Understanding DMG files part 1 of 3
What the heck are these files with a .dmg extension? Well, they are NOT a proprietary format created by BlackBag, they’re a proprietary disk image format created by Apple. A dmg file is an Apple Disk Image commonly used with the Mac OS X operating system. Apple Disk Image files are published with a MIME-type of application/x-apple-diskimage. Apple Disk Images can be created using utilities bundled with Mac OS X, specifically, Disk Copy in Mac OS X v10.2 and earlier, and Disk Utility in Mac OS X v10.3 and later (hdiutil does the same job from the command line). The dmg format allows many options, including password protection (encryption) and compression. It is most commonly used to distribute software over the internet. Our interest, however, is in the forensic aspects of dmg files… so let’s dig in:
First, a dmg file can be opened and viewed as a folder on Mac OS X. The simple act of double clicking on the dmg file will “mount” the dmg file as a volume and present the contents in the Finder. Many forensic investigators like to mount dmg files to preview/browse the contents. Mounting also allows for copying data out easily. If you are going to mount a dmg file, then you need to lock it so that nothing can be changed (more on this in part 3). There are also several different types of dmg files you should be aware of:
READ-ONLY DISK IMAGE
A read-only image is self explanatory: it prevents the contents of the disk image from being changed when opened (“mounted”). However, there is a dirty little secret about this format. When a read-only dmg is created, the free space of the original file/device is not written out to the dmg file. The volume header is not altered, so the volume inside the image still reports its full size when in fact the dmg file is much smaller (because the free space is missing). It will still mount just fine in Mac OS X, but in essence a read-only dmg is a sparse representation of the original, not a sector-for-sector copy, which matters if you were hoping to carve deleted data out of unallocated space.
COMPRESSED DISK IMAGE
A compressed dmg is similar to a read-only dmg, except that the stored data is also compressed to some degree. Compression is not protection: it is neither encryption nor password protection, which is a separate option. Like a read-only image, a compressed image mounts read-only; to change its contents you would first have to convert it to a read/write image (hdiutil convert -format UDRW), which is exactly what you do not want to do to evidence.
READ/WRITE DISK IMAGE
Read/write is a normal dmg file which is the same size as the file/device it was made from. This dmg type contains not only all the files, but the free space as well, so it is the equivalent of a raw dd image. In fact, you can rename the extension from .dmg to .dd and vice versa without any issues, provided the image really is a raw read/write image and not a read-only, compressed or encrypted one (hdiutil imageinfo reports the Format, UDRW for read/write, so check before you rely on that) – more on this later.
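The differences between the read-only, compressed and read/write types above are visible in the file itself, so you do not have to trust the extension. Read-only and compressed images are UDIF files: the last 512 bytes are a “koly” trailer that points at an XML property list, whose blkx entries describe, run by run, how each range of sectors is stored (raw, zlib, bzip2, and so on) or not stored at all (zero-fill and ignore runs, which is where the missing free space goes). A raw read/write image has no trailer, and an encrypted image starts with its own “encrcdsa” header. The script below is an added example written for this post, not BlackBag or Apple code; it assumes the UDIF field layout documented by the dmg2img/libdmg reverse-engineering work, and the sample image it builds is constructed inline so the script runs without a real dmg.

```python
"""Tell a raw (read/write, dd-style) Apple Disk Image from a UDIF one and show how
UDIF stores each run of sectors.  Added example for this post, not BlackBag/Apple code.
Assumes the UDIF layout documented by the dmg2img/libdmg reverse engineering."""
import plistlib
import struct
import sys

SECTOR = 512
KOLY_SIZE = 512       # UDIF trailer: always the last 512 bytes of the file, magic "koly"
MISH_HEADER = 204     # fixed header of a blkx "mish" blob, followed by 40-byte chunk entries
CHUNK = 40

# Chunk types seen in blkx tables.  Only "raw" and the compressed kinds occupy bytes in
# the data fork; zero-fill and ignore runs are free space that is simply not stored.
CHUNK_TYPES = {
    0x00000000: "zero-fill",
    0x00000001: "raw",
    0x00000002: "ignore",
    0x80000004: "adc",
    0x80000005: "zlib",
    0x80000006: "bzip2",
    0x80000007: "lzfse",
    0x7FFFFFFE: "comment",
    0xFFFFFFFF: "terminator",
}


def parse_mish(blob):
    """Decode one blkx blob into (type name, sector count, bytes stored in file) tuples."""
    if blob[:4] != b"mish":
        raise ValueError("not a mish block")
    nchunks = struct.unpack_from(">I", blob, 200)[0]
    chunks = []
    for i in range(nchunks):
        ctype, _comment, _sector, nsectors, _offset, length = struct.unpack_from(
            ">IIQQQQ", blob, MISH_HEADER + i * CHUNK)
        chunks.append((CHUNK_TYPES.get(ctype, hex(ctype)), nsectors, length))
    return chunks


def inspect_image(data):
    """Classify an in-memory image and account for where its sectors actually live."""
    if data[:8] == b"encrcdsa":
        # Password-protected (encrypted) image: nothing below applies until it is unlocked.
        return {"format": "encrypted", "file_bytes": len(data)}
    if len(data) < KOLY_SIZE or data[-KOLY_SIZE:][:4] != b"koly":
        # No trailer: a raw image; every sector, free space included, is in the file.
        return {"format": "raw", "logical_bytes": len(data), "file_bytes": len(data)}
    trailer = data[-KOLY_SIZE:]
    xml_offset, xml_length = struct.unpack_from(">QQ", trailer, 216)
    sector_count = struct.unpack_from(">Q", trailer, 492)[0]
    plist = plistlib.loads(data[xml_offset:xml_offset + xml_length])
    by_type = {}
    for entry in plist["resource-fork"]["blkx"]:        # one entry per partition/table
        for name, nsectors, length in parse_mish(entry["Data"]):
            sectors, stored = by_type.get(name, (0, 0))
            by_type[name] = (sectors + nsectors, stored + length)
    return {"format": "udif", "logical_bytes": sector_count * SECTOR,
            "file_bytes": len(data), "chunks": by_type}


def build_sample_udif(raw_sectors=3, zero_sectors=7, ignored_sectors=90):
    """Constructed test image: a few raw sectors followed by free space recorded as
    zero-fill / ignore runs, which take no room in the file (the post's 'dirty secret')."""
    payload = bytes(range(256)) * (raw_sectors * SECTOR // 256)
    total = raw_sectors + zero_sectors + ignored_sectors
    # (type, sectors, offset in data fork, stored length)
    table = [(0x00000001, raw_sectors, 0, len(payload)),
             (0x00000000, zero_sectors, len(payload), 0),
             (0x00000002, ignored_sectors, len(payload), 0),
             (0xFFFFFFFF, 0, len(payload), 0)]
    mish = bytearray(MISH_HEADER)
    struct.pack_into(">4sIQQQ", mish, 0, b"mish", 1, 0, total, 0)
    struct.pack_into(">I", mish, 200, len(table))
    sector = 0
    for ctype, nsectors, offset, length in table:
        mish += struct.pack(">IIQQQQ", ctype, 0, sector, nsectors, offset, length)
        sector += nsectors
    plist = plistlib.dumps({"resource-fork": {"blkx": [
        {"Attributes": "0x0050", "ID": "0", "Name": "whole disk", "Data": bytes(mish)}]}})
    koly = bytearray(KOLY_SIZE)
    struct.pack_into(">4sIII", koly, 0, b"koly", 4, KOLY_SIZE, 1)
    struct.pack_into(">QQ", koly, 24, 0, len(payload))            # data fork offset/length
    struct.pack_into(">QQ", koly, 216, len(payload), len(plist))  # XML plist offset/length
    struct.pack_into(">Q", koly, 492, total)                       # logical sector count
    return payload + plist + bytes(koly)


if __name__ == "__main__":
    # python3 dmg_inspect.py image.dmg   (reads the whole file; fine for small images)
    with open(sys.argv[1], "rb") as f:
        print(inspect_image(f.read()))
```

Run against the constructed sample, the report shows a 100-sector (51,200 byte) volume held in a file a fraction of that size, with 97 of the 100 sectors living in zero-fill/ignore runs that occupy no bytes at all; that is the gap between what the volume header claims and what a read-only image actually contains. A genuine raw read/write image comes back as “raw” with file size equal to logical size, which is the only case where the .dmg to .dd rename is honest. The script reads the whole file into memory, so for multi-gigabyte evidence you would want to seek to the trailer instead.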
DVD/CD MASTER
The DVD/CD master will create a static file image (Disk Utility gives these a .cdr extension) which is burnable to DVD or CD media; however, the resulting burned disc has only one filesystem, HFS+ (Mac OS Extended), which is not very useful in other operating systems.
HYBRID IMAGE (HFS+/ISO/UDF)
A hybrid image carries up to four file systems (the -hfs, -iso, -joliet and -udf options of hdiutil makehybrid) in a single image. The data area of the image is shared between all file systems, and only the directory information and volume metadata are unique to each file system. In other words, this is truly a cross-platform image.
SPARSE DISK IMAGE
A sparse disk image is an automatically-expanding disk image. For example, let’s say you set the size of the disk image at 10GB. If you put in 1GB of data, the disk image file will only be about 1GB in size, but the volume is capable of storing an additional 9GB of data. It is important to understand that a sparse disk image will grow, but will not shrink automatically. You can use Disk Utility, or hdiutil compact from the command line, to shrink it and reclaim unused space.
SPARSE BUNDLE DISK IMAGE
A sparse image is one large file on your disk, whereas a sparse bundle is actually a directory (a bundle) holding lots of small files, 8 megabytes each by default. A sparse bundle image works and looks the same as a sparse disk image, but being a bundle, you can right-click on it and select “Show Package Contents” and see the individual 8 meg “bands.” The sparse bundle was introduced with Mac OS X 10.5 in order to support Time Machine (especially with FileVault, where the entire home directory is a sparse bundle). Time Machine will only copy the bands that have changed since the last backup, so the backups are much quicker.
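Because the bands are ordinary files, you can account for a sparse bundle without mounting it at all, which is the safe way to size up evidence: Info.plist inside the bundle records the band size and the logical size the volume will claim, and the bands directory holds one hex-numbered file per band that has ever been written. The script below is an added example for this post, not BlackBag or Apple code; it assumes the Info.plist keys and hex band names that .sparsebundle directories use, and it builds its own toy bundle in a temporary directory so it runs without a real one.

```python
"""Account for a sparse bundle: logical size from Info.plist versus the bands that actually
exist on disk.  Added example for this post, not BlackBag/Apple code.  Assumes the Info.plist
keys and hex-named band files used by .sparsebundle directories."""
import os
import plistlib
import sys
import tempfile

BUNDLE_TYPE = "com.apple.diskimage.sparsebundle"


def inspect_sparsebundle(path):
    """Read Info.plist and bands/; return how much of the image has really been written."""
    with open(os.path.join(path, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    if info.get("diskimage-bundle-type") != BUNDLE_TYPE:
        raise ValueError("not a sparse bundle: %s" % path)
    band_size = info["band-size"]        # 8 MiB unless the bundle was created otherwise
    logical = info["size"]               # the size the mounted volume will claim
    present = {}
    bands_dir = os.path.join(path, "bands")
    for name in os.listdir(bands_dir):   # band files are named by their hex index
        present[int(name, 16)] = os.path.getsize(os.path.join(bands_dir, name))
    return {
        "logical_bytes": logical,
        "band_size": band_size,
        "total_bands": -(-logical // band_size),   # ceiling division
        "bands_present": len(present),
        "allocated_bytes": sum(present.values()),
        "highest_band": max(present) if present else None,
    }


def build_sample_sparsebundle(root, size=10 * 1024 ** 3, band_size=8 * 1024 ** 2,
                              written=(0, 1, 0x1F)):
    """Constructed test bundle: a 10 GB image in which only three bands were ever written."""
    os.makedirs(os.path.join(root, "bands"))
    with open(os.path.join(root, "Info.plist"), "wb") as f:
        plistlib.dump({
            "CFBundleInfoDictionaryVersion": "6.0",
            "band-size": band_size,
            "bundle-backingstore-version": 1,
            "diskimage-bundle-type": BUNDLE_TYPE,
            "size": size,
        }, f)
    for index in written:
        with open(os.path.join(root, "bands", format(index, "x")), "wb") as f:
            f.write(bytes(band_size))   # a fully written band is exactly band_size long
    return root


def demo():
    """Build the sample bundle in a temp dir and inspect it."""
    root = os.path.join(tempfile.mkdtemp(), "sample.sparsebundle")
    return inspect_sparsebundle(build_sample_sparsebundle(root))


if __name__ == "__main__":
    print(inspect_sparsebundle(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

For the constructed bundle the report is a 10 GB volume made of 1,280 possible bands, of which only three exist, so 24 MB is all that has ever been allocated; the gap between bands_present and total_bands is the unwritten space, and the highest band index tells you how far into the volume data has ever reached. Real bundles also carry an Info.bckup copy of the plist and a token file, which this script ignores; reading each band’s modification time alongside its size is an easy extension when you want to see which bands Time Machine would pick up on the next backup.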