Overview

This image (EnCase, iLook, compressed dd) is intended to evaluate whether an imaging tool can recognize the file systems that can be created on a Mac running OS X. The original drive was set up with five partitions:
The MD5 for the image is: 98116DC10E4B090B62321F1E4464973A and the SHA1 is: cb86d7677eda9baa2e2d99f09810c46ea635e3ce

The test image was created so that the hard drive appears to have been a Western Digital, model WDC WD200EB-00CSF0, serial # WD-WTAAV4044563, with 201600 sectors rather than the usual much larger size for this model drive. This was accomplished by creating a host protected area (HPA) at sector 201600 and then attaching the drive to the host computer with an IDE to USB bridge to hide the HPA from the imaging software. Then the CFTT diskwipe program was used to write the C/H/S and LBA address to each sector and fill the remainder of each sector with 0xB9. This base configuration was then attached to a Mac and the following files were copied to the hard drive:

MacOSS:
total 0
drwxr-xr-x  8 jimlyle  unknown  272  9 Jan 10:31 OSS/

MacOSS/OSS: (Sunflower pictures)
total 10753
-rw-rw-rw-  1 jimlyle  unknown  1050976  5 Jul  2004 100_0182.JPG
-rw-rw-rw-  1 jimlyle  unknown  2470722  7 Jan 09:20 100_0183.BMP
-rw-rw-rw-  1 jimlyle  unknown   132948  7 Jan 09:20 100_0183.GIF
-rw-rw-rw-  1 jimlyle  unknown  1010474  7 Jan 09:20 100_0183.PCX
-rw-rw-rw-  1 jimlyle  unknown   839346  7 Jan 09:20 100_0183.PNG

MacOSX: (Bamboo pictures)
total 21080
-rwxrwxrwx  1 jimlyle  unknown  6492948  7 Jan 08:56 000_0015 LZW+Diff.tif*
-rwxrwxrwx  1 jimlyle  unknown  2408722  7 Jan 08:57 000_0022.GIF*
-rwxrwxrwx  1 jimlyle  unknown  1879407 12 Jun  2004 100_0019.JPG*
-rw-r--r--  1 jimlyle  unknown      754  1 Nov 21:22 <unicode>.txt

MacOSXD:
total 0
drwxr-xr-x  10 jimlyle  unknown  340  9 Jan 10:31 OSXD/

MacOSXD/OSXD: (Building pictures)
total 14208
-rwxrwxrwx  1 jimlyle  unknown   921654  7 Jan 09:03 02010025.BMP*
-rwxrwxrwx  1 jimlyle  unknown   144711  7 Jan 09:02 02010025.GIF*
-rwxrwxrwx  1 jimlyle  unknown   806664  7 Jan 09:03 02010025.PCX*
-rwxrwxrwx  1 jimlyle  unknown   922432  7 Jan 09:03 02010025.TIF*
-rwxrwxrwx  1 jimlyle  unknown  1131350 14 Oct 06:21 100_0337.JPG*
-rwxrwxrwx  1 jimlyle  unknown  3326202  7 Jan 09:08 little church (neg).png*
-rw-r--r--  1 jimlyle  unknown      754  1 Nov 21:22 <unicode>.txt

MacOSXJ: (Flower pictures)
total 6648
-rwxrwxrwx  1 jimlyle  unknown  578956 31 May  2004 000_0007.JPG*
-rwxrwxrwx  1 jimlyle  unknown  678549 31 May  2004 000_0017.JPG*
-rwxrwxrwx  1 jimlyle  unknown  666762 31 May  2004 000_0019.JPG*
-rwxrwxrwx  1 jimlyle  unknown  711412 31 May  2004 000_0020.JPG*
-rwxrwxrwx  1 jimlyle  unknown  754069 31 May  2004 000_0021.JPG*
-rw-r--r--  1 jimlyle  unknown     754  1 Nov 21:22 <unicode>.txt

NOTE: the contents of the UFS partition were omitted from this list


The steps to create the image were as follows:

  1. Restore the base image created for the Russian Tea Room image. This gives a starting point of a wiped drive in which each sector is filled with the sector address and hex B9.
  2. Attach the drive to the Mac.
  3. Run diskutility to create the five partitions (MacOSXJ, MacOSX, free, MacOSXD, free, MacOSS, and UFS) with some free space around the MacOSXD partition.
  4. Copy the files listed above to the partitions.
  5. Execute ls -lR and capture the output.
  6. Eject the drive and remove it from the Mac.
  7. Attach the drive to an Intel computer, boot the IXimager and acquire the drive (logfile).
  8. Reboot into Windows 2000 and acquire the drive with EnCase 4 (report).
  9. Attach the drive to a computer running Linux, acquire with dd and compress with bzip2.
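
The following Python sketch is an added example, not part of the original page or of the CFTT tools. It streams the bzip2-compressed dd image from step 9 once, computes both digests, checks the 201600-sector size, and counts sectors that still end in the 0xB9 wipe fill. It assumes the published digests cover the uncompressed dd stream and that the address text written by diskwipe fits in the first 256 bytes of a sector; the function names and the sample sector contents are constructed for illustration.

```python
import bz2
import hashlib
import io

SECTOR = 512
FILL_TAIL = b"\xb9" * 256   # assumption: address text fits in the first 256 bytes
PUBLISHED = {               # values stated on this page
    "sectors": 201600,
    "md5": "98116dc10e4b090b62321f1e4464973a",
    "sha1": "cb86d7677eda9baa2e2d99f09810c46ea635e3ce",
}

def audit_image(fileobj, compressed=True):
    """Stream a dd image once; return digests, sector count and wipe-pattern count."""
    src = bz2.BZ2File(fileobj) if compressed else fileobj
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = wiped = 0
    while True:
        chunk = src.read(SECTOR * 2048)
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
        total += len(chunk)
        # Only whole sectors are classified; a short tail is reported separately.
        for off in range(0, len(chunk) - SECTOR + 1, SECTOR):
            if chunk[off + SECTOR - len(FILL_TAIL):off + SECTOR] == FILL_TAIL:
                wiped += 1
    result = {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sectors": total // SECTOR,
        "trailing_bytes": total % SECTOR,   # non-zero means a truncated acquisition
        "wipe_pattern_sectors": wiped,      # sectors still ending in the 0xB9 fill
    }
    result["size_ok"] = (result["sectors"] == PUBLISHED["sectors"]
                         and result["trailing_bytes"] == 0)
    result["hash_ok"] = (result["md5"] == PUBLISHED["md5"]
                         and result["sha1"] == PUBLISHED["sha1"])
    return result

def constructed_sample():
    """Constructed 4-sector image: two wipe-pattern sectors, two overwritten ones."""
    # Made-up address text, not diskwipe's real layout.
    wiped = b"000000/000/01 000000000000".ljust(SECTOR, b"\xb9")
    data = b"\xff\xd8\xff\xe0".ljust(SECTOR, b"\x00")
    return wiped + data + data + wiped

if __name__ == "__main__":
    print(audit_image(io.BytesIO(bz2.compress(constructed_sample()))))
```

For a real acquisition, pass `open(path, "rb")` as `fileobj`; a sector count above 201600 would indicate the tool saw past the hidden HPA.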