[Bug?] Missing files in Autopsy 4.21/4.22 from macOS 10.4 disk image (HFS+) #7970
Description
Hi everyone,
I’m running into an issue with Autopsy 4.21 and 4.22 on Ubuntu 22.04.
I’m analyzing a .img disk image created from a macOS 10.4 (Tiger) system running in QEMU. When I mount the image manually (using sudo mount -t hfsplus -o uid=myuseruid MacOS10.4.img /mnt), I can see all the expected files in the filesystem.
However, when I add the image as a disk in Autopsy, some of those files do not appear at all in the interface, even though they clearly exist in the image.
The filesystem is HFS+, since it’s macOS 10.4.
I wrote a script to compare the file list from the mounted image and the file list from Autopsy. On this disk, there is a difference of around 20,000 files — they appear when the image is mounted, but are missing in Autopsy.
See the example below:
Script output :
View on the mount point :
Autopsy View :
You can see in the Autopsy view that the directory containing the missing files is shown as empty, and I can’t even see the parent directory as I do with other directories in the Listing section:
Parent folder that should appear in the Listing section:
Are there any known limitations in Autopsy or SleuthKit when dealing with HFS/HFS+ from older macOS versions? Or any settings I should tweak to ensure all files are visible?
Thanks in advance for any help or guidance!