepare for the 7 th grade trip to Catalina Island. In order to gain all

436 views • 11 slides
MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA & CLASSROOM SERVICES

MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA & CLASSROOM SERVICES

MANAGING MACOS AND IOS DEVICES WITH JAMF AND APPLE DEP UBCO IT, MEDIA & CLASSROOM SERVICES P A U L L E V I N S E N , R Y A N P A N N E L L , & A A R O N H E C K Demonstration PROVISIONING IOS AND MACOS USING APPLE DEP SOLUTION

103 views • 7 slides
macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives

macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives

macOS Sierra What's new About this Mac - Storage tab, besides the available connected drives (including optical drives), and you can hover over each colored segment to get a MB size, there is the Manage... button which brings up new options

378 views • 4 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
What can a patients DNA tell health care providers Dr. Catalina Lopez-Correa CSO & VP

What can a patients DNA tell health care providers Dr. Catalina Lopez-Correa CSO & VP

What can a patients DNA tell health care providers Dr. Catalina Lopez-Correa CSO & VP Sector Development at Genome British Columbia Presidents Speakers Series Alberta Health Services (AHS) November 21st, 2016 Why Genomics? What

383 views • 37 slides
Case #4 - Catalina Cardiofaciocutaneous Syndrome Advocating for Her Well-Being Presentation By

Case #4 - Catalina Cardiofaciocutaneous Syndrome Advocating for Her Well-Being Presentation By

Case #4 - Catalina Cardiofaciocutaneous Syndrome Advocating for Her Well-Being Presentation By Gail Kim, Janice Stovall, Jennifer van Gelder, Jordan Snajczuk & Natalie Dykzeul Background Information - Case Information A six year old

296 views • 14 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
SUMMER PROGRAMS SUMMIT 2020 WELCOME Catalina Ormsby Associate Director U-M Center for

SUMMER PROGRAMS SUMMIT 2020 WELCOME Catalina Ormsby Associate Director U-M Center for

SUMMER PROGRAMS SUMMIT 2020 WELCOME Catalina Ormsby Associate Director U-M Center for Educational Outreach Land Acknowledgement The University of Michigan is located on the traditional territory of the Anishinaabe people. In 1817, the

600 views • 29 slides
BUDGET EXPENDITURES Why does CDFW spend more than it takes in? ABOUT CATALINA OFFSHORE PRODUCTS

BUDGET EXPENDITURES Why does CDFW spend more than it takes in? ABOUT CATALINA OFFSHORE PRODUCTS

CALIFORNIA FISH AND WILDLIFE BUDGET EXPENDITURES Why does CDFW spend more than it takes in? ABOUT CATALINA OFFSHORE PRODUCTS Began as a sea urchin wholesaler. Later expanded to Today we also Founded 40 years include fin fish and operate a

456 views • 16 slides
Introduction Topic: Fractures School: Catalina Foothills High School, Period Six

Introduction Topic: Fractures School: Catalina Foothills High School, Period Six

Introduction Topic: Fractures School: Catalina Foothills High School, Period Six Speakers: Maddie Owens and Jamie Barton Questions Big Picture Question: Are there regions on Mars where fractures occur more frequently? Research

786 views • 11 slides
Mini-stage in MP, 4-5 August 2014 Catalina Curceanu LNF-INFN Two scientific revolutions in

Mini-stage in MP, 4-5 August 2014 Catalina Curceanu LNF-INFN Two scientific revolutions in

Introduction to the Modern Physics ad to the LNF-INFN activities Mini-stage in MP, 4-5 August 2014 Catalina Curceanu LNF-INFN Two scientific revolutions in the 20th century: Theory of Relativity Quantum Mechanics Speaks about

1.56k views • 114 slides
OSX.EvilQuest ("EffectiveIdiot") WHOIS @patrickwardle O UTLINE infection vector

