Using L01 Collections for Mac Data

A number of our customers who perform targeted collections (primarily for eDiscovery, but increasingly for forensic investigations as well) have successfully collected Windows data for years using the L01 format. As Macs have become more prevalent, our clients have continued to use this format to collect Mac data as well. Unfortunately, using the L01 format to collect Mac data can create significant challenges that usually add time and cost, while potentially sacrificing quality.
The issues arise because the ‘logical’ file collection is run from a Windows-based tool, which obviously relies on a Windows operating system. It’s a logical assumption that this type of collection is not optimal for Mac file systems.  As a result, during the collection, data can be changed, potentially jeopardizing the investigation or complicating the litigation process.  Most often the following occur:

  1. Modification and creation dates are changed because they are replaced with the date and time of the collection.
  2. File names and paths can be truncated because Windows is limited to a 255-character length.
  3. Type and creator codes are separated or completely removed because these metadata fields do not exist within the Windows FAT and NTFS file systems.
  4. Data and resource forks are separated.

While any one of the above alone can degrade the data, many occur concurrently, further complicating the matter for the extraction of the data by Mac data processors.
Everyone agrees that it is optimal to review and analyze data in a native environment, and logically therefore, it is also optimal to acquire data in a native environment.  Acquiring Mac data using a native Mac format (such as .dmg) and writing out the data to an HFS-formatted drive helps avoid a number of the above-mentioned problems.  Our tool, MacQuisition, utilizes a licensed version of Mac OS X that offers a native option for creating forensic images.  Another option (if you’re comfortable with UNIX) is to use Terminal in Mac OS X to identify and copy out data to an HFS-formatted drive.
Here’s one example to copy out protected (read-only) data:
Within Terminal, create a read-only DMG directly from the collection folder using the following command (using Folder_A and Folder_B as examples):

hdiutil create -srcfolder /path/to/Folder_A -srcfolder /path/to/Folder_B -format UDRO /destination/to/name.dmg

Then you have two options for copying out the data:
1) Create a read-only DMG directly from the collection folder:

sudo hdiutil create -srcfolder <collection> -format UDRO <destination DMG>

You can add multiple -srcfolder options.
2) Create a sparse image, copy collection data into it, and then convert it to a read-only DMG:

hdiutil create -type SPARSE -size <size> -fs HFS+J -volname <volume name> <destination sparse>

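Use any of the following to copy the collection into the mounted sparse image:

cp -Rip <collection> <mounted sparse volume>

rsync -aWEpr <collection> <mounted sparse volume>

pax -r -w -pe <collection> <mounted sparse volume>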

hdiutil convert <sparse> -format UDRO -o <destination DMG>
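
A post-copy check for either option above, added here as an example (it is not part of the original post and is not MacQuisition code). It assumes the copy is reachable as a directory, for instance the mounted sparse image; the names `verify_copy`, `mtime` and `xattr_names` and the report labels are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. verify_copy compares a collection
# folder with its copy and reports the kinds of damage the post lists.

# Modification time in whole seconds: GNU stat first, then the BSD/macOS form.
mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Extended attribute names only (values are not compared), sorted. On macOS the
# type/creator codes sit in com.apple.FinderInfo and the resource fork in
# com.apple.ResourceFork. Prints nothing where no xattr command is installed.
xattr_names() { command -v xattr >/dev/null 2>&1 && xattr "$1" 2>/dev/null | sort; }

# Usage: verify_copy <collection dir> <copy dir>
# Prints one line per problem; returns 1 if any was found, 0 if none.
verify_copy() {
    src=$(cd "$1" && pwd) || return 2
    dst=$(cd "$2" && pwd) || return 2
    report=$(
        cd "$src" && find . -type f | while IFS= read -r rel; do
            rel=${rel#./}
            if [ ! -e "$dst/$rel" ]; then
                # A truncated file name or path also shows up as missing.
                echo "MISSING $rel"
                continue
            fi
            [ "$(mtime "$src/$rel")" = "$(mtime "$dst/$rel")" ] || echo "MTIME $rel"
            [ "$(xattr_names "$src/$rel")" = "$(xattr_names "$dst/$rel")" ] || echo "XATTR $rel"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run it as `verify_copy <collection> <mounted sparse volume>` before converting to the read-only DMG. It checks modification times only, and file names containing newlines are not handled.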

Again, L01 files are really not the issue here; rather, the underlying Windows operating system and file systems that are utilized are not optimized to handle Mac data.  Hopefully this offers some practical alternatives for optimally collecting Mac data.

BlackBag Team