
Try to Be More Sensitive

Discovering Insensitivity

While running through the steps of an exercise during the Mobile Forensic Analysis course from Hexordia, I ran into an interesting sensitivity issue. For me, unsolved issues like this are not acceptable. I'm sure that if you are a forensicator like me, this same standard applies to you. Let's walk through my testing and the solution I discovered.

The Problem with Insensitivity

I was dealing with data from Apple File System from an iOS image in ZIP format. Although many tools can parse the ZIP file as is, others may require the file to be extracted. You may want to manually browse through the files and folders as well. When performing the ZIP extraction on a Windows computer, you are likely to run into a problem. This problem will cause you to miss possibly vital information.

The problem I speak of is based on the file system's inability to handle case sensitivity. In the screenshot below, you will note that the extraction was attempting to put two files in the same folder with the same name, except that one had a capital letter and the other did not.

Whether you choose to overwrite or skip this file, the answer is still wrong. We need both files to allow a complete view of the data from the iOS extraction.
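An added example, not from the original post: a Python check that lists the archive paths differing only by letter case, so you know before extracting which files or folders a case-insensitive volume would overwrite or skip. The sample archive paths are constructed, and `str.lower()` is assumed here as an approximation of Windows' case-insensitive name comparison.

```python
import io
import sys
import zipfile
from collections import defaultdict


def find_case_collisions(zip_source):
    """Return groups of archive paths that differ only by letter case.

    Every prefix of every entry is checked, so colliding folders
    ("Test/" vs "test/") are reported as well as colliding files.
    """
    seen = defaultdict(set)  # lower-cased path -> spellings in the archive
    with zipfile.ZipFile(zip_source) as zf:
        for name in zf.namelist():
            parts = [p for p in name.split("/") if p]
            for depth in range(1, len(parts) + 1):
                prefix = "/".join(parts[:depth])
                # Assumption: lower() approximates Windows name comparison.
                seen[prefix.lower()].add(prefix)
    return sorted(sorted(group) for group in seen.values() if len(group) > 1)


def build_sample_zip():
    """Constructed in-memory archive; these paths are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("private/var/mobile/Library/Notes.db", b"a")
        zf.writestr("private/var/mobile/Library/notes.db", b"b")
        zf.writestr("private/var/mobile/Media/IMG_0001.JPG", b"c")
        zf.writestr("private/var/Test/one.txt", b"d")
        zf.writestr("private/var/test/two.txt", b"e")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a ZIP path as the first argument, or run with none for the sample.
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_zip()
    for group in find_case_collisions(source):
        print("collision:", " <-> ".join(group))
```

An empty result means the archive can be extracted to a case-insensitive folder without name clashes; any reported group is a file or folder that would be merged, overwritten or skipped.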

This issue first presented itself when I attempted to extract the ZIP file to an NTFS volume. I next tried the extraction to an external exFAT-formatted thumb drive. I found the same problem.

Maxim Suhanov has a more detailed blog post on case sensitivity in Windows file systems here.

Mac OS exFAT Sensitivity Testing

Some websites suggested that exFAT was case sensitive even though my testing on Windows 11 (22H2) showed this to be false. It was time to open a MacBook Pro laptop and test the theory. I inserted a thumb drive and formatted it from the Mac as exFAT. I first created a folder with the name "Test", capitalizing the first letter. I then attempted to create a second folder with the same name but without capitalization. It also failed.

Acquiring Sensitivity

This looks like we have hit a dead end. However, I'm not fond of giving up 😉. After some research using a popular search engine, I located the answer in a Microsoft article here. It details how to set case sensitivity on a specific subfolder on an NTFS volume.

TIP: Create a new empty folder before applying the fsutil command. It will not work if the folder is not empty.

After following the directions in the section "Changing the case sensitivity of files and directories", I extracted the iOS full file system image to my Windows 11 computer without errors or loss of data.

Be Sensitive to the Data's Needs

The next time you need to extract an image from iOS, Linux or another case-sensitive file system on Windows, have an NTFS volume ready and configure the empty folder using the fsutil command. The most important thing to remember is that it can be done!