hoakley December 3, 2019 Macs, Technology

Time Machine: 1 How it works, or fails to

This is the first in a series of articles in which I will try to explain much of what I know about Time Machine (TM), starting from its basic principles, how it is implemented in macOS from Sierra (and earlier) to Catalina, and how to troubleshoot and fix its problems. I didn’t intend writing a series, just a single article about its issues in Catalina. But without understanding what is going on when backing up, that didn’t make much sense. This first article explains the principles involved, how they’ve changed over different versions of macOS, and the tools you need for diagnosis.

Making backups is, in principle, a simple task. The first backup just consists of a copy of everything that the user wants backed up. Each backup after that is then a copy of everything that has changed since the last backup was made. When you want to restore any item(s) from your backup, you can select which version of them to retrieve, going right back to the very first.

TM is only one choice among a range of backup systems for macOS. It’s distinctive and popular because:

it’s free and bundled with macOS;
it’s well integrated with macOS;
it uses macOS to create a Finder illusion, with which users are familiar;
by default, it makes small backups each hour, which fit in with most usage patterns better than making large backups each night;
it generally works well, and can back up to a wide range of media, which needn’t be costly.

Other strategies are adopted by competitors, including most notably Mike Bombich’s Carbon Copy Cloner and David Nanian’s SuperDuper!

Origins

For many years, TM relied on two features which were distinctive of macOS:

the FSEvents database, which records changes made to the files and folders on each volume;
hard links to both files and folders, which are used to minimise the size of TM backups.

Hard links are an incredibly efficient way of making each backup look as if it’s a complete copy of the original, when in fact all those files and folders which have remained unchanged since the last backup are represented by hard links back to the previous version. Hard links to files are a common feature of file systems, but hard links to directories (folders) are not normally supported. Apple added them to HFS+ for this purpose.

Without them, this scheme wouldn’t work: unchanged folders would have to be created in the backup as real folders containing many more hard links to the files within. The number of hard links in each backup would quickly become huge, as every file in that backup would have to be represented either by a hard link or a new backup. If your internal storage contained one million files, of which only ten needed to be backed up, TM would have to create 999,990 hard links for that one backup alone.

At its earliest and simplest, TM’s backup service, backupd, was run every hour as a scheduled task. It looked at the FSEvents database on each volume it had to back up, discovered what needed to be copied into the new backup, copied those items across to the backup, and created the hard links required to make that look like a complete duplicate of the original.

TMbackup105

The final maintenance phase ensured that hourly backups cover the most recent period. Prior to that, TM reduces the number of backups to minimise demands on their storage. However, the total size of backups inevitably rises until eventually even the largest backup storage is exhausted.

Diagnosing problems in those early backups is straightforward, thanks to TM making relatively infrequent log entries marking each step of the way.

Sierra

By the release of macOS Sierra, Apple had modified this simple behaviour in two respects. First, to ensure that backups remained within the scope of Spotlight search, once this sequence is complete, Spotlight’s mdworker processes index the latest backup into the main Spotlight indexes. The other change was to increase flexibility in the timing of backups. There is no need for them to occur precisely every hour, so Apple added TM backups to a complex background despatching system which aims to call them off when the system is ready for them to run. This despatching system is run by two subsystems, DAS (Duet Activity Scheduler) and CTS (Centralized Task Scheduling), and aims to run each hourly backup within a period of 5-10 minutes around the intended hourly interval.

TMbackup1012

Unfortunately, there is a bug in Sierra which Apple never fixed, leading to failure of the DAS-CTS scheduling system after running continuously for about 5 days or more. To this day, if you run TM in Sierra and don’t shut down or restart your Mac, automatic scheduling of TM backups will eventually stop happening regularly.

High Sierra and APFS

In addition to fixing this scheduling bug in High Sierra, that new version of macOS brought a complete new file system, APFS, designed to offer file system snapshots. A snapshot is a complete copy of the file system metadata at an instant in time. By retaining the previous versions of files rather than overwriting them immediately, a snapshot can be used to restore a volume to that previous state extremely quickly. This replaces the older Mobile Time Machine, introduced in about 2015, which had intended to provide limited backup facilities when proper backups couldn’t be made to an independent volume.

Apple saw the opportunity to replace the FSEvents database as the means of working out what to back up. In High Sierra and Mojave, snapshots are made and TM analyses those to determine what has changed and thus needs backing up. This turns out to be a bit more complex than it sounds, requiring a second snapshot to be made once backing up is complete, and is in any case only available when backing up APFS volumes.

TMbackup1014

Catalina

TM had to change in Catalina anyway, because of the use of a Volume Group for what had previously been the single startup volume. For users wanting to back up the whole of the Volume Group, the default in 10.15, this brought a change to the structure of backups. Apple has also taken the opportunity to back up the Recovery volume, which previously wasn’t an option in TM. The effect for many users who have only been backing up a single startup volume is that Catalina now backs up three: the read-write Data volume, read-only System volume, and the normally unmounted Recovery volume.

