07 The Kernel Level Truth: Linux & Macintosh File Systems | Ep. 07.2025 | Digital Forensics

When a standard Windows forensic tool encounters a drive it can't mount, the investigation doesn't stop—it moves to the kernel. Discover how to bypass the GUI and navigate the raw block-level data of Unix-like systems, where file names vanish and "Inodes" and "B-Trees" hold the keys to the truth.

In this episode, we step away from the familiar NTFS architecture to explore the structural foundations of Linux and macOS. As a Full Professor and Scholar-Academic at Tarleton State University, I break down Module 07 of the Guide to Computer Forensics and Investigations (7th Ed., 2025). We dive into the physics of Linux ext4 inodes, the sophisticated B-Tree architecture of Apple’s APFS, and the forensic challenges posed by the T2 Security Chip. This session is essential for any IT professional or business student aiming to master the cross-platform complexities of modern incident response.

Key Moments
0:00 — Intro: Hacking Myths vs. Forensic Reality
0:24 — Data Decoupling: Inodes and B-Trees Explained
1:12 — Linux ext4 Anatomy: The 4-Part Partition Hierarchy
2:03 — The Inode: Metadata Paths and Pointer Systems
2:56 — ext4 Extents: Reducing Fragmentation & Pointer Complexity
3:26 — Apple Evolution: From HFS to 64-bit APFS
3:45 — Storage Units: Logical Blocks, Allocated Blocks, and Clumps
4:18 — The Slack Space Gap: Logical vs. Physical EOF
4:42 — B-Tree Architecture: Navigating Leaf and Index Nodes
5:14 — Hardware Barriers: FileVault 2, T2 Chips, and Secure Enclaves
5:38 — Risk of Connection: Disk Arbitration and Timestamp Alteration
6:10 — Low-Level Bypass: Leveraging Kali Linux Forensics Tools
6:34 — The dc3dd Utility: Syntax and Real-Time Verification
7:10 — Conclusion: Architecture as the Key to Forensic Integrity

Resources & References
⬢ Nelson, Phillips, Steuart, and Wilson (2025). Guide to Computer Forensics and Investigations, 7th Edition.
https://www.cengage.com/c/guide-to-computer-forensics-and-investigations-7e-nelson-phillips-steuart-hua/9780357672884/
⬢ Apple Platform Security Guide (T2 & Secure Enclave) – Official specs on the hardware-locked ecosystem.
https://support.apple.com/guide/security/welcome/web
⬢ The Sleuth Kit (TSK) & Autopsy – The primary open-source suite mentioned for Unix-like analysis.
https://www.sleuthkit.org/
⬢ dc3dd Forensic Tool – The specific command-line utility used in the demo for block-level acquisition.
https://github.com/resurrecting-open-source-projects/dc3dd
⬢ Schuessler's Tech Career & Forensics Guides – Access my books on Amazon.
https://www.amazon.com/stores/author/B0GF414RK1
⬢ Schuessler's OER Library – Open Educational Resource versions of these materials.
https://oertx.highered.texas.gov/search?search_source=homepage&f.search=Schuessler

Dr. Joseph H. Schuessler, PhD
Full Professor of Computer Information Systems | Dr. Sam Pack College of Business
Quality Matters Master Reviewer & ACUE Advanced Certified in Effective Teaching

AI Production Disclosure: This content was developed through a collaborative workflow between human expertise and artificial intelligence. Gemini and NotebookLM were utilized for research synthesis, content structuring, and production assistance to ensure technical accuracy and educational clarity.

Video "07 The Kernel Level Truth: Linux & Macintosh File Systems | Ep. 07.2025 | Digital Forensics" from the channel Joseph H. Schuessler