On September 2, 2010, in E01, Forensics, HFSX, by MegaDeus

Let's say you come across a hard drive that is HFSX formatted. You're using EnCase to view the drive, but you can't. That's because EnCase doesn't support HFSX for some reason (only HFS and HFS Plus). Well, all you have to do is convert the acquired image to HFS+. Shouldn't be that hard! It may not be forensically sound, but at least you have something to look at!

Make sure the forensic image is a DD image. If it's an E01, you will need to convert it to DD.

Open the DD image in a hex editor. (I use WinHex.)

Search for HFS.  Make sure HX is in the same line as HFS.

Change HX to H+

Change the 4th byte, counting from the H of HX, from 05 to 04.

Save your work! Open it up using your favorite forensic tool and bam!

If you need to, you can reacquire it to an E01 image and you're all set!
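The same edit can be scripted so that it only ever touches a working copy and leaves a record for the case notes. This is an added example, not part of the original post: the function names are hypothetical, the list of `lastMountedVersion` values is an assumed filter, and it goes slightly beyond the manual steps by patching every sector-aligned match, which includes the alternate volume header stored 1024 bytes before the end of the volume.

```python
import hashlib, mmap, shutil, sys

SECTOR = 512
HFSX_MAGIC = b"HX\x00\x05"   # signature 'HX', version 5 (big-endian)
HFSP_MAGIC = b"H+\x00\x04"   # signature 'H+', version 4
# lastMountedVersion sits 8 bytes into the header; 'HFSJ' is the "HFS" text
# that shows up on the same hex-editor line as 'HX'. Assumed filter list.
LAST_MOUNTED = {b"HFSJ", b"10.0", b"8.10", b"fsck"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_hfsx_headers(buf):
    """Return sector-aligned offsets that look like an HFSX volume header."""
    hits, pos = [], buf.find(HFSX_MAGIC)
    while pos != -1:
        # Ignore hits inside file content: headers start on a sector boundary.
        if pos % SECTOR == 0 and bytes(buf[pos + 8:pos + 12]) in LAST_MOUNTED:
            hits.append(pos)
        pos = buf.find(HFSX_MAGIC, pos + 1)
    return hits

def patch_copy(src, dst):
    """Copy src to dst, patch dst only, and return a record of the change."""
    shutil.copyfile(src, dst)
    with open(dst, "r+b") as f, mmap.mmap(f.fileno(), 0) as m:
        offsets = find_hfsx_headers(m)
        for off in offsets:
            m[off:off + 4] = HFSP_MAGIC   # 'HX' -> 'H+', 05 -> 04
        m.flush()
    return {"source_sha256": sha256_file(src),
            "patched_sha256": sha256_file(dst),
            "patched_offsets": offsets}

if __name__ == "__main__":
    # usage: script.py original.dd working_copy.dd
    print(patch_copy(sys.argv[1], sys.argv[2]))
```

Keep the returned hashes and offsets with the case notes, since the patched copy will no longer match the acquisition hash.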