Backing up the Data and Recovery volumes brings further challenges, as neither was suited to the new technique of determining what needed to be backed up as the difference between APFS snapshots, or snapshot diff. It seems that technique wasn’t performing particularly well with plain APFS volumes such as the Data volume anyway, and Apple decided to return to using the FSEvents database.

This gives TM in Catalina a choice of four different techniques to determine what to back up from each of two or more volumes:

first backup, in which the entire contents of the volume are backed up, as happens when a volume is first backed up;
deep scan, in which the entire folder heirarchy is searched exhaustively, and all items which have been modified since the last backup are included in the list to be backed up (default for the Recovery volume);
FSEvents, in which TM analyses the FSEvents database and backs up all items which are recorded there as having been modified since the last backup (default for other volumes);
snapshot diff, in which TM compares the latest with the previous snapshot, and calculates what has changed between them (not available for HFS+ volumes, and probably only used as a fallback for APFS volumes when FSEvents is deemed unreliable or missing).

TMbackup1015

What was originally three fairly simple steps in 10.5 has now become five steps, with the second particularly complex, choosing between quite different techniques for determining what to back up.

Troubleshooting

TM problems broadly fall into three categories:

those which prevent the first backup from completing,
those occurring when regular hourly backups should be occurring,
those preventing a backup from being used, typically to restore items.

These are made more complex by the fact that TM can now back up to multiple destinations, including both local and networked storage (NAS). As the latter isn’t normally to an HFS+ volume expected on local storage, TM there uses a different strategy of copying items using SMB to a sparsebundle hosted on the network storage.

Taking the simplest cases first, there are two main classes of problem to be tackled:

diagnosing an incomplete backup (normally the first) to a local HFS+ volume,
discovering what problems have been occurring during periodic backups made recently.

Tools

TM has always been a considerate and informative user of the log. The best way to tackle backups which are still in progress is to examine TM’s entries for that backup in the log. In El Capitan and earlier, that is easy to accomplish using Console, but from Sierra to Catalina the new unified log presents more of a challenge. Console in 10.12 and later is essentially unable to examine recent log entries, and can only stream fresh entries as they occur, unless you fancy making a logarchive and trying to browse that.

The best GUI tool for examining recent log entries in Sierra and later is my free Consolation 3, which defaults to settings which make this task very simple, however daunting its main window may appear.

consol3tmcat

Simply leave the Filter with the Time Machine radio button selected, select the syslog Style (although custom styles can be much better when installed), use the Period stepper to change the period to 1, 2, or whatever, select hour in the next popup menu, and click on Get log.

Although you can plough through hourly batches of TM log entries looking for problems, once TM is making reasonably regular backups and you want to check them, use my free T2M2 utility. That analyses logs over the chosen period and reports any problems found, together with basic statistics. The latter now includes a breakdown of TM’s use of different strategies for determining what to back up. Although you can run T2M2 while a backup is still being made, it isn’t designed for that, and results then need careful interpretation as they contain an incomplete backup.

t2m2191

In the next article, I will look in more detail at the logs of backups and explain what can go wrong in them.

This series is dedicated to James Pond (1943-2013), who really did know everything about Time Machine.

43Comments

Add yours

1

EcleX on December 3, 2019 at 8:58 am

Thanks for the article. Given time, Apple Time Machine backups get eventually corrupted. But there is an efficient preventive measure, that is using DiskWarrior 5 to rebuild the directory of the Time Machine disk routinely. For instance, once or twice a month, depending on the amount of items that it holds, and the amount of new items modified or saved into the source disk.

The most amazing thing is that if you rebuild the directory of the source and Time Machine disks with DiskWarrior, just a single new backup is enough to generate issues in the Time Machine disk. That may not be critical, but over time they add up and eventually corrupt the Time Machine disk, making it useless to restore a full macOS system, as said above. Worst of all, no warning is issued at all until you try to restore from such backup. Shocking!

Hopefully, the new Time Machine 2 from Apple will fix such serious problem that involves data loss, further supporting APFS for target disks, releasing also full documentation about how to write to them (as done about how to read them by September 2018), so that developers can release utilities like Diskwarrior 6 to rebuild the directory of such disks. Just in case. Time will tell…

LikeLiked by 1 person
- 2
  
  hoakley on December 3, 2019 at 11:39 pm
  
  Thank you.
  All data storage eventually becomes corrupted – it’s a question of how long and when. That isn’t an issue for how TM works, and will be considered in a later article in the series.
  If you are suggesting that making a single TM backup to HFS+ storage results in file system errors, then you have something very seriously wrong there. Current HFS+ implementations are much less liable to directory problems of this kind than in the past, and few TM users ever encounter them.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on December 4, 2019 at 7:58 am
    
    Thanks. Yet, that is not our experience with thousands of Macs at the University. Not all data storage becomes corrupted eventually. For instance, using a disk to store movies (large monolithic files) usually does not corrupt it (eventually, the disk does not hold many items, since they are large and fill the disk).
    
    But making backups of disks with many (millions) items using Time Machine renders such backups corrupted and useless with time, without any warning. You do not notice it until you want to restore from them. And sometimes the scenario is even worse: you make the restoration with Migration Assistant and all seems OK, but some items have been lost in the process. I noticed that by sheer chance, since the source booting old Mac had much more used disk space that the destination one in the new Mac. Fortunately, I could fix it using SuperDuper instead, but that is another story.
    
    And yes, shockingly and surprisingly, a single Time Machine backup shows issues under the described situations, identified and fixed with DiskWarrior. Nothing wrong at all in the source or destination disks before making the backup. That is not only our experience with thousands of Macs at the University, but also the one of many people who have discovered it. Search the Internet with Google to find it.
    
    Hopefully, Time Machine 2 fully supporting saving from and to APFS will fix all those issues.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on December 4, 2019 at 8:20 am
      
      Thank you.
      I’m not sure where you are, but maybe it’s something unique to your location!
      Just think about this slowly: millions, maybe tens of millions, of Mac users back up using Time Machine to HFS+ disks every day. Only a very small fraction of those use DiskWarrior in the fashion you describe.
      So how come so many people don’t suffer the same problems which you claim when recovering from their Time Machine backups? If what you claim is true, TM should be a complete disaster – the only backup system which can never restore anything reliably unless you spend hours every few weeks repairing its broken backups. Is that really the case? Why hasn’t it been on the front pages of Mac magazines since 10.5?
      Howard.
      
      LikeLike
  - 5
    
    EcleX on December 4, 2019 at 12:13 pm
    
    The explanation may be that no error warning is issued at all. People may have problems and not know about them. Not even when restoring, except when the Time Machine disk is with very significant corruption. Corruption adds up with time, until it reaches a threshold of no return. From then on, the disk cannot be used to restore and only then macOS warns about the problem. Additionally, the really serious issues of data loss may only happen for disks containing many items, changed every day saving and deleting items, and only eventually, given time.
    
    But it is extremely easy to check for anyone interested: just rebuild the directory if the Time Machine disk with the latest Diskwarrior 5.2 and you will be amazed about what it finds and fixes. BTW, on a Samsung Portable SSD X5 2 TB containing 19 million items, that takes just 15 minutes in the background (you can work meanwhile).
    
    LikeLiked by 1 person
    - 6
      
      hoakley on December 4, 2019 at 8:37 pm
      
      I don’t think that this is correct, and would be grateful for evidence to support this claim beyond DiskWarrior, please. I think that you are confusing directory errors (which are fixed by fsck, for example) with optimising directory trees, which is totally different and what DiskWarrior has always excelled at.
      By the way, the rest of us aren’t running HFS+ on SSDs, but on hard disks, which are much slower to check and rebuild. And as DiskWarrior isn’t compatible with APFS, which we are running on our SSDs, we can’t use it there anyway.
      I’m also beginning to suspect, from user reports, that HFS+ may have adverse effects on the working life of some SSDs too, as there are now quite a few people reporting shockingly early failures, of SSDs under a year old. Unfortunately, frequently rebuilding directories on them will also accelerate their ageing, so maybe DiskWarrior isn’t such good news for SSDs after all.
      Howard.
      
      LikeLike
  - 7
    
    EcleX on December 4, 2019 at 11:01 pm
    
    Since you ask for it, here it goes (besides our experience, and among other resources):
    
    Time Machine backups to a Time Capsule get corrupted on a yearly basis
    
    Time Machine backups to a Time Capsule get corrupted on a yearly basis from MacOS
    
    Fix Time Machine Sparsebundle NAS Based Backup Errors
    https://www.garth.org/archives/2011,08,27,169,fix-time-machine-sparsebundle-nas-based-backup-errors.html
    
    Recurrent problem with Time Machine failing
    https://apple.stackexchange.com/questions
    
    The above link is broken now, but it contained: “I had this issue over & over on two machines here; eventual fix was DiskWarrior on the Time machine drives. No amount of fiddling with the boot drive would fix it for more than a week or two”.
    
