
HFS+ Grammar Updates – Now with Windows & Linux Support!

Updated HFS+ Grammars:

My Synalyze It! HFS+ grammars have been updated thanks to feedback from ‘Cugu’, who pointed out an error in the Reserved field of the Header Record: it should have been 4x16 bytes, not just 4 bytes. Thanks ‘Cugu’! The updated grammars can be accessed in the Resources Section.

Windows & Linux Support:

Windows and Linux support for the Synalyze It! grammars is now available through Hexinator, from the same developer as Synalyze It! This program appears to be free as of this writing. Hexinator works and feels just like Synalyze It!

An example of Hexinator with my HFS+ Catalog File Grammar.


The HFS+ file system is an often forgotten part of Mac OS X analysis. Everyone always talks about being able to parse the FAT or NTFS file system files, but I almost never hear about someone needing or wanting to parse the HFS+ special files.

In my new SANS FOR518 - Mac Forensic Analysis class I have the students parse by hand certain aspects of an HFS+ file system. Perhaps I enjoy a good case of schadenfreude, but I believe learning how a file system stores data is one of the fundamentals in this industry that everyone should understand.

I’m not asking everyone to parse their file system files by hand in every case, but you should have the background knowledge and ability to do it if the need arises. Perhaps you need to validate a tool’s output, or analyze data that is corrupted and that no tool can parse. Let me tell you, parsing HFS+ will give you a whole new appreciation for the simplicity that is NTFS or FAT!

HFS+ is comprised of the volume header and five “special files”. Three of these files use balanced trees (or B-trees) to organize their file and folder data.

  • Volume Header – Contains data about the volume (surprise?): timestamps, allocated blocks, the location of the “special” files, etc.
  • Catalog File – Contains a B-tree with data about each file and folder and its hierarchy: timestamps, CNID, owner information, file extents, etc. (Think $MFT on NTFS.)
  • Attributes File – Contains a B-tree with additional attributes for files and folders, usually in the form of extended attributes. My favorite extended attribute is!
  • Allocation File – Contains a bitmap of how the volume’s blocks are allocated.
  • Extents Overflow File – Contains a B-tree of overflow extents from the Catalog File, recording where files are allocated.
  • Startup File – Used for booting other systems – I have personally not seen this implemented on newer systems.
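To show what “parsing by hand” involves, here is an added example (my own code, not from the blog or from the grammar files) that parses the 512-byte HFS+ Volume Header with Python’s `struct` module, following the field layout in Apple’s Technical Note TN1150. It decodes the signature, a couple of attribute bits, the HFS+ dates (seconds since 1904-01-01), and the fork data for the five special files, and then turns each file’s first extent into a byte offset on the volume. The header bytes are a constructed sample of a fictitious 1 GiB journaled volume, not an image from the post.

```python
import struct
from datetime import datetime, timezone, timedelta

# HFS+ dates count seconds from 1904-01-01. Per TN1150 all are UTC except
# createDate, which is stored in local time (treated as UTC here for display).
HFSPLUS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
VOLUME_HEADER_OFFSET = 1024   # the header always sits 1024 bytes into the volume
VOLUME_HEADER_SIZE = 512

# HFSPlusForkData: logicalSize (u64), clumpSize (u32), totalBlocks (u32),
# then 8 extent descriptors of (startBlock u32, blockCount u32) -> 80 bytes.
FORK_FMT = ">QII" + "II" * 8
FORK_SIZE = struct.calcsize(FORK_FMT)

# Fixed head of HFSPlusVolumeHeader: signature, version, 17 x u32,
# encodingsBitmap (u64), finderInfo[8] -> 112 bytes, all big-endian.
HEAD_FMT = ">2sH" + "I" * 17 + "Q" + "8I"
HEAD_SIZE = struct.calcsize(HEAD_FMT)

HEAD_FIELDS = ("signature", "version", "attributes", "lastMountedVersion",
               "journalInfoBlock", "createDate", "modifyDate", "backupDate",
               "checkedDate", "fileCount", "folderCount", "blockSize",
               "totalBlocks", "freeBlocks", "nextAllocation", "rsrcClumpSize",
               "dataClumpSize", "nextCatalogID", "writeCount", "encodingsBitmap")
DATE_FIELDS = ("createDate", "modifyDate", "backupDate", "checkedDate")
SPECIAL_FILES = ("allocationFile", "extentsFile", "catalogFile",
                 "attributesFile", "startupFile")
# Only two attribute bits are decoded here (TN1150 defines more).
ATTR_BITS = {8: "unmounted_cleanly", 13: "journaled"}


def hfs_date(raw):
    """A zero HFS+ date means 'never set'; anything else is an offset from 1904."""
    return None if raw == 0 else HFSPLUS_EPOCH + timedelta(seconds=raw)


def parse_fork(buf, off):
    vals = struct.unpack_from(FORK_FMT, buf, off)
    extents = [(vals[3 + 2 * i], vals[4 + 2 * i]) for i in range(8)]
    return {"logicalSize": vals[0], "clumpSize": vals[1], "totalBlocks": vals[2],
            # drop unused (zero-length) extent slots
            "extents": [e for e in extents if e[1] != 0]}


def parse_volume_header(buf):
    """Parse a 512-byte HFS+ volume header (as read at offset 1024)."""
    if len(buf) < VOLUME_HEADER_SIZE:
        raise ValueError("volume header needs %d bytes" % VOLUME_HEADER_SIZE)
    vals = struct.unpack_from(HEAD_FMT, buf, 0)
    hdr = dict(zip(HEAD_FIELDS, vals[:len(HEAD_FIELDS)]))
    hdr["finderInfo"] = list(vals[len(HEAD_FIELDS):])
    hdr["signature"] = hdr["signature"].decode("ascii", "replace")
    if hdr["signature"] not in ("H+", "HX"):
        raise ValueError("bad signature %r, not an HFS+/HFSX header" % hdr["signature"])
    hdr["attributeFlags"] = [n for b, n in ATTR_BITS.items() if hdr["attributes"] >> b & 1]
    for f in DATE_FIELDS:
        hdr[f] = hfs_date(hdr[f])
    for i, name in enumerate(SPECIAL_FILES):
        hdr[name] = parse_fork(buf, HEAD_SIZE + i * FORK_SIZE)
    return hdr


def special_file_offsets(hdr):
    """Byte offset on the volume of each special file's first extent (None if empty)."""
    bs = hdr["blockSize"]
    return {name: (hdr[name]["extents"][0][0] * bs if hdr[name]["extents"] else None)
            for name in SPECIAL_FILES}


def pack_fork(logical_size, clump, total_blocks, extents):
    ext = list(extents) + [(0, 0)] * (8 - len(extents))
    return struct.pack(FORK_FMT, logical_size, clump, total_blocks,
                       *[x for e in ext for x in e])


def build_sample_header():
    """Constructed sample (not real data): a fictitious 1 GiB journaled volume."""
    head = struct.pack(HEAD_FMT, b"H+", 4,
                       (1 << 8) | (1 << 13),   # attributes: unmounted cleanly + journaled
                       0x4846534A,             # lastMountedVersion 'HFSJ'
                       0x200,                  # journalInfoBlock
                       3502915200, 3503001600, # createDate 2015-01-01, modifyDate 2015-01-02
                       0, 0,                   # backupDate, checkedDate never set
                       1500, 200,              # fileCount, folderCount
                       4096, 262144, 100000,   # blockSize, totalBlocks, freeBlocks
                       5000, 65536, 65536,     # nextAllocation, rsrc/data clump sizes
                       1700, 42,               # nextCatalogID, writeCount
                       1, *([0] * 8))          # encodingsBitmap, finderInfo
    forks = (pack_fork(32768, 32768, 8, [(1, 8)])            # allocation bitmap
             + pack_fork(0, 0, 0, [])                         # extents overflow
             + pack_fork(8388608, 8388608, 2048, [(1024, 2048)])  # catalog
             + pack_fork(4194304, 4194304, 1024, [(3072, 1024)])  # attributes
             + pack_fork(0, 0, 0, []))                        # startup (unused)
    buf = head + forks
    assert len(buf) == VOLUME_HEADER_SIZE
    return buf


if __name__ == "__main__":
    hdr = parse_volume_header(build_sample_header())
    print(hdr["signature"], hdr["attributeFlags"], hdr["modifyDate"])
    print(special_file_offsets(hdr))
```

To run it against a real volume, read 512 bytes at `VOLUME_HEADER_OFFSET` from the raw device or image and pass them to `parse_volume_header`; the catalog offset it reports is where you would seek to begin parsing the Catalog File’s B-tree header node.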

While creating the HFS+ section for my course, I created a HFS+ Reference Sheet and Synalyze It! Grammar files. My hope is to help folks understand and parse (by hand) the HFS+ file system structures.

Note: The following reference sheet and grammar files are still a work in progress – comments and suggestions are welcome!

FOR518 Reference and HFS+ Reference Sheet

Synalyze It! Grammar Files:

Synalyze It! is a very powerful hex editor in which a user can create or use grammars to view certain data structures. An example of the Volume Header grammar is shown below.

For those that want to learn more about HFS+, I highly recommend the following references: