Difference between revisions of "macOS"
Line 69: | Line 69: | ||
The directories preceding ${TARGET_DIRECTORY} may also need to have '''RWX''' group permissions set. | The directories preceding ${TARGET_DIRECTORY} may also need to have '''RWX''' group permissions set. | ||
− | == Message | + | == Message App Forensics on when working with iTunes iPhone Backup == |
+ | |||
+ | When you do a full manual backup of your iOS device the Message App's Sqlite datafiles are renamed with a long hexadecimal hash. The backups are stored in a separate directory for each iOS device you manage through iTunes. The backup files are stored under: '''~/Library/Application Support/MobileSync/Backup/396f2f99f15127b8d921798f266a39b7342f560a/3d0d7e5fb2ce288813306e4d4636395e047a3d28'''. That second-to-last hexadecimal number is the hash for the iOS decide backup directory. The number will be different for each device you manage through iTunes. That last hexadecimal is the name of the SQLite database file that stores the message text and metadata, so you want to look for this name when searching for backups. | ||
+ | <pre> | ||
+ | find ~ -name "396f2f99f15127b8d921798f266a39b7342f560a" | ||
+ | <pre> | ||
+ | |||
+ | There are various applications that can be used to export text messages. One that is simple and free is '''sms-backup.py''' found at [https://github.com/toffer/iphone-sms-backup]. | ||
+ | |||
+ | <pre> | ||
+ | sms-backup.py --input ~/Library/Application\ Support/MobileSync/Backup/396f2f99f15127b8d921798f266a39b7342f560a/3d0d7e5fb2ce288813306e4d4636395e0]47a3d28 > ~/Desktop/sms.csv | ||
+ | </pre> | ||
+ | |||
+ | == Message App Forensics == | ||
Messages are stored under '''~/Library/Messages/chat.db'''. Note that there may be some other '''sqlite3''' files in the same directory, '''chat.db-shm''' and '''chat.db-wal'''. '''DO NOT OPEN THE CHAT.DB WITH AN SQLITE CLIENT!''' The database may have been shutdown with deleted rows. The rows may be recoverable, but an sqlite3 client may trigger a '''vacuum''' process which will garbage collect deleted rows. Alternatively the client may trigger the WAL to overwrite the chat.db, so previous values of records may be lost. The best thing to do is to make a backup copy. Reimage from the backup every time you want to test some method for recovering data. At this point it's actually preferable to copy the working copy to a different machine and work on it there. | Messages are stored under '''~/Library/Messages/chat.db'''. Note that there may be some other '''sqlite3''' files in the same directory, '''chat.db-shm''' and '''chat.db-wal'''. '''DO NOT OPEN THE CHAT.DB WITH AN SQLITE CLIENT!''' The database may have been shutdown with deleted rows. The rows may be recoverable, but an sqlite3 client may trigger a '''vacuum''' process which will garbage collect deleted rows. Alternatively the client may trigger the WAL to overwrite the chat.db, so previous values of records may be lost. The best thing to do is to make a backup copy. Reimage from the backup every time you want to test some method for recovering data. At this point it's actually preferable to copy the working copy to a different machine and work on it there. |
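Review bot: the block opened with <pre> before the added find line is never closed; the line after it is a second <pre> where </pre> was intended, so the sms-backup.py paragraph and everything up to the later </pre> will render as preformatted text. In the same hunk the --input path has a stray "]" inside the file name (395e0]47a3d28), which no longer matches the file name given in the paragraph above, and the find command searches for the second-to-last hexadecimal (the device directory) although the paragraph says to look for the last one (the database file). Smaller points: "iOS decide backup directory" should read "iOS device backup directory", and the new heading "Message App Forensics on when working with" has a leftover "on".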
Revision as of 13:08, 21 March 2016
Contents
- 1 smart quotes, smart dashes, automatic spelling correction are all stupid
- 2 image a disk using dd on Mac OS X
- 3 Turn off multi-touch swipe navigation for history in Chrome
- 4 Missing keys
- 5 Stupid Mac OS X Photos Export Original Error "couldn't be copied because you don't have permission to access"
- 6 Message App Forensics on when working with iTunes iPhone Backup
- 7 Message App Forensics
- 8 Use the locate command
- 9 Capture webcam snapshot from the command-line
- 10 Display images using ImageMagick 'display'
- 11 Display images from the command-line
- 12 Display video from sequence of images
- 13 Open files as if double-clicking on them.
- 14 Image processing with SIPS
- 15 Paste Board (clip-board, Desktop cut-and-paste)
- 16 Mount extfs ext2 ext3 ext4 on Mac OS X using FUSE
- 17 How to resolve: "No Java runtime present, requesting install."
- 18 Mac OS X keyboard modifiers get reset after boot or sleep
- 19 Brew: installation of Brew packages fail with "/usr/local/lib/pkgconfig is not writable."
- 20 Show all files in the Finder (and all application file dialogs) -- show hidden files
- 21 .DS_store sucks
- 22 Fink (use "brew" nowadays)
- 23 Show top level mounted drives (volumes) in the Finder
- 24 Use Automator to set a global system hotkey to launch a new iTerm window
smart quotes, smart dashes, automatic spelling correction are all stupid
Turn all this crap off.
defaults write NSGlobalDomain NSAutomaticDashSubstitutionEnabled 0
defaults write NSGlobalDomain NSAutomaticQuoteSubstitutionEnabled 0
defaults write NSGlobalDomain NSAutomaticSpellingCorrectionEnabled 0
defaults write com.apple.TextEdit SmartQuotes 0
defaults write com.apple.TextEdit SmartDashes 0
defaults write NSGlobalDomain AppleShowScrollBars -string "Always"
defaults write com.apple.menuextra.clock DateFormat -string "EEE MMM d h:mm:ss a"
defaults write com.apple.menuextra.battery ShowPercent "YES"
defaults write com.apple.finder AppleShowAllFiles -bool true
defaults write NSGlobalDomain AppleShowAllExtensions -bool true
defaults write com.apple.finder ShowStatusBar -bool true
defaults write com.apple.finder QLEnableTextSelection -bool true
defaults write com.apple.finder _FXShowPosixPathInTitle -bool true
defaults write com.apple.finder FXEnableExtensionChangeWarning -bool false
chflags nohidden ~/Library
defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true
# This is necessary to actually get the menuextra bar to refresh its display.
killall SystemUIServer -HUP
image a disk using dd on Mac OS X
Using dd on Mac OS X is basically the same as any other UNIX, but unmounting the disk first is a little different.
diskutil list
There's a difference between these two, but I forget the distinction. I believe that the second one is more comprehensive, but the first is what the umount command suggests using instead.
diskutil unmount /dev/disk2
# or
diskutil unmountDisk /dev/disk2
dd if=/dev/disk2 of=disk.img bs=1m conv=noerror,sync
Turn off multi-touch swipe navigation for history in Chrome
This is a stupid feature. It wouldn't make navigation all that much smoother even if I did use it often, but most often it gets triggered accidentally while multi-touch scrolling, which is a feature I use on almost every page.
defaults write com.google.Chrome AppleEnableSwipeNavigateWithScrolls -bool FALSE
Missing keys
- [Ins] (insert key and shift-insert)
- To paste the X11 clipboard use [shift][fn][return]. The plain insert key is [fn][return], but just about the only thing I use it for is to paste X11 selections, so [shift][fn][return] is usually what I'm looking for in this note.
Stupid Mac OS X Photos Export Original Error "couldn't be copied because you don't have permission to access"
You get this error when trying to export original photos from Apple Photos.
couldn't be copied because you don't have permission to access...
For some reason Photos seems to export as the staff user, so your destination directory must have group read/write/execute permissions.
chmod -R g+rwx ${TARGET_DIRECTORY}
The directories preceding ${TARGET_DIRECTORY} may also need to have RWX group permissions set.
Message App Forensics on when working with iTunes iPhone Backup
When you do a full manual backup of your iOS device, the Message App's SQLite data files are renamed with a long hexadecimal hash. The backups are stored in a separate directory for each iOS device you manage through iTunes. The backup files are stored under: ~/Library/Application Support/MobileSync/Backup/396f2f99f15127b8d921798f266a39b7342f560a/3d0d7e5fb2ce288813306e4d4636395e047a3d28. That second-to-last hexadecimal number is the hash for the iOS device backup directory. The number will be different for each device you manage through iTunes. That last hexadecimal is the name of the SQLite database file that stores the message text and metadata, so you want to look for this name when searching for backups.
find ~ -name "3d0d7e5fb2ce288813306e4d4636395e047a3d28"
There are various applications that can be used to export text messages. One that is simple and free is sms-backup.py, found at https://github.com/toffer/iphone-sms-backup.
sms-backup.py --input ~/Library/Application\ Support/MobileSync/Backup/396f2f99f15127b8d921798f266a39b7342f560a/3d0d7e5fb2ce288813306e4d4636395e047a3d28 > ~/Desktop/sms.csv
Message App Forensics
Messages are stored under ~/Library/Messages/chat.db. Note that there may be some other sqlite3 files in the same directory, chat.db-shm and chat.db-wal. DO NOT OPEN THE CHAT.DB WITH AN SQLITE CLIENT! The database may have been shut down with deleted rows. The rows may be recoverable, but an sqlite3 client may trigger a vacuum process which will garbage collect deleted rows. Alternatively, the client may trigger the WAL to overwrite the chat.db, so previous values of records may be lost. The best thing to do is to make a backup copy. Reimage from the backup every time you want to test some method for recovering data. At this point it's actually preferable to copy the working copy to a different machine and work on it there.
cp -a ~/Library ~/Library.backup
cp -a ~/Library.backup ~/Library.working_copy
You will also probably want to get rid of the extended attributes on the files while you work with them.
xattr -rc Library.working_copy
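The effect the warning above describes can be reproduced on a throwaway database. This is an added example, not from the original page: it builds a constructed WAL-mode SQLite file (the table and column names are hypothetical, not the chat.db schema), deletes one row, and checks the raw file bytes before and after an explicit VACUUM.

```python
import os
import sqlite3
import tempfile

NEEDLE = b"constructed-deleted-message-7f3a"   # constructed sample text


def build_db_with_deleted_row(path):
    """Create a WAL-mode database, insert three rows, delete the middle one."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit
    con.execute("PRAGMA journal_mode=WAL")
    # Some SQLite builds default to secure_delete=ON, which zeroes freed bytes.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msg(body) VALUES (?)",
                    [("kept message one",), (NEEDLE.decode(),), ("kept message two",)])
    con.execute("DELETE FROM msg WHERE body = ?", (NEEDLE.decode(),))
    con.close()   # closing the last connection checkpoints the WAL into the main file


def file_contains(path, needle):
    """Search the raw database file, the way a carving tool would."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "chat-like.db")
        build_db_with_deleted_row(db)
        before = file_contains(db, NEEDLE)      # deleted row still sits in freed space

        con = sqlite3.connect(db, isolation_level=None)
        live = [row[0] for row in con.execute("SELECT body FROM msg")]
        con.execute("VACUUM")                   # rebuilds the file from live rows only
        con.close()
        after = file_contains(db, NEEDLE)       # residue is gone for good
        return before, live, after


if __name__ == "__main__":
    print(demo())
```

The deleted text is invisible to SQL both times; only the raw bytes differ, which is why experiments belong on a fresh copy of the backup.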
Paths to data directories
I don't understand the relationship between Messages and Containers/com.apple.iChat. Is the iChat directory a backup or archive of Messages? The formats are different; the iChat directory has a collection of plist files that form an archive of conversations (the files have .ichat extensions, but they are plist binaries). It may even be something left over from an OS upgrade or application upgrade.
- ~/Library.working_copy/Messages/
- ~/Library.working_copy/Containers/com.apple.iChat/
To view the plist binaries it's probably more useful to convert them to XML.
plutil -convert xml1 "Noah Spurrier on 2015-05-29 at 13.45.51.ichat"
You may want to simply convert all the ichat files to XML format:
find "$HOME/Library.working_copy/Containers/com.apple.iChat/Data/Library/Messages/Archive" -name "*.ichat" -exec plutil -convert xml1 "{}" \;
The file will have the same name and extension; it will simply be XML now. I have not figured out how to parse the format. Apparently it is a common Mac serialization format. The text of the messages appears to be near a key named NS.string; although, this is also used for other fields. As a quick and dirty hack this will work:
grep -A 1 NS.string "Noah Spurrier on 2015-05-29 at 13.45.51.ichat"
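A step past the grep, as an added example that is not from the original page: Python's plistlib reads both the binary and the XML form, so the NS.string values can be pulled out together with the class of the object that holds them. It assumes the files follow the usual NSKeyedArchiver layout ($objects array, $class references, $classname entries); archived_strings and the sample archive are constructed here.

```python
import plistlib


def _uid(ref):
    """Index held by an archive reference: plistlib.UID (binary) or {'CF$UID': n} (XML)."""
    if isinstance(ref, plistlib.UID):
        return ref.data
    if isinstance(ref, dict) and set(ref) == {"CF$UID"}:
        return ref["CF$UID"]
    return None


def archived_strings(plist_bytes):
    """Return (class name, text) for every entry of $objects that carries NS.string."""
    archive = plistlib.loads(plist_bytes)        # accepts binary and XML plists
    objects = archive.get("$objects", [])
    results = []
    for obj in objects:
        if not isinstance(obj, dict) or "NS.string" not in obj:
            continue
        idx = _uid(obj.get("$class"))
        cls = objects[idx] if idx is not None and idx < len(objects) else {}
        name = cls.get("$classname", "?") if isinstance(cls, dict) else "?"
        results.append((name, obj["NS.string"]))
    return results


# Constructed sample shaped like a keyed archive; not taken from a real .ichat file.
SAMPLE = {
    "$archiver": "NSKeyedArchiver",
    "$version": 100000,
    "$top": {"root": {"CF$UID": 1}},
    "$objects": [
        "$null",
        {"$class": {"CF$UID": 3}, "NS.string": "constructed message text"},
        {"$class": {"CF$UID": 3}, "NS.string": "second constructed message"},
        {"$classname": "NSMutableString",
         "$classes": ["NSMutableString", "NSString", "NSObject"]},
    ],
}


def demo():
    xml = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
    binary = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
    return archived_strings(xml), archived_strings(binary)


if __name__ == "__main__":
    for cls, text in demo()[0]:
        print(cls, "->", text)
```

Reading the file this way works on the unconverted .ichat binaries too, so the working copy does not have to be rewritten by plutil first.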
Use the locate command
I like to have the locate database up to date so I can use the locate command. The following enables the locate launch daemon and updates the locate database. For some reason, the OS X version requires that the locate.updatedb command be run from the root directory.
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.locate.plist
sudo bash -c "cd /; /usr/libexec/locate.updatedb"
Capture webcam snapshot from the command-line
Install imagesnap
Use Brew to install imagesnap
brew install imagesnap
imagesnap
Or install using a precompiled binary from here: http://www.iharder.net/current/macosx/imagesnap/ or http://iharder.sourceforge.net/current/macosx/imagesnap/ or https://github.com/rharder/imagesnap
Capture images using imagesnap
Capture from a specific video device (use imagesnap -l to list device names):
imagesnap -d "HD Pro Webcam C920"
Do this to take a sequence of images. Recall that in Bash ${1-1} yields command-line argument 1 if it is defined. If no argument was given then it yields the default value after the -, in this case 1. So this always returns 1 if no argument is given.
image_sequence () {
    while :; do
        imagesnap -q $(date +%Y%m%d%H%M%S).png
        sleep ${1-1}
    done
}
Display images using ImageMagick 'display'
You may see this error:
display: delegate library support not built-in `' (X11) @ error/display.c/DisplayImageCommand/1894.
The problem is that you installed the wrong build of ImageMagick. Run the following to install ImageMagick with X11 display support:
brew uninstall imagemagick
brew install imagemagick --with-x11
Display images from the command-line
This works on almost any file as well as images.
qlmanage -p FILENAME.jpg
Display video from sequence of images
mplayer -vo corevideo "mf://2015*.png" -mf type=png:fps=20
Open files as if double-clicking on them.
open picture.img
open my_document.doc
open page.html
Image processing with SIPS
Built-in, native tool for resizing and performing simple manipulations of images.
Paste Board (clip-board, Desktop cut-and-paste)
pbcopy < foo.txt
pbpaste >> bar.txt
Mount extfs ext2 ext3 ext4 on Mac OS X using FUSE
If you use a Mac and want to mount Linux extfs drives then the easiest way to do this is to use FUSE for OS X with fuse-ext2. OSXFUSE is based on a defunct project called MacFUSE. fuse-ext2 does not appear to be updated frequently, but the old releases seem to work on the latest version of Mac OS X (Mavericks).
How to resolve: "No Java runtime present, requesting install."
When trying to run java from the command-line you may get this message: "No Java runtime present, requesting install." After installing the JRE (Java Runtime Environment), you find that you still get this message from the command-line. Restarting the terminal session does not fix this. You must add the following line to /etc/bashrc or your own ~/.bashrc:
export JAVA_HOME="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home"
Mac OS X keyboard modifiers get reset after boot or sleep
If you set your Caps Lock key to be a Control key you may find that this setting gets lost after the machine reboots or restores after a sleep. The problem may be with a corrupt ~/Library/Preferences/.GlobalPreferences.plist file. To fix this delete or move this file out of the way, reset the Caps Lock key modifier back to Control then reboot. The problem should go away.
Brew: installation of Brew packages fail with "/usr/local/lib/pkgconfig is not writable."
During a step that creates symlinks you may see a message like this:
Error: Could not symlink file: /usr/local/Cellar/x264/r2197.4/lib/pkgconfig/x264.pc
/usr/local/lib/pkgconfig is not writable. You should change its permissions.
I'm not sure what causes this. This seems to fix it; although, I'm not sure if this is the correct ownership to set:
sudo chown -R $USER /usr/local/lib/pkgconfig
Show all files in the Finder (and all application file dialogs) -- show hidden files
In Open and Save dialog boxes you can press Command-Shift-. (dot) to temporarily show hidden files. If you want to see hidden files in the Finder and all other applications then run the following from a command-line shell.
defaults write -g AppleShowAllFiles -boolean true
#defaults write -g AppleShowAllFiles YES
defaults write com.apple.finder AppleShowAllFiles -boolean true
# or should I really use the following?:
# defaults write com.apple.finder AppleShowAllFiles YES
killall Finder
older style
defaults write -g AppleShowAllFiles -bool true
This will affect only the Finder:
defaults write com.apple.finder AppleShowAllFiles TRUE
killall Finder
.DS_store sucks
.DS_Store spreads like the common cold. There is no way to turn it off for locally mounted drives, including removable media, but you can disable it from being created on network drives.
defaults write com.apple.desktopservices DSDontWriteNetworkStores true
Also add to your .gitignore file:
.DS_Store
Fink (use "brew" nowadays)
I mostly use "brew" now.
Install Fink and Fink Commander.
Install Xcode.
Show top level mounted drives (volumes) in the Finder
This is some sample AppleScript that I wrote. This gets me started with the basics.
(* Show top level mounted drives (volumes) in the Finder *)
tell application "Finder"
    activate
    make new Finder window with properties {target:computer container}
    (* I can't set the column view in properties when making new Finder window
       because the user may have set the Finder view option "Always open in list view". *)
    set current view of front window to column view
    set zoomed of front window to true
    (* if using list view then adjust some of the columns...
    set sort column of list view options of front window to name column
    set sort column of list view options of front window to kind column
    set width of column id name column of list view options of front window to 200
    set width of column id modification date column of list view options of front window to 170
    set width of column id size column of list view options of front window to 90
    set width of column id kind column of list view options of front window to 120
    *)
end tell
(*
tell application "System Events"
    if UI elements enabled then
        keystroke "t" using {command down, option down}
    else
        tell application "System Preferences"
            activate
            set current pane to pane "com.apple.preference.universalaccess"
            display dialog "UI element scripting is not enabled. Check \"Enable access for assistive devices\""
        end tell
    end if
end tell
*)
Use Automator to set a global system hotkey to launch a new iTerm window
This doesn't work very well because it turns out that a lot of applications use Option-Command-T. I would like to find a better solution to this problem.
In Automator create a new document and select "Service" as the type for your new document. Set the following options:
Service receives: no input in: any application
From the Library add the action Run AppleScript and set the following text in the editor:
on run {input, parameters}
    tell application "iTerm"
        reopen
        activate
    end tell
    tell application "System Events" to keystroke "n" using command down
end run
Save the workflow as hotkey iTerm.
Open System Preferences to set a hotkey to launch the workflow.
System Preferences | Keyboard | Shortcuts | Services | General | hotkey iTerm
Add a shortcut and press alt-command-t to set this hotkey sequence to launch a new iTerm window. I tried ctrl-alt-t and ctrl-command-t, but these were being used by other applications.