Understanding DMG files part 2 of 3
In part one of this series we covered the different types of DMG files. In part two we will discuss format types, partition schemes, and encryption.
There are 6 types of formats that can make up a DMG image. You can use Disk Utility to create a DMG with any of the following types:
The default is Mac OS Extended (Journaled), which is also the default format for a standard Mac OS X install.
Mac OS Extended
Mac OS 8.1 and later support a volume format named Mac OS Extended, more commonly known as HFS Plus (HFS+). HFS+ optimizes storage capacity, so instead of a 4K file requiring 64K of space as it does in Mac OS Standard format, it requires only the actual 4K on disk.
Mac OS Extended (Journaled)
Journaling for the Mac OS Extended (HFS Plus) file system enhances computer availability and fault resilience.
Mac OS Extended (Case-Sensitive)
This is the same file system as above, but it treats file names with case sensitivity. That means file names that differ only in case are treated as different names. So the file text.txt is different from the file Text.txt, and both can exist together. This matches the behavior of UNIX.
Mac OS Extended (Case-Sensitive, Journaled)
This is HFS+ with a combination of case sensitivity and journaling.
FAT is the most common file system, but it is older and typically used with MS-DOS and Windows. There is a file size limit of 4 GB on a FAT volume.
The Extended File Allocation Table (exFAT) is a newer file system that is better suited for mobile storage. The exFAT file system handles large files and is supported by Mac OS X 10.6.5 and higher.
There are many partition schemes available to choose from for a DMG image:
The hard disk partition scheme creates an Apple Partition Map but also includes the Apple_Driver partitions, which are used by older Mac systems.
The CD/DVD images adhere to standards such as ISO-9660 and its extension Joliet, which govern the file system on such media. These are generic standards that allow CD/DVD data to be read on other operating systems.
No Partition Map
There is no partition scheme used at all.
Apple Partition Map
This partition scheme is used by PowerPC Mac computers. PowerPC Macs can only boot from disks that have this scheme. However, you can’t put FAT partitions on the disk.
Master Boot Record
This is how MS-DOS and Windows organize a disk, so use this if you have an external drive that you also want to use with a Windows machine. You can also use the HFS+ file system on disks with a master boot record, but older Mac versions do not support this.
GUID Partition Table
This is how Intel Macs organize their boot disks. You can put partitions with any of the supported file systems on a GUID disk, but only Mac OS versions greater than 10.4 can access these disks.
DMG files can be encrypted using either 128-bit or 256-bit AES encryption.
The interesting thing to note about setting encryption on a DMG is that by default the “Remember password in my keychain” option is checked. This means that unless a user un-checks that box, the password will be in the user's keychain.
You can also use a dictionary attack against an encrypted DMG to try and break the password.
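An added triage example (not part of the original article, and not BlackBag code): a Python sketch that recognizes an encrypted DMG wrapper, the partition schemes listed above, and the HFS+ variants from their on-disk signatures. The function names are hypothetical, 512-byte blocks are assumed, and the partition and volume checks apply only to raw image data (a compressed or encrypted DMG must be converted first).

```python
import struct

SECTOR = 512  # assumed block size; some APM media use larger blocks

def dmg_wrapper(data: bytes) -> str:
    """Identify the DMG container from its header/trailer magic."""
    if data[:8] == b"encrcdsa":
        return "encrypted (v2 header)"
    if data[-8:] == b"cdsaencr":
        return "encrypted (v1 trailer)"
    if data[-512:-508] == b"koly":          # UDIF trailer is the last 512 bytes
        return "UDIF (koly trailer)"
    return "raw or unknown"

def volume_format(vol: bytes) -> str:
    """Classify a volume; vol must begin at the volume's first byte."""
    sig = vol[1024:1026]                    # HFS+ volume header sits at offset 1024
    if sig in (b"H+", b"HX"):               # HX = HFSX, which allows case-sensitive names
        attrs = struct.unpack(">I", vol[1028:1032])[0]
        name = "HFS+" if sig == b"H+" else "HFSX"
        return name + (" journaled" if attrs & (1 << 13) else "")
    if vol[3:11] == b"EXFAT   ":
        return "exFAT"
    if vol[54:57] == b"FAT" or vol[82:87] == b"FAT32":  # heuristic type labels
        return "FAT"
    return "unknown"

def partition_scheme(data: bytes) -> str:
    """Classify the partition scheme of raw image data."""
    if data[SECTOR:SECTOR + 8] == b"EFI PART":
        return "GUID Partition Table"       # test before MBR: GPT carries a protective MBR
    if data[SECTOR:SECTOR + 2] == b"PM":
        return "Apple Partition Map"
    if volume_format(data) != "unknown":
        return "No Partition Map"           # a file system starts at offset 0
    if data[510:512] == b"\x55\xaa":
        return "Master Boot Record"
    return "unknown"

def constructed_sample() -> bytes:
    """Constructed test input: blank 4 KiB image with a journaled HFSX header."""
    img = bytearray(4096)
    img[1024:1026] = b"HX"
    img[1028:1032] = struct.pack(">I", 1 << 13)
    return bytes(img)

if __name__ == "__main__":
    img = constructed_sample()
    print(dmg_wrapper(img), "|", partition_scheme(img), "|", volume_format(img))
```

For a partitioned image, pass `volume_format` the bytes starting at the partition's offset rather than at the start of the image.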