hoakley January 17, 2020 Macs, Technology

Time Machine: 9 Inside backup support files

Time Machine expects your trust. A lot of trust, as it’s one of the few widely used backup systems which doesn’t actually reveal what it has backed up each time. Recently, Jeff asked me how he could tell exactly what was backed up in the last Time Machine (TM) backup, and the simple answer is that you can’t. This article looks inside TM’s support files and reveals that you can, only it’s far from simple.

You will recall my previous diagram showing the structure of TM backups.

TMbackupStructure

The information that we want is stored in files which are normally hidden within each backup folder, that’s named using a datestamp like 2020-01-16-145806, where you’ll find:

.Backup.log,
.com.apple.TMCheckpoint,
.exclusions.plist,
[UUID].eventdb, [UUID].clonedb, and .[UUID].eventdb files,
[volname] a folder containing the backup for each volume which was backed up.

Here I’ll look through each of these to see what useful information they contain.

.Backup.log

This should be a short text file containing a summary of events which took place during that backup. Although it gives some details which don’t appear in the unified log, in other respects it is merely a summary of the more detailed account given there. As it contains volume names and UUIDs for each of those which were backed up, it is a useful means of establishing which volumes were backed up, and which of the other files refer to each volume.

.com.apple.TMCheckpoint

This is a binary Property List containing basic statistics for the snapshots within the backup, including the total size and the number of items within them.

.exclusions.plist

This is a very important Property List which states explicitly, for that backup, which paths were backed up, and which weren’t because they had been excluded. Although its name doesn’t mention it, it includes a dictionary sourcePaths, which is an array of paths which were on the list of items to be backed up. This typically includes

/ the root, which here represents the System volume. This apparently doesn’t traverse the firmlinks which connect it to the Data volume;
/System/Volumes/Data the Data volume;
/Volumes/Recovery the Recovery volume;
and external volumes which you have opted to include, through the /Volumes path.

Lists of paths excluded from backups are categorised thus:

apiExclusionPaths, which are set by specific apps, and might include their private log files and caches;
standardExclusionPaths, which are those set by macOS, and are discussed below;
stickyExclusionPaths, again set by macOS, and discussed below;
systemFilesExcluded, a Boolean which states whether you opted to include the System volume;
userExclusionPaths, the items which you added to the TM pane’s exclusion list.

standardExclusionPaths include Trashes, caches, temporary files, /Network, and some system databases. Although some of these might appear important, they are mostly ephemeral files which you wouldn’t want swelling your backups.

stickyExclusionPaths also includes a lot of ephemeral and similar items, but holds some surprises such as the database and thumbnails folders inside photoslibrary bundles, and iTunes Store album artwork.

clonedb files

Volumes for which snapshots have been made will normally have a clonedb file built for them. This is another binary Property List which is of limited help to the user, as all it contains are pairs and groups of integers, which appear to be inode numbers which will be used to make file and folder hard links in the backup.

eventdb files

Volumes for which the FSEvents database has been used to determine what to back up have an eventdb file written for them, and these are the richest and most useful of the support files in TM. They’re also often very large, and being binary Property Lists aren’t concise by any means. They consist of nested dictionaries, and are best viewed using a ‘folding’ editor such as BBEdit, which can collapse the leaves (files) and branches (folders) of their tree-structured data.

At the top level, these are normally declared as having no Consistency Scan, meaning they have been derived straight from FSEvents without performing a ‘deep traversal’ scan, contain only file events, and give volume UUID, which is used to name the file.

Details of items which were chosen for back up are given in the Events dictionary. At each level in this dictionary, the following data are given:

Children (omitted in leaves), an array of branches leading to files;
Flags, an integer which contains that item’s permissions;
Name, that element in the path;
SubtreeSize, the number of items within that branch.

To build the full path on that volume to any item, you concatenate the Name of each branch with the separator /. Thus, a parent of / with child Pictures, grandchild Nikon, great-grandchild (leaf) MyPhoto.jpeg is the file /Pictures/Nikon/MyPhoto.jpeg. Thus, to determine which files have been backed up, all you have to do is build the path to each of the leaves specified in the tree. Although this isn’t simple, it is feasible in an app, which could then generate a list of path and file names for all the items which were backed up from that volume. If you simply want to check whether a specific file was backed up, try searching the respective eventdb file for that filename.

Because these support files, like the whole of TM backups, are now protected, before examining any of them, it’s best to make a copy in a working folder, and open that copy.

I can feel an app coming on…

14Comments

Add yours

1

Michael Bach on January 17, 2020 at 8:09 am

Dear Howard:

Thank you for the detailed analysis (as usual :). “Backup Loupe”
https://www.soma-zone.com/BackupLoupe/
has worked for me for some years, and helped me to find paths to exclued. Then it didn’t any more. The website talks of Catalina, so I’ll give it another try (I´m on the road now). One thing: bring time (½ hr or so, depending of your backups age of course).

Looking forward to your app you were hinting at!

Best, Michael

LikeLiked by 1 person
- 2
  
  John Gilbert on January 17, 2020 at 8:38 am
  
  I too have been using BackuLoupe for many years to search out what has been gone into TM. Since it builds a database which is searchable, you can find all the backups of a particular file – very handy for getting stuff out of TM. I don’t know of anything else which does that for TM or any other backup program.
  
  It does work with Catalina, it is low cost and Robby is a most responsive developer.
  
  LikeLiked by 1 person
  - 3
    
    hoakley on January 17, 2020 at 11:34 pm
    
    Thank you, Michael and John.
    Backup Loupe looks a superb and finely-crafted replacement for Time Machine’s front end, i.e. the TM app itself rather than the backup engine. It’s a little unfortunate that its author refers to TM backups as snapshots, which of course in 10.13 came to mean something very different, but once over that confusion, it is impressive. But it’s a replacement front end rather than a tool to check quickly the details of a recent backup.
    I’ll explore a bit more with it, and can see that I need to write a guide to these third-party tools. I had heard of this app some years ago, but wasn’t aware that it was still being developed. And it does work excellently with Catalina backups, and is properly notarized etc.
    Howard.
    
    LikeLike
4

Alec on January 17, 2020 at 1:36 pm

What I’d be most interested in is identifying folders with a high number of small files such as source files or repositories (e.g. brew’s cellar, git repos,…), as a TM backup crawls to hold once there are too many files to process.

Also I’d like to identify folders with files that change too frequently. E.g. every single calendar entry of the CalDAV calendars my colleagues share with me are rebackuped on every single backup (as the hourly CalDAV sync seems to replace the files or touches their timestamp). And the photos app constantly does some freaky stuff in its database file, causing a strain to the backups.

Everything would be much easier if one could specify file types to exclude, but as we can only exclude folders, we have to identify the folders that just aren’t worth backuping via TM.

As an example I’m just now creating a fresh backup of 200GB files from a MBP to a Time Capsule connected via ethernet, Time Machine is backing up these 1.5 M files, has been working for the past four hours and is expecting to continue for another four hours – resulting in a mere 7MB/minute speed, or about one file per second. Its about the same speed via WiFi, and not faster when backing up to my Synology NAS with ext3 drives via SMB, and is quite frustrating when a hourly routine backup runs for 20+ minutes. (I’ve started using TimeMachineEditor to only backup twice a day to each the time capsule and the NAS, but still these backups are much slower than my Arq backup to the cloud)

LikeLiked by 1 person
- 5
  
  Alec on January 17, 2020 at 2:21 pm
  
  Edit: please ignore the one file per second comment, it’s actually rather 50 files per second, which explains why the average speed is only 7MB per second (and indicates that some folders on this SSD contain thousands of tiny files).
  
  LikeLiked by 1 person
  - 6
    
    Alec on January 17, 2020 at 11:14 pm
    
    Here’s the summary of todays fresh backup from a MBP to a Apple Time Capsule last generation, connected via Ethernet (USB-C to Gigabit adapter), without using the MBP during this time:
    
    17.1.2020, 10:02:50: Found 1587290 files (207,83 GB) needing backup
    17.1.2020, 10:02:50: 229,31 GB required (including padding), 492,63 GB available
    17.1.2020, 11:02:21: Copied 22,19 GB of 207,83 GB, 249803 of 1587290 items
    17.1.2020, 12:02:22: Copied 46,03 GB of 207,83 GB, 649500 of 1587290 items
    17.1.2020, 13:02:23: Copied 79,67 GB of 207,83 GB, 653963 of 1587290 items
    17.1.2020, 14:02:24: Copied 113,3 GB of 207,83 GB, 733102 of 1587290 items
    17.1.2020, 15:03:03: Copied 136,72 GB of 207,83 GB, 853731 of 1587290 items
    17.1.2020, 16:03:05: Copied 152,01 GB of 207,83 GB, 1024445 of 1587290 items
    17.1.2020, 17:03:13: Copied 174,21 GB of 207,83 GB, 1172877 of 1587290 items
    17.1.2020, 17:58:15: Copied 1556047 items (198,89 GB) from volume Macintosh HD. Linked 0.
    
    Cutting down the number of transferred files would most likely dramatically improve speed. If only one could tell which folders to exclude easily (personally, I don’t think I really need to backup anything on a daily basis that can be reinstalled within a few minutes).
    
    LikeLiked by 1 person
  - 7
    
    John Gilbert on January 18, 2020 at 1:19 am
    
    As well as searching for the small files on the source disk, you can look on the TM disk with the tmutil command. For example, I have just done this in Terminal:
    cd /Volumes/Toshiba3/Backups.backupdb/Beth
    tmutil compare 2019-12-29-025028 2019-12-28-035259
    where those date and times are of consecutive backups. Substitute your own disk, folders & dates.
    That will list all the new, different or deleted files in the newer backup. It will be a long list!!
    
    This is, in effect, what BackupLoupe does behind the scenes, except that it also stores the results in a database.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on January 18, 2020 at 8:23 am
      
      Thank you, John.
      Yes, you can do that, although with more than a million files in a backup, I’m not sure that it helps in this case!
      Howard.
      
      LikeLike
- 9
  
  hoakley on January 17, 2020 at 11:43 pm
  
  Thank you.
  The best way to discover those folders is not by looking in your backups, but by looking in the live folders on your Mac. You may find one of the third-party file analysis tools like DaisyDisk helpful, perhaps.
  TM wasn’t designed for very large and relatively infrequent backups like yours: you’d probably be better off using an app which is intended to be run overnight, for example. TM is best used when its brief and small backups pass almost unnoticed, hence the normal hourly schedule.
  The other factor worth reconsidering is backing up over a network. That is inevitably slower than over a fast local connection such as Thunderbolt 3. I’m currently intending to replace my old hard disk RAID on TB1 with a TB3 unit containing SSDs, which is the sort of backup drive which you need for such large backups.
  Howard.
  
  LikeLike
  - 10
    
    Alec on January 18, 2020 at 12:28 am
    
    Daisy disk does not display the number of files, but only their size. It e.g. won’t tell me that each subscribed CalDAV calendar has a few thousand files of 1-2KB each. I don’t know of any app that can tell which folders (and subfolders) contain the most files. Also there’s no app that will tell me which files in my backup are constantly being replaced.
    
    And as for my backup: I’m backing up the default 256GB SSD of a MBP, four times a day (in the evening, after work, every two hours). I don’t consider this a “very large and relatively infrequent” backup. Hourly is just too frequent, as even at an hourly interval the backup is ~1GB and takes 10-30 minutes, meaning that the MBP is nearly constantly backing up, which is why I reduced to bi-hourly.
    
    I do not keep my chargers connected over night for security reasons, so backups when asleep is no option for me.
    
    I honestly wonder what TM was designed for, if not for backing up a laptop to an AirPort Time Capsule. I certainly do not want to go back to the 1990s, manually plugging in an external drive every few hours. And TM would not need to be so slow, Arq is *much* faster, as it seems to gather and compress files parallel to uploading them, instead of doing one after the other – it just does not allow a quick full restore, which is why I also run TM.
    