    Volume Rebuild 17 hours and counting
    https://www.micromat.com/component/kunena/techtool-pro-11/5364-volume-rebuild-17-hours-and-counting
    
    Alsoft DiskWarrior saves the Time Machine drive
    https://gigaom.com/2008/05/28/alsoft-diskwarr
    
    On the other hand:
    
    Some experts backup into PCIe flash storage NOT using Tme Machine because seems COMPLEX:
    Recover Time Machine backups from APFS disk?
    https://discussions.apple.com/thread/8088923
    
    Others say AUTOMATIC Time Machine backups get CORRUPTED after SIX MONTHS:
    Rebuild and Partition Failed
    https://www.micromat.com/component/kunena/techtool-pro-11/5246-rebuild-and-partition-failed
    and
    Volume Rebuild – FSRoot Tree rebuild…How long?:
    https://www.micromat.com/component/kunena/techtool-pro-9/5068-volume-rebuild-fsroot-tree-rebuild-how-long
    
    Others confirm that Time Machine backups get CORRUPTED:
    Why I Don’t Rely on Time Machine
    https://joeontech.net/why-i-dont-rely-on-time-machine.html
    
    Others RENEW (start fresh from scratch) Time Machine backups every 2 to 3 years (you!):
    How Time Machine makes backups
    https://eclecticlight.co/2018/10/17/how-time-machine-makes-backups
    
    In relation to ageing SSD due to rebuilding their directories, I do not know to which extent that could be significant, but DriveDx shows my booting disk with all 100% OK and the Time Machine one alike, except:
    
    177 Wear Leveling Count: 7 –> 99% OK
    241 Total LBAs Written: 9.9 TB –> 99% OK
    
    which I think that is OK since August 2017 when I started using both (2 TB each). I rebuild their directories with DiskWarrior at least twice a month, and right after a Mac crash, forced shut down and cold booting, etc, albeit that is rare. I also run Disk Utility First Aid and Cocktail twice a month. I used to also boot in safe mode rebooting before login twice a month, but no longer do it, since it seems useless after doing the previous actions. I turn off the Mac overnight. I am using macOS 10.12 Sierra.
    
    LikeLike
    - 8
      
      hoakley on December 4, 2019 at 11:57 pm
      
      Thank you. I’m afraid it’s late tonight, and tomorrow I am at a funeral for most of the day, but will get a chance in the next couple of days to respond properly. Interestingly, most of those concur with my experience, or are based on using NAS, which don’t use HFS+ as a file system at all!
      Howard.
      
      LikeLike
  - 9
    
    EcleX on December 7, 2019 at 5:57 pm
    
    Thanks for the follow up. No hurry at all. This is a friendly reminder, just in case you forgot.
    
    LikeLiked by 1 person
  - 10
    
    EcleX on December 10, 2019 at 2:06 pm
    
    Your wise feedback will be most appreciated. Thanks.
    
    LikeLiked by 1 person
  - 11
    
    EcleX on December 30, 2019 at 12:29 pm
    
    If possible, your reply will be most appreciated. Thanks, and Happy New Year!
    
    LikeLiked by 1 person
    - 12
      
      hoakley on December 30, 2019 at 11:13 pm
      
      Thanks.
      I will be addressing this in another article on my series about Time Machine.
      Howard.
      
      LikeLike
13

Marcos on December 3, 2019 at 9:53 pm

Great article! I was under the – now I know incorrect – assumption that Time Machine was failry neglected.

The fact that you still cannot use APFS and how brittle and slow network backups has always bothered me. I suspect Apple is working on some grandiose overhaul of the macOS backup story that is several years overdue and that APFS and iCloud somehow both are part of it.

LikeLiked by 1 person
- 14
  
  hoakley on December 3, 2019 at 10:12 pm
  
  Thank you.
  I don’t think that Apple has delayed backing up to APFS: I think it would be largely unused by users at present.
  APFS sucks on hard disks, and always will do, as it’s been designed for SSDs, as it needed to be. Most current Time Machine backups are still made to hard disks, though, and we aren’t all going to throw them away overnight and spend a great deal more money on SSDs to store our backups. So if Apple were to offer backups to APFS now, who’s going to replace their existing backup drives with SSDs which are several times the cost?
  As far as iCloud storage is concerned, users are again the limitation (and their common sense!). My first backup here amounts to over 1 TB, and my total backup storage used is 2 TB. I’d have to have a fibre-optic Internet connection to make that feasible, which is (here in the country) very expensive indeed. Not only that, but whilst I like iCloud for off-site backups, its availability isn’t anywhere near as good as a RAID sat at the back of my Mac. And how long would it take to perform a full restore from backup?
  So, yes, Time Machine 2.0 is coming, but there’s much more than just the engineering to consider.
  Howard.
  
  LikeLike
  - 15
    
    EcleX on December 3, 2019 at 11:15 pm
    
    SSD pricing is now quite affordable. For instance, the best external portable SSD (note that there are cheaper ones!) is now just $249.99 for 2 TB:
    
    Samsung Portable SSD T5
    Samsung T5 Portable SSD – 2TB – USB 3.1 External SSD (MU-PA2T0B/AM), Black
    https://www.amazon.com/dp/B073H4GPLQ
    
    That is dirty cheap for what you get. And it is tiny (similar to a credit card footprint) and light (51 g). Routine Time Machine backups on it take seconds. A real joy! New higher-capacity models (4 TB & 8 TB) expected soon; probably by January 2020 at CES.
    