OSX.EvilQuest ("EffectiveIdiot") WHOIS @patrickwardle O UTLINE infection vector

A True Virus on macOS OSX.EvilQuest ("EffectiveIdiot") WHOIS @patrickwardle O UTLINE infection vector triage persistence capabilities D ISCOVERY credit: Dinesh Devadoss " #macOS #ransomware impersonating as Google Software

724 views • 35 slides
A GUIDE TO CATALINA ISLAND'S MARINE PROTECTED AREAS Oceans in Crisis Our marine ecosystems

A GUIDE TO CATALINA ISLAND'S MARINE PROTECTED AREAS Oceans in Crisis Our marine ecosystems

A GUIDE TO CATALINA ISLAND'S MARINE PROTECTED AREAS Oceans in Crisis Our marine ecosystems have undergone traumatic stress due to Overfishing/hunting Photo: Kyle McBurnie Habitat loss Fish stocks have declined significantly Pollution and

455 views • 9 slides
macOS 10.14 Mojave An overview of the new goodness Mojave Fun(?) Facts Announced at WWDC 2018

macOS 10.14 Mojave An overview of the new goodness Mojave Fun(?) Facts Announced at WWDC 2018

macOS 10.14 Mojave An overview of the new goodness Mojave Fun(?) Facts Announced at WWDC 2018 on Monday, June 4 Released to the public (GA) on Monday, September 24 You need free space on your boot drive to install it 12.5 GB to

226 views • 22 slides
Secretary MARK A. VILLAR Department of Public Works and Highways Presented by: MARIA CATALINA E.

Secretary MARK A. VILLAR Department of Public Works and Highways Presented by: MARIA CATALINA E.

Secretary MARK A. VILLAR Department of Public Works and Highways Presented by: MARIA CATALINA E. CABRAL, PhD Undersecretary for Planning and PPP The Life We Want The Philippines is a prosperous middle class society where no one is poor.

224 views • 20 slides
Early Fertili lity and Labor Market Segmentation: Evid idence fr from Madagascar Catalina

Early Fertili lity and Labor Market Segmentation: Evid idence fr from Madagascar Catalina

Early Fertili lity and Labor Market Segmentation: Evid idence fr from Madagascar Catalina Herrera Northeastern University David Sahn Cornell University Kira Villa University of New Mexico Human Capital Growth Conference WIDER

327 views • 31 slides
Design Thinking and SANTA CATALINA SCHOOL THE BASICS OF DESIGN THINKING

Design Thinking and SANTA CATALINA SCHOOL THE BASICS OF DESIGN THINKING

Design Thinking and SANTA CATALINA SCHOOL THE BASICS OF DESIGN THINKING Its a process. : From Stanfords d.school EMPATHY - gathering informaGon by

729 views • 16 slides
iOS/macOS 0-day^w48-hours from sandbox to kernel Prsent 31/05/2018 Pour BeeRumP Par Eloi

iOS/macOS 0-day^w48-hours from sandbox to kernel Prsent 31/05/2018 Pour BeeRumP Par Eloi

iOS/macOS 0-day^w48-hours from sandbox to kernel Prsent 31/05/2018 Pour BeeRumP Par Eloi Vanderbeken Who? Eloi Vanderbeken @elvanderb Synacktiv Coordinateur du ple reverse de Synacktiv dveloppement bas niveau

593 views • 20 slides
Catalina: A Case of Residents Shaping Policy for Island Port OCall CRUISE SHIP AT AVALON

Catalina: A Case of Residents Shaping Policy for Island Port OCall CRUISE SHIP AT AVALON

Catalina: A Case of Residents Shaping Policy for Island Port OCall CRUISE SHIP AT AVALON HARBOR Year 2016 Arrivals to the Island Ferry 68.5 % Cruise Tender 24.3 % Private boat 5.3 % Private Plane 1.0% Helicopter 0.9 % Process to

303 views • 19 slides

More recommend