Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Mac OS X Previous Versions Chunk Storage Parser

This script parses Mac OS X chunk-storage SQLite database-files used by the previous-versions feature introduced in Mac OS X Lion. The chunk-storage database is located at the following path in HFS+ and APFS volumes that support this feature -

\.DocumentRevisions-V100\.cs\ChunkStoreDatabase

The database contains several tables including one called 'CSStorageChunkListTable'. Each record in this table represents one previous version of a file and lists the chunks used to store that file's data. The chunks themselves are stored in one or more files in the following folder -

\.DocumentRevisions-V100\.cs\ChunkStorage

Previous versions of files are stored within the following folders and sub-folders -

\.DocumentRevisions-V100\AllUIDs

\.DocumentRevisions-V100\PerUID

The files in this folder are marked as compressed and accessible only by the Mac OS X system and root user.

The link between the previous version of a file and its chunk-data is made by a 'com.apple.decmpfs' extended attribute. This attribute contains the index of the record in the 'CSStorageChunkListTable' table that references the file's chunk-data.

This script will locate the data for each file represented by a record in the 'CSStorageChunkListTable' table and write it into a logical evidence file, which can be loaded into the current case automatically.

The script will attempt to match the recovered data to the appropriate path under the '.DocumentRevisions-V100\AllUIDs' folder. If it can't do this then the script will write the data as a stream under the relevant chunk-storage database-file.

The script will only parse HFS+/HFSX/APFS chunk storage database files having the name and path mentioned above.

Download Now



Version: 3.0.1
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

8743 DOWNLOADS

YOU MAY ALSO LIKE

Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
7450 Downloads
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
141 Downloads
App
Artifact

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key
98 Downloads
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents
By Simon Key
84 Downloads
App