    LikeLiked by 1 person
    - 11
      
      hoakley on January 18, 2020 at 8:22 am
      
      Thank you.
      DaisyDisk doesn’t show the number of files, but its sunburst map gives a good visual impression, which is often much more useful.
      I’m sorry, I’m confused as to how often you’re making each TM backup. Earlier you said you were only making TM backups twice a day.
      However, if it’s taking 10-30 minutes to back up 1 GB, there’s something seriously wrong somewhere.
      You also write here that running hourly backups was writing around 1 GB, but that TM was just making a fresh backup of ~200 GB, which for a backup from a 256 GB SSD seems incredible. Are you really touching nearly 80% of the total space on your boot volume every two hours?
      TM was designed for the average Mac user, and has served them well. But the average Mac user doesn’t have 200 GB to back up every couple of hours. If that’s what you really need to do, then you need a completely different approach, I believe.
      Howard.
      
      LikeLike
  - 12
    
    Alec on January 18, 2020 at 12:19 pm
    
    Howard, sorry for the confusion. I backup my late-2016 MBP SSD to two targets (Time Capsule and Synology NAS) when at home, daily on evenings after work at a 2 hour interval: 5pm, 7pm, 9pm, 11pm. Therefor two backups per day are saved at each target. Each of these backups usually are 500MB to 2GB, take at least 10+ minutes, copy 2000-5000 files and link 20000-50000 files. Preparation of each backup takes another 5+ minutes (where the target HDD is really active and loud), and frequently the cleaning up phase takes even longer. There’s no significant difference in speed whether I connect via Gigabit Ethernet or via WiFi, and log files do not indicate any problems.
    
    The reason for slow TM speeds is (I think) that copying/linking thousand of tiny files (such as calendar .ics entries from CalDAV calendars shared with me in ~/Library/Calendars, I have 77278 files in that folder, totalling 120MB) is highly ineffective in TM. Also the entire backup is probably larger than necessary (1.5 M files), as I frequently fail to identify additional folders with many files (e.g. /usr/local/Cellar from brew, ruby gems, git repositories,…) which I could omit as they can easily be recreated by a reinstall from the internet.
    
    I frequently use Daisy Disk, but I don’t find it useful for configuring TM backups: backing up 10GB .mp3 files is much faster than backing up a 200MB folder containing dozens of thousand small files. I guess that is caused by TM processing files one after the other, and for each 1KB file the HDD needs to reposition the drive head to the corresponding bands file, which takes a few ms on a spinning disk, and that sums up. Arq (which I also use to daily backup the user folder to the cloud) is more efficient, it seems to compress many small files into one chunk before uploading (and compression/chunking and uploading are parallel processes).
    
    The quoted “fresh” backup was not a daily routine backup. I just started the backup from scratch on the Time Capsule, as the backup grew too large, and I create a clean new backup every ~6 months. This is what took 8 hours for copying 200GB (1.5M files), resulting in an average speed of 7MB per second.
    
    In case you’re interested, I can email you some logs. I’d appreciate any input. Thanks!
    
    LikeLiked by 1 person
  - 13
    
    Alec on January 18, 2020 at 3:38 pm
    
    E.g. here’s a regular backup I just had. It copied 3825 items (1,52 GB), linked 24235, and took 15 minutes. That’s rather fast compared to other backups I’m seeing, but still: 1.5 GB, 15 minutes. Sigh.
    https://gist.githubusercontent.com/maia/47715ba7e2b04aa78cc4848a23dbeb2a/raw/f3dcf092f33fe36914800cfb91dc7fdcd5808343/gistfile1.txt
    (paths shortened for brevity)
    
    LikeLiked by 1 person
14

Jeff on January 17, 2020 at 5:46 pm

Little did I know what a complex answer my question about ‘backed up files’ would raise. Thanks for delving into this! And I have a feeling that that “app” gleaming in the back of your eye will prove quite interesting. 🙂

LikeLiked by 1 person

·Comments are closed.

Share this:

Like this:

Related