Friday, June 10, 2011

How to mount Mac OS X HFS+ partition (rw) in Linux

SkyHi @ Friday, June 10, 2011
Update: Posted a follow-up article to mount HFS+ dd images
The first time I tried to mount a Mac OS X partition in Linux, I ran into several issues. Here were the problems I had and the resolution.

HFS+ partition structure
Many computer forensic jobs are on Windows or even Linux computers, which use the DOS partition structure. So, the first time you come across an Apple partition, things look a bit different. The following are the partitions, as seen by mmls and parted, on an HFS+ USB drive:

mmls output
wintermute:/mnt# mmls /dev/sdc
MAC Partition Map
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Unallocated
01:  00      0000000001   0000000063   0000000063   Apple_partition_map
02:  Meta    0000000001   0000000004   0000000004   Table
03:  01      0000000064   0000262207   0000262144   Apple_Free
04:  02      0000262208   0160086511   0159824304   Apple_HFS
05:  03      0160086512   0160086527   0000000016   Apple_Free

parted output
wintermute:/mnt# parted /dev/sdc
GNU Parted 1.7.1
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print

Disk /dev/sdc: 82.0GB
Sector size (logical/physical): 512B/512B
Partition Table: mac

Number  Start   End     Size    File system  Name                  Flags
1      0.51kB  32.8kB  32.3kB               Apple
3      134MB   82.0GB  81.8GB  hfs+         Apple_HFS_Untitled_1

HFS+ partition and journaling
When you mount the HFS+ partition, you issue the following:
wintermute:/mnt# mount -t hfsplus /dev/sdc3 /mnt/sdc/
and while everything looks good from mount:
wintermute:/mnt# mount
/dev/sdc3 on /mnt/sdc type hfsplus
the journaled filesystem has actually caused some issues. You notice this if you want to write to the drive or if you look at dmesg:
sdc1: rw=0, want=262211, limit=63
hfs: unable to find HFS+ superblock
hfs: write access to a jounaled filesystem is not supported, use the force option at your own risk, mounting read-only.

Disabling journaling on HFS+ file system
If you need to write data to this drive (helpful as I move files between Linux, Windows and OS X forensic workstations), you can remove the journaling from the file system. This is not recommended for the system partition on a Mac but is fine for a data drive. Of course, understanding the benefits of a journaled file system for data recovery is important. Anyway, to remove the journal I issued the following command on my OS X workstation per Apple’s support article:
neuromancer:/Volumes root# /usr/sbin/diskutil disableJournal /Volumes/mac-backup

On your Mac:

Open Disk Utility under Applications -> Utilities
Select the volume to disable journaling on.
Choose Disable Journaling from the File menu.

Write away
Placing the drive back in Linux and mounting with the same command as above results in a writable HFS+ partition on my Linux workstation:
wintermute:/mnt# mount
/dev/sdc3 on /mnt/sdc type hfsplus (rw)
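
To see whether a volume is journaled before mounting it, or to confirm the journal is gone after the diskutil step, the HFS+ volume header can be read directly from the device or a dd image. The following is an added example, not code from the original post: the function names are hypothetical, the field layout and attribute bits are taken from Apple's HFS Plus volume format documentation (TN1150), and the start sector is the Apple_HFS start reported by mmls (262208 on the drive above; the constructed sample uses 64).

```python
import os
import struct
import tempfile

SECTOR = 512
VH_OFFSET = 1024            # HFS+ volume header starts 1024 bytes into the volume
ATTR_UNMOUNTED = 1 << 8     # kHFSVolumeUnmountedBit: set on a clean unmount
ATTR_JOURNALED = 1 << 13    # kHFSVolumeJournaledBit
ATTR_SOFTLOCK = 1 << 15     # kHFSVolumeSoftwareLockBit

def read_volume_header(path, start_sector=0):
    """Parse the first 16 bytes of the volume header without mounting anything."""
    with open(path, "rb") as f:
        f.seek(start_sector * SECTOR + VH_OFFSET)
        raw = f.read(16)
    if len(raw) < 16:
        raise ValueError("offset is past the end of the device or image")
    sig, version, attrs, last_mounted, jib = struct.unpack(">2sHI4sI", raw)
    if sig not in (b"H+", b"HX"):
        raise ValueError("no HFS+ signature at sector %d (wrong partition?)" % start_sector)
    return {"signature": sig, "version": version, "attributes": attrs,
            "last_mounted": last_mounted, "journal_info_block": jib}

def expected_linux_mount(hdr):
    """Return ('rw' or 'ro', reasons) for a plain mount -t hfsplus without force."""
    attrs, reasons = hdr["attributes"], []
    if not attrs & ATTR_UNMOUNTED:
        reasons.append("not cleanly unmounted")
    if attrs & ATTR_SOFTLOCK:
        reasons.append("software lock set")
    if attrs & ATTR_JOURNALED:
        reasons.append("journaled")
    return ("ro" if reasons else "rw"), reasons

def build_sample_image(path, start_sector, attrs, last_mounted):
    """Constructed test data: zero-filled image with only these header fields set."""
    hdr = struct.pack(">2sHI4sI", b"H+", 4, attrs, last_mounted, 0)
    with open(path, "wb") as f:
        f.seek(start_sector * SECTOR + VH_OFFSET)
        f.write(hdr)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.dd")
        # Constructed samples: journaled volume, then the same volume without a journal.
        for attrs, lm in ((ATTR_UNMOUNTED | ATTR_JOURNALED, b"HFSJ"), (ATTR_UNMOUNTED, b"10.0")):
            build_sample_image(img, 64, attrs, lm)
            print(lm, expected_linux_mount(read_volume_header(img, 64)))
```

Pointing the reader at the wrong start sector raises ValueError instead of returning data, the same condition behind the "unable to find HFS+ superblock" line in dmesg.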