    LikeLike
    - 16
      
      hoakley on December 3, 2019 at 11:34 pm
      
      Thank you. I’m sorry – you miss the point.
      I’m an existing TM user. I have an external RAID with 4 x 2 TB hard disks. I can replace all four of those, which deliver 6 TB of backup space, for the cost of a single 2 TB SSD. The cost to me to maintain my existing storage is nil, zero, nothing. Even if I have to replace all the drives, it is a quarter of the cost of the SSDs alone.
      To replace my existing RAID with a 4 x 2 TB external SSD RAID would cost me towards £/$/€ 2000. Who in their right mind would do that without having to, unless they’re spending someone else’s money?
      The reality is that TM to SSD is a minority sport and will remain so for several years to come. Large and capacious hard disk are much cheaper than SSDs, and most TM users already have them.
      Howard.
      
      LikeLike
  - 17
    
    EcleX on December 4, 2019 at 7:44 am
    
    Most people do not have arrays of disks for backups, but a single external disk. That is what I meant. On the other hand, it is better to backup each disk to a single dedicated disk, than backing them all to an array.
    
    Sure, mechanical rotational disks will be always cheaper for the foreseeable future. Does it mean that Apple should have never switched to SSD? Why not keep using floppy disks or other obsolete technology in arrays? They would be slower but really, really, really cheap.
    
    What I meant is that most people do not even need a 2 TB Time Machine disk, and that even that SSD is a steal at current price. If we give priority to cheap, we would not be using Macs at all. Or other technologies. Technology has its price, but pays off. That is what I meant.
    
    Once you try SSD, you do not want mechanical rotational disks, even for free. The same as once you try Mac, you do not want Linux or Windows, even for free, even if cheaper, or even free. Still, there are some people that use the price argument to use Linux. For me, SSD and Mac pays off because I am much more productive that way. Cheap may be expensive, eventually.
    
    At the end, freedom of choice is good, so let anyone do whatever they want, but knowing the advantages and disadvantages of each choice. That is, again, what I meant.
    
    LikeLiked by 1 person
    - 18
      
      hoakley on December 4, 2019 at 8:11 am
      
      Thank you.
      You claim that “it is better to backup each disk to a single dedicated disk, than backing them all to an array”, which is demonstrably incorrect, and the whole reason for RAID. My RAID set can suffer a single disk failure and rebuild its contents without data loss. If I were backing up to a number of separate disks, then any single disk failure would lose the entire contents of that backup. You don’t need to perform the calculations to see that the latter is higher risk. That’s why so many people and businesses use RAID systems.
      We are discussing not the appropriate media for internal storage, where performance is critical, but that for backup storage. With backups running in the background, it actually matters little to me whether each backup takes 3 minutes or 30 seconds – certainly not so much that I’m going to pay out three or four times the price for something that I don’t even notice.
      If you seriously think that a 2 TB SSD “is a steal” at current pricing, then you have too much free income. Most users will simply look at the price difference between a branded HD of the same capacity and an SSD, and won’t even have to think.
      But all this is utterly irrelevant: the great majority of Time Machine users currently back up to hard drives, whether branded external units, RAID systems, or NAS. How are you going to convince them to throw away those old systems and replace them before they become old, and purchase much more expensive SSD replacements? Unless they have more money than sense, they won’t. They’ll continue to use the hard drive systems until they need to replace them, and many will then baulk at the pricing and buy HD again. So switching backup storage from HD won’t happen overnight, but will take several years at least.
      So as I said for the future, backing up to SSD remains a minority sport, and will continue to be so for some years to come.
      Howard.
      
      LikeLike
19

EcleX on December 4, 2019 at 12:31 pm

Thanks. Yes, arrays are great in business or institutions to backup many computers at once. Retrospect is great for that. But I meant for personal use. Most people have private data that do not want backed up that way.

On the other hand, there is the danger of ransomware. Sure, Macs dot not seem to be the main target, but that may strike as well, affecting even all connected Macs and disks in a network. The fact that it has not happened before does not mean that it will not happen in the future.

A good strategy for personal backups is to do one with Time Machine (every hour; always connected disk) and others with applications like SuperDuper and Carbon Copy Cloner (connecting disks only when doing the backup; for instance on 1st and 15th of each month, rotating them). And even to keep backups off site for extra security.

Then, there is also the environmental aspect. SSD are quiet (zero noise), consume less energy, do not get has hot and are quicker than mechanical rotational ones, besides being more reliable. Now, when you want to search for something, SSD are lightning fast as compared to the HDD.

