hoakley April 24, 2020 Macs, Technology

File Integrity 8 : Compression, encryption and disk images

We often can’t and may not wish to store old files in standard document formats. In many cases, they’re in compressed archives, disk images, or we need them inside encrypted sparse bundles, to protect sensitive contents. Each of these container formats has a reputation of being fragile when corrupted. In this article, I look briefly at how deserved that reputation is, by deliberately corrupting some examples using Vandal.

Zip archives

Having had problems in the past with .zip archives which had apparently become corrupted to the point where they couldn’t be opened, I was expecting the same with modern examples. I was very surprised when low levels of corruption, of 1-2 B/MB, didn’t apparently cause any problems in opening and decompressing them using the macOS Archive Utility. They could also be opened using other apps which handle .zip archives, including WinZip.

That said, at higher levels of corruption all compressed archives run the risk that some of their contents become unusable, and may require specific decompression tools which cope better with damaged archives. Some forms of compression are designed to perform better, but I haven’t discovered any which implement a robust and testable form of error correction code (ECC).

Some feasible mechanisms for file corruption become more likely and/or more severe the larger a file is, or in the case of smaller files, the more files there are. Storing files in compressed archives reduces those risks, by squeezing them into a smaller space, or turning many files into one. These make the assessment of the effects of compressed archives on resilience to corruption complex: there are pros and cons.

For large compressed archives, existing ECC methods are unlikely to prove of much benefit. But for Zip archives of less than around 10 MB, it might make good sense to store them in archives with Parchive (Par2) ECC, to minimise the risk of corruption rendering them unusable. ECC should be applied to the compressed archive, not before compression.

Disk images

Apple’s standard disk images incorporate checksums which are used to verify that they are undamaged before they can be opened. Every disk image which I have damaged using Vandal, even at low rates of 1 B/MB, fails to open normally as a result.

diskimage1

You can work around this using hdiutil in Terminal, or more simply with the excellent free FastDMG, which is a friendly front-end to those complex command options. However, these still may be unable to open a corrupted disk image, and if they are able to, the contents are likely to be irreparably damaged in any case. The extent of that damage is unpredictable, and could just be the loss of a single unimportant file, or the whole image may appear empty.

If you have to use disk images to store important files, you should consider protecting them using Parchive (Par2) ECC. In general, though, they are not a format which you should choose to use for archives.

Sparse bundles and encryption

Sparse