Update: Posted follow up article to mount HFS+ dd images

The first time I tried to mount a Mac OS X partition in Linux, I ran into several issues. Here were the problems I had and the resolution.

HFS+ partition structure

Man computer forensic jobs are on Windows or even Linux computer which use the DOS partition structure. So, the first time you come across a Apple partition, things look a bit different. The following are the partitions, as seen by mmls and parted, on a HFS+ USB drive:

mmls output

wintermute:/mnt# mmls /dev/sdc
MAC Partition Map
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Unallocated
01:  00      0000000001   0000000063   0000000063   Apple_partition_map
02:  Meta    0000000001   0000000004   0000000004   Table
03:  01      0000000064   0000262207   0000262144   Apple_Free
04:  02      0000262208   0160086511   0159824304   Apple_HFS
05:  03      0160086512   0160086527   0000000016   Apple_Free

parted output

wintermute:/mnt# parted /dev/sdc
GNU Parted 1.7.1
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print

Disk /dev/sdc: 82.0GB
Sector size (logical/physical): 512B/512B
Partition Table: mac

Number  Start   End     Size    File system  Name                  Flags
1      0.51kB  32.8kB  32.3kB               Apple
3      134MB   82.0GB  81.8GB  hfs+         Apple_HFS_Untitled_1

HFS+ partition and journaling

When you mount the HFP+ partition, you issue the following:

wintermute:/mnt# mount -t hfsplus /dev/sdc3 /mnt/sdc/

and while everything looks good from mount:

wintermute:/mnt# mount
/dev/sdc3 on /mnt/sdc type hfsplus

the journaled filesystem has actually caused some issues. You notice this is you want to write to the drive or if you look at dmesg:

sdc1: rw=0, want=262211, limit=63
hfs: unable to find HFS+ superblock
hfs: write access to a jounaled filesystem is not supported, use the force option at your own risk, mounting read-only.

Disabling journaling on HFP+ file system

If you need to write data to this drive (helpful as I move files between Linux, Windows and OS X forensic workstations), you can remove the journaling from the file system. This is not recommended for the system partition on a Mac but is fine for a data drive. Of course, understanding the benefits of a journaled file system for data recovery is important. Anyway, to remove the journal I issued from following command on my OS X workstation per Apple’s support article:

neuromancer:/Volumes root# /usr/sbin/diskutil disableJournal /Volumes/mac-backup

Write away

Placing the drive back in Linux and mount with the same command as above resulting in a writable HFS+ partition on my Linux workstation:

wintermute:/mnt# mount
/dev/sdc3 on /mnt/sdc type hfsplus (rw)