Mac OS X Previous Versions Chunk Storage Parser
This script parses Mac OS X chunk-storage SQLite database-files used by the previous-versions feature introduced in Mac OS X Lion. The chunk-storage database is located at the following path in HFS+ and APFS volumes that support this feature -
\.DocumentRevisions-V100\.cs\ChunkStoreDatabase
The database contains several tables including one called 'CSStorageChunkListTable'. Each record in this table represents one previous version of a file and lists the chunks used to store that file's data. The chunks themselves are stored in one or more files in the following folder -
\.DocumentRevisions-V100\.cs\ChunkStorage
Previous versions of files are stored within the following folders and sub-folders -
\.DocumentRevisions-V100\AllUIDs
\.DocumentRevisions-V100\PerUID
The files in these folders are marked as compressed and are accessible only by the Mac OS X system and root user.
The link between the previous version of a file and its chunk-data is made by a 'com.apple.decmpfs' extended attribute. This attribute contains the index of the record in the 'CSStorageChunkListTable' table that references the file's chunk-data.
This script will locate the data for each file represented by a record in the 'CSStorageChunkListTable' table and write it into a logical evidence file, which can be loaded into the current case automatically.
The script will attempt to match the recovered data to the appropriate path under the '.DocumentRevisions-V100\AllUIDs' folder. If it can't do this then the script will write the data as a stream under the relevant chunk-storage database-file.
The script will only parse HFS+/HFSX/APFS chunk storage database files having the name and path mentioned above.
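A quick way to triage an exported copy of the ChunkStoreDatabase file before running a full parse is sketched below in Python. This is an added example, not part of the script described on this page. It opens the database without modifying it, confirms that the 'CSStorageChunkListTable' table is present, and reports its columns and record count (one record per previous version). The function names and the sample database's column names are hypothetical.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

TABLE = "CSStorageChunkListTable"  # table name given on this page


def summarize_chunk_store(db_path):
    """Return (column names, record count) for the chunk-list table, or None if absent."""
    # mode=ro plus immutable=1: open without locking or modifying the evidence copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        found = con.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (TABLE,)
        ).fetchone()
        if found is None:
            return None
        # Read the schema from the file itself rather than assuming column names.
        columns = [row[1] for row in con.execute(f'PRAGMA table_info("{TABLE}")')]
        count = con.execute(f'SELECT COUNT(*) FROM "{TABLE}"').fetchone()[0]
        return columns, count
    finally:
        con.close()


def build_sample(path):
    """Constructed stand-in database; the column names here are hypothetical."""
    con = sqlite3.connect(path)
    con.execute(f'CREATE TABLE "{TABLE}" (list_id INTEGER PRIMARY KEY, chunk_ids BLOB)')
    con.executemany(
        f'INSERT INTO "{TABLE}" (chunk_ids) VALUES (?)',
        [(b"\x01\x02",), (b"\x03",), (b"\x04\x05\x06",)],
    )
    con.commit()
    con.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "ChunkStoreDatabase")
        build_sample(sample)
        print(summarize_chunk_store(sample))
```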