info@cirt.gov.bd
+88-02-550071 83-86
Facebook Page LinkedIn Page Twitter Page

Copying v Dragging a file to an OS X Disk Image [source: ThinkDFIR]

by
06 Sep 2018
in Digital Forensic, News Clipping
No Comments
2239

Had a need to do some quick testing on different operations on OS X 10.10.5 (Yosemite) and thought I’d share.

Created a new disk image, and then copied an existing file into it. Then created a new file, and dragged that into the disk image. Here is what we may found!

Action Plan

  • Copy Existing File

I had a file which had some text in it, it was called “hello.txt”. I hadn’t changed it in a few days, but I did open it just before I ran the “stat” command to see what was inside. This is reflected in the “Access” timestamp.

  • Drag Existing File

Next I created a new file, world.txt, and here’s the metadata for that one. (Opened Textedit, mashed some text and save).

Addendum

Funny thing happened, I copied the image to another Mac (running 10.13.6). The ‘Date Added’ is present for all three items, which is not the same behaviour that was seen on the previous OS; at least from a presentation standpoint. This does mean that my theory that the two operations were treated differently may be false, but at the very least I can show that the ‘Date Added’ shows when the file appeared on the volume.

For more, click here.

Share

Recommended Posts