People gladly pay 3,000 USD or whatever for a new Mac to throw it away in seven years when it is no longer supported by Apple macOS upgrades, or even before. Sometimes with soldered CPU, SSD and RAM at two to five times the market cost for the same item. There are much cheaper alternatives in Windows, Linux and DIY. Yet, for me, the Mac pays off because all its advantages, increasing my productivity. That is what I meant also for SSD. Mac is to Windows what SSD is to HDD.

I know that most backups are done to HDD now, but the future is SSD as their price becomes more competitive. I guess that they will replace all HDD in about five to 10 years. That is what I meant. And when you try SSD, you are gladly surprised. I am not alone:

Why I Will Never Buy a Hard Drive Again
https://www.tomshardware.com/news/cheap-ssds-are-killing-hard_drives,37563.html

Last but not least, I always people to believe nothing, but to get the available critical information, try for themselves, and then decide.

LikeLiked by 1 person
- 20
  
  hoakley on December 4, 2019 at 8:28 pm
  
  Retrospect is not great. In the past, I was burned several times by it, either failure of backups or, more commonly, incompatibility.
  To say that RAID systems are only for backing up multiple computers over a network is, frankly, wrong. A lot of single Macs are backed up to RAID systems, which provide increased reliability, faster storage on hard disk, and large capacity at a modest price.
  I’m surprised that you keep resurrecting this ‘threat’ of ransomware. Whilst it isn’t zero, the risk of ransomware on Macs is extremely low and getting lower by the day. It’s several years since the last significant attack, which was small, and fairly ineffective. Among other things, the T2 chip is a great deterrent as a particularly robust disk controller, and the new read-only system volume in Catalina is another major blow for anyone aspiring to develop ransomware.
  When you write “the future is SSD as their price becomes more competitive”, I agree completely. Which is why this isn’t the time for Time Machine to migrate to APFS. Can you imagine all the users who would then have to back up to hard drives running APFS?
  I happen to have quite a lot of SSDs, which now outnumber my active hard disks, and my MBP does back up to a single SSD for testing purposes. But I am dreading the cost of replacement of my RAID system – getting 6 TB on SSD is absurdly costly at present, by the time you’ve bought 3 x 2 TB SSDs and a suitable enclosure. I’d gladly accept donations, of course 🙂
  Howard.
  
  LikeLike
  - 21
    
    EcleX on December 5, 2019 at 1:06 pm
    
    I remember that Retrospect was great in the old days of Mac OS Classic and Apple Workgroup Server (AIX). They had no competition. We had an intranet based on that. Then they did not release versions for Mac OS X on due time, and a plethora of new developers created different backup applications; some of them being great. Then Retrospect was released for such OS, but most users were already using competing products.
    
    On the other hand, the ideal would be if Time Machine 2 supported backing up to both HFS+ for HDD, as well as APFS for SSD.
    
    LikeLiked by 1 person
    - 22
      
      hoakley on December 5, 2019 at 4:28 pm
      
      Thank you.
      It was in classic macOS that I got burned badly by Retrospect.
      I accept some of the responsibility for those backup utilities – one of the first tools I wrote for Mac OS X was hfspax, a port of pax to work with resource forks. That was free, and some (with my consent) bundled it up with a friendly front-end as a backup utility. It is long-since dead, of course, but the one survivor from those days is Mike Bombich’s Carbon Copy Cloner.
      I’m not sure about whether Apple will concurrently support two completely different backup formats – it would cause no end of trouble – and that may be another reason for delay.
      Howard.
      
      LikeLike
23

max march on December 4, 2019 at 4:12 pm

EcleX- you say most people don’t use arrays or RAID, then you say the way to do it is TM plus CCC plus SD. Who is going to do that?

As for ransomeware- My PC friends have been telling me for 30 years that ‘next year your Mac will get a real virus’. And I have never wasted a penny on A/V software. Your ransomeware comment reeks of that.
Someday Macs will get ransomeware.
Right, but if my drive isn’t called MACINTOSH HD- will they be able to use AppleScript to get the path?
All windows drives are C:- so you KNOW the path to the goods before you start. (Don’t even get me started on saying Windows doesn’t rely on DOS. Whats Win HD name “c:”? Theres the DOS. Pathing, DOS. PowerShell- the new DOS lol)

LikeLiked by 1 person
24

EcleX on December 4, 2019 at 7:48 pm

Hi max march, I meant using different disks. So, Time Machine backups to disk 1, SuperDuper to disk 2 and Carbon Copy Cloner to disk 3. Actually, Most people do not make backups, but amongst the ones that do… what I said…

Concerning ransomware, there is also for Mac. For instance, among other resources:

macOS malware
https://en.wikipedia.org/wiki/MacOS_malware

Mabouia: born the first MAC OSX ransomware – PoC
https://www.linkedin.com/pulse/mabouia-born-first-mac-osx-ransomware-poc-rafael-salema-marques

Yes, Ransomware Can Affect Macs Too
https://gizmodo.com/yes-ransomware-can-affect-macs-too-1763239644

BitTorrent Client Transmission Again Victimized by OS X Malware
https://www.macrumors.com/2016/08/30/transmission-keydnap-os-x-malware

Hackers compromised free CCleaner software, Avast’s Piriform says
https://www.reuters.com/article/us-security-avast/hackers-compromised-free-ccleaner-software-avasts-piriform-says-idUSKCN1BT0R9

Hackers Using iCloud’s Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments
https://www.macrumors.com/2017/09/20/hackers-find-my-iphone-remote-mac-lock

Can ransomware hijack Mac backups? Yes, but…
https://www.macworld.com/article/3220964/can-ransomware-hijack-mac-backups-yes-but.html

And last but not last, the fact that a particular person like you has not suffered ransomware on Mac does not mean in any way that tomorrow will not suffer it. Indeed, there is ransomware for Mac, as demonstrated above.

LikeLiked by 1 person
- 25
  
  hoakley on December 4, 2019 at 8:16 pm
  
  To be strictly accurate, there has been ransomware for macOS. It appears to have failed, and with the T2 chip and other measures, macOS is at a very low risk of ransomware. There are far far worse things which you should be protecting yourself against before you start investing substantial sums against ransomware on the Mac.
  And hard disk failure causing data loss is several orders of magnitude more likely.
  Howard.
  
  LikeLike
  - 26
    
    EcleX on December 4, 2019 at 11:06 pm
    
    You are right, but the idea of ransomware is terrifying if you depend on the Mac for your workflow. Mainly if it affects connected devices as well. Yes, I know that does not exist now, but nobody knows about the future.
    
    On the other hand, backups can save from a SSD failure but not from ransomware if affecting connected disks for continuous backups. So, If the disk fails, I will restore from the most current backup, which will probably be the Time Machine one. I may lose the last hour of work, but not more.
    
    LikeLiked by 1 person
  - 27
    
    EcleX on December 7, 2019 at 12:59 pm
    
    Update: in the above example of Transmission, their web site was hacked twice and the application injected with malicious code. So, people that downloaded and installed it with administrator credentials as required were a potential target for ransomware. That could happen any time in the future again with any application, even downloaded from the developer. So, we are all susceptible of ransomware.
    
    LikeLiked by 1 person
    - 28
      
      hoakley on December 7, 2019 at 4:54 pm
      
      Thank you.
      That’s not quite correct. The first time that the Transmission site was hijacked, it did, for a short period, provide a signed ransomware product, whose signing certificate was rapidly revoked by Apple. That was almost four years ago, in early 2016, and I reported it here. No one seems to know how many Mac users were affected by that, but it appears to have been very few indeed, and there certainly wasn’t any major incident reported anywhere that I’m aware of.
      The second time that year that the same site was hacked, it didn’t deliver ransomware, but Keydnap malware, which is quite different, as I detailed in this article at the time.
      A great deal has changed since then. For a start, if you’re running Catalina, you ordinarily can only run three classes of software: products supplied and installed by Apple, those supplied and delivered by the App Store, and independently-distributed apps which are notarized by Apple. Part of the notarization process involves uploading the software to Apple, where it is examined to detect if it might be malware. So the trick which was used to distributed ransomware before would normally be blocked from running by Catalina.
      That doesn’t mean that no Mac is susceptible to ransomware. However, it is generally thought to be one of the least likely threats to macOS systems, and that is also strengthened by Catalina’s new read-only system volume, which makes it almost impossible for malware to modify system files such as file systems and kernel extensions.
      The moral of the story is simple: to minimise your risk, you should always be running the latest version of macOS, as it is that which has the best protection against malware. Furthermore, you should only ever bypass any security protection if you are absolutely certain that the software isn’t malicious.
      Howard.
      
      LikeLike
  - 29
    
    EcleX on December 7, 2019 at 5:55 pm
    
    Thanks for the great information. Looks nice.
    
    LikeLiked by 1 person
  - 30
    
    EcleX on January 8, 2020 at 11:52 am
    
    This was on Windows Servers, but here it is as an example of backup encryption by ransomware:
    
    Travelex Infected With Sodinokibi Ransomware, Attacker Wants $3M
    https://www.macobserver.com/link/travelex-sodinokibi-ransomware/
    
    Sodinokibi Ransomware Hits Travelex, Demands $3 Million
    https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million
    
    LikeLiked by 1 person
    - 31
      
      hoakley on January 8, 2020 at 11:55 am
      
      Thank you. Yes, Windows servers. Not Macs.
      Howard
      
      LikeLike
32

Elsewhere for December 20, 2019 - Floccinaucical on December 21, 2019 at 6:24 pm

[…] Riggins: hoakley on Time Machine: How it works, or fails to This is a series of in-depth well-written articles about macOS Time Machine, how it works, and how […]

LikeLike
33

David C. on February 18, 2020 at 6:52 pm

At the start of the article, you mention two alternatives to Time Machine: Carbon Copy Cloner and Super Duper!. These are both great products, but they are both dive-cloning products.

It might be worth mentioning “classical” backup solutions as well. Where all the files to be backed up are copied to a single backup file or to a specialized backup device like a tape drive. Popular Mac products of this genere are Retrospect (which you mentioned in some prior comments) and various products from Tolis (e.g. BRU). macOS also supports popular UNIX backup programs of this type including the venerable “tar” utility.

Classical backup solutions have the disadvantage that you can’t boot the backup (as you can with a disk clone), so restoring a dead system requires reinstalling the OS or booting from an emergency boot disk, after which you can run the backup software to restore your files.

I used this approach (using Retrospect) for many years, back when my preferred backup device was a tape drive. Unfortunately, over the years, hard drives got so big that suitable tape drives were too expensive for personal use, so I switched to using more hard drives as backup devices. I continued with Retrospect in this capacity for a few years, but when their license fees got too expensive, I switched to Carbon Copy Cloner.

I would still love to add tape and a classical backup software package to my solution, but even the least expensive LTO drives are still very pricey, and other tape technologies are pretty much obsolete these days.

LikeLiked by 1 person
- 34
  
  hoakley on February 18, 2020 at 8:04 pm
  
  Thank you.
  CCC and SuperDuper! do work very well as backup utilities – I’m currently using the former for just that purpose here. They are also enormously popular with ordinary users who’d never go near Retrospect, let alone pay its exorbitant price.
  I do tiptoe gently into the realms of alternatives in a later article in this series, as I didn’t think a series on Time Machine should start off by discussing what you could/should use instead. I will be writing more on adjuncts and alternatives in the near future too: any list should include ChronoSync, for example, which is also running here at present.
  Howard.
  
  LikeLike
35

Perfectlyfadeddelusions on February 20, 2020 at 3:19 pm

Reblogged this on Zero to Hero Perfectlyjadeddelusions.

LikeLike
36

EcleX on April 25, 2020 at 1:28 pm

As far as I know, Time Machine stores its huge index in
“/.Spotlight-V100/Store-V2/”alphanumeric or hexadecimal text string showing here”/0.indexPositions”.

Yet, such folder has a minus sign. Ia there a way to see its contents and sizes? Thanks.

LikeLiked by 1 person
- 37
  
  hoakley on April 25, 2020 at 2:11 pm
  
  Thank you.
  I think you’d have to turn SIP off and su root to see inside that.
  Howard.
  
  LikeLike
  - 38
    
    EcleX on April 25, 2020 at 7:28 pm
    
    Thanks. How to do it? I mean, applications like Path Finder
    https://cocoatech.com
    do not allow to see its contents, even login as the Mac administrator. I guess that you meant using Terminal. How?
    
    LikeLiked by 1 person
    - 39
      
      hoakley on April 25, 2020 at 7:35 pm
      
      Danger! Turning off SIP is a serious undertaking. If you don’t know what you’re doing, don’t attempt it. Even if you’re confident, stick a note on the display that SIP is turned off, so that you don’t forget to turn it back on as soon as possible.
      Start up in Recovery, open Terminal there and enter
      csrutil disable
      then after entering that, type
      reboot
      to restart in normal SIP-disabled mode. I think you’ll then need to sudo or su root in Terminal to be able to look inside that folder, but don’t touch anything there or you’ll have to have the whole of your backup re-indexed, which will take a very long time.
      As soon as you’re done, restart in Recovery, open Terminal, and enter
      csrutil enable
      then
      reboot
      back into normal mode again.
      Howard.
      
      LikeLike
  - 40
    
    EcleX on April 25, 2020 at 10:22 pm
    
    Many thanks. Using the information that you provided, I searched the Internet with Google and found this article:
    
    Seeing Error “Operation Not Permitted” in macOS Catalina or Mojave?
    https://appletoolbox.com/seeing-error-operation-not-permitted-in-macos-mojave/#Getting_Error_Message_Operation_Not_Permitted_in_macOS_High_Sierra_Sierra_or_El_Capitan
    
    So, for the moment, I will not do it, as you also recommend. I wonder if there is an application that allows to see the size of the Spotlight index, since that is all that I want.
    
    LikeLiked by 1 person
    - 41
      
      hoakley on April 25, 2020 at 10:28 pm
      
      As far as I am aware, no app can look inside that folder, so long as SIP is enabled. Apple is giving us a heavy hint here, I think.
      Howard.
      
      LikeLike
  - 42
    
    EcleX on May 3, 2020 at 9:20 pm
    
    So, is it possible to know the size of the Spotlight index? Thanks.
    
    LikeLiked by 1 person
    - 43
      
      hoakley on May 3, 2020 at 10:38 pm
      
      Not as far as I know.
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Like this:

Related