Understanding DMG files part 3 of 3
For part 3 of our series, we are going to discuss sparse images, sparse bundles, and forensic concerns of DMGs.
A sparse image is a type of disk image file that can be created in Mac OS X using Disk Utility. Unlike a full image file (.dmg), which takes up as much actual space as the real disk it represents (regardless of the amount of unused space), a sparse image file (.sparseimage) takes up only as much actual disk space as the data contained within.
The Finder will report the full size of the sparse image when it is mounted; however, when it is not mounted, it will report the size of the data contained within it. A sparse image will expand in size to accomodate additional data up to the maximum size it was set for when it was created. Deleting files from the mounted sparse image will not reduce the size of the corresponding .sparseimage file.
There are two limitations with sparse images:
• A customized .sparseimage file can be made larger than the total capacity of the physical volume on which it originally resides. While the sparse image volume will seem to make that capacity available, attempting to exceed the physical capacity of the underlying volume will result in a disk error: “ran out of space.”
• Mounted .sparseimage image files automatically expand to their preassigned limit if and when data is added. They cannot be arbitrarily resized without the use of Disk Utility, hdiutil, or other software.
When the .sparseimage file is not mounted, the .sparseimage file may be resized or compacted. This is generally easiest to do from the Terminal.
Sparse bundles (.sparsebundle) were introduced with Mac OS X 10.5 (Leopard). Instead of a monolithic file, a sparse bundle is actually a bundle (looks like a directory on Windows) that stores the disk image as 8 MB files known as bands. When the content of the image is changed, one or more bands are changed, created, or deleted as needed.
These bands make it easier for backup mechanisms, such as Time Machine, to function. Instead of having to backup a single large file due to a change, only the bands that changed need to be backed up. The bands in the Finder will show as 8.4 MB because the Finder uses MB (megabyte) and not MiB (mebibyte), which would be more accurate.
A forensic tip: DMGs including sparse images and sparse bundles can be locked to prevent anything from changing. This is a critical piece of information to remember when it comes to forensics. Locking a DMG is very easy to accomplish. Start by right-clicking on the DMG and choose the “Get Info” option.
There is a check box for the option “Locked.” Checking this option will prevent any changes to the “.dmg” file when it is mounted. You can mount the .dmg and access the contents without any fear of altering the files or any metadata.
MacQuisition will automatically lock the .dmg files it creates for you.
As a final note in this series, it’s important to understand that a .dmg file is the same as a raw “.dd” file. It simply has a different extension. You can arbitrarily change the extension from .dd to .dmg and back again. The advantage to using .dmg extension is that on a Mac, you can double-click the file to mount it as a volume. The latter isn’t possible to do if the file has a .dd extension.
There is a difference when it comes to split images. For raw .dd images, the extensions are just a sequence such as .000, .001, .002 and so on. For .dmg files, they need to be set as .dmg for the first segment, .002.dmgpart for the second, .003.dmgpart for the third and so on. We are currently updating and improving our DMG Rename tool (available free of charge to current BlackBag software and training customers, and MiCFE certified professionals) that does this quickly and accurately.