Mac OS X Previous Versions Chunk Storage Parser
This script parses MacOS chunk-storage SQLite database-files used by the previous-versions feature introduced in MacOS X Lion. The chunk-storage database is located at the following path in HFS+ and APFS volumes that support this feature -
\.DocumentRevisions-V100\.cs\ChunkStoreDatabase
The database contains several tables including one called 'CSStorageChunkListTable'. Each record in this table represents one previous version of a file and lists the chunks used to store that file's data. The chunks themselves are stored in one or more files in the following folder -
\.DocumentRevisions-V100\.cs\ChunkStorage
Previous versions of files are stored within the following folders and sub-folders -
\.DocumentRevisions-V100\AllUIDs
\.DocumentRevisions-V100\PerUID
The files in this folder are marked as compressed and accessible only by the MacOS system and root user.
The link between the previous version of a file and its chunk-data is made by a 'com.apple.decmpfs' extended attribute. This attribute contains the index of the record in the 'CSStorageChunkListTable' table that references the file's chunk-data.
This script will locate the data for each file represented by a record in the 'CSStorageChunkListTable' table and write it into a logical evidence file, which can be loaded into the current case automatically.
The script will attempt to match the recovered data to the appropriate path under the '.DocumentRevisions-V100\AllUIDs' folder. If it can't do this then the script will write the data as a stream under the relevant chunk-storage database-file.
The script will only parse HFS+\HFSX\APFS chunk storage database files having the name and path mentioned above.
The script is capable of parsing chunk storage data contained in logical evidence files provided that (a) each '.DocumentRevisions-V100' folder has been captured in its entirety, (b) each HFS+/HFSX $Attributes file has been captured (this is not necessary for APFS as EnCase presents each previous-version's compressed attribute as its file-data), and (c) that file-system paths have been preserved relative to the host volume (the representation of a volume in a LEF is simply a folder albeit EnCase will list the volume's attributes in the Attributes tab).
This script was developed for use in EnCase training. For more details, please click the following link:
Download Now