Monday, September 18, 2017

Interpreting volume info from FXDesktopVolumePositions

On a Mac, if you wanted to get a list of all connected volumes, you would typically look up FXDesktopVolumePositions in the com.apple.finder.plist file (one per user), found under /Users/<USER>/Library/Preferences/. The volumes listed here can include anything that has been mounted: a CD, a DMG file, a volume from an external disk, a network-mapped volume, or anything else that macOS treats as a mounted volume/device.

Figure 1: Snippet of 'FXDesktopVolumePositions' from com.apple.finder.plist

The above snippet shows every volume connected to one of our test machines. What's strange is the way the volume information is stored. Ignoring the icon position data (which resides a level below and is not shown in that screenshot), all that's available is a string that looks like this:


HandBrake-0.10.2-MacOSX.6_GUI_x86_64_0x1.b2a122dp+28

Studying this a bit, it appears that the random-looking hex number after the name is not really random. It represents the 'Created date' of the volume's root folder (for most, but not all, of the entries!). The date format is Mac Absolute Time (i.e., the number of seconds since 2001-01-01).
The picture below shows the breakdown.


Figure 2: Interpreting volume info from FXDesktopVolumePositions entry


The first part of the entry (up to the last underscore) is the name as it appears in the Finder window. The next part, ignoring the period, is the created date. This is followed by p+ and then a decimal number (usually 0, 26, 27, 28 or 29). I believe that number represents a volume type. From what I can see in some limited testing, if volume type=28, then the hex number is always the created date.

Large external disks (USB) that identify as fixed disks, and most DMG volumes, show up as type 28. All USB removable disks show up under type 29, and here the hex number is not a created date; it is unknown what this may be. Sometimes this number is negative for type 29, and a lot of volumes share the same number.

There is still some mystery about the hex number. For type=28, sometimes it is fewer than 8 digits long and needs to be padded with zeroes at the end; this does then produce an accurate date. Also, sometimes it is longer than 8 digits! In these cases, truncating the number at 8 digits has again produced an accurate date in limited testing. It is unclear what those extra digits would denote.

Update: As pointed out by Geoff Black, the part after the last underscore is simply the way floats are represented in hexadecimal notation (including the p+xx part, which is the exponent).

Following this discovery, mac_apt has been updated to parse this date.
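The following is an added example that is not code from this post or from mac_apt. It decodes an FXDesktopVolumePositions key exactly as Geoff describes: everything after the last underscore is a hexadecimal float literal, so float.fromhex() yields the Mac Absolute Time value directly, with no padding or truncation of digits. The plist it parses is constructed in memory (on a real system you would read the user's com.apple.finder.plist instead); the HandBrake key is the one quoted above, and the USB entry with a negative value is made up to show how a non-date value is handled.

```python
"""Decode FXDesktopVolumePositions keys from com.apple.finder.plist.

Added example, not code from the post or from mac_apt. The plist below is
constructed in memory; on a real system you would read
/Users/<USER>/Library/Preferences/com.apple.finder.plist instead.
"""
import plistlib
from datetime import datetime, timedelta, timezone

# Mac Absolute Time counts seconds from this instant.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def parse_volume_key(key):
    """Split a key into (volume name, decoded float, binary exponent).

    Everything after the last underscore is a hexadecimal float literal such
    as 0x1.b2a122dp+28; the 'p+28' is the power-of-two exponent of the float,
    not a volume type.
    """
    name, sep, hexfloat = key.rpartition("_")
    if not sep or not hexfloat.lstrip("-").startswith("0x"):
        raise ValueError("no hex float suffix in key: %r" % key)
    value = float.fromhex(hexfloat)
    exponent = int(hexfloat.lower().split("p")[1])
    return name, value, exponent


def mac_absolute_to_utc(seconds):
    """Convert Mac Absolute Time (seconds since 2001-01-01 UTC) to datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def interpret_volume_key(key):
    """Describe one entry; 'created' is None when the value is not a
    plausible timestamp (zero or negative, as the post reports for some
    removable USB volumes)."""
    name, value, exponent = parse_volume_key(key)
    created = None
    if value > 0:
        created = mac_absolute_to_utc(value).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"name": name, "raw": value, "exponent": exponent, "created": created}


def volumes_from_finder_plist(plist_bytes):
    """Parse a com.apple.finder.plist blob and interpret every volume key."""
    prefs = plistlib.loads(plist_bytes)
    positions = prefs.get("FXDesktopVolumePositions", {})
    return [interpret_volume_key(k) for k in positions]


# Constructed sample plist: the HandBrake key is the one quoted in the post;
# the USB entry and the icon-position sub-dicts are made up for this example.
SAMPLE_PLIST = plistlib.dumps({
    "FXDesktopVolumePositions": {
        "HandBrake-0.10.2-MacOSX.6_GUI_x86_64_0x1.b2a122dp+28": {"x": 100, "y": 100},
        "USB_STICK_-0x1.8p+1": {"x": 200, "y": 100},  # constructed negative value
    }
})

if __name__ == "__main__":
    for vol in volumes_from_finder_plist(SAMPLE_PLIST):
        print(vol)
```

The HandBrake key decodes to 455741997 seconds, i.e. 2015-06-11 18:59:57 UTC, which matches the HandBrake 0.10.2 release timeframe. The float exponent also explains the "type 28" observation: 2^28 seconds after 2001 is mid-2009 and 2^29 seconds is early 2018, so any volume created between those dates was written with p+28, and the digit count of the mantissa merely reflects how many trailing hex zeroes the float printer dropped.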

4 comments:

  1. Hey Yogesh, the whole string after the last "_" is a hexadecimal float string. In Python, you can use "float.fromhex(s)", then convert that to Mac Absolute Time. Only certain filesystems seem to have positive values (HFS+ only?). Verified this with SANS training materials and personal testing.

    https://docs.python.org/3/library/stdtypes.html#float.fromhex

    Geoff

  2. Good post Yogesh. The information about mounted volumes/DMGs can also be ascertained using macOS Unified Logs:

    1. log show --info --predicate 'process == "fseventsd" && eventMessage contains "/Volumes"'

    2. log show --info --predicate '(process=="fseventsd" or process=="deleted") and (eventMessage contains "/Volumes/" or eventMessage contains "fseventsd getting new uuid:")'

    The logarchives can be extracted from a suspect machine and parsed/analyzed on a macOS native terminal. Most importantly, it's difficult to get the serial numbers of the USB device, as macOS records the UUIDs of the devices in the Unified Logs. It was tested on macOS High Sierra.

  3. Thanks for the info Swastik. The unified logs, fseventsd logs and the quicktime thumbnail cache all have traces of volume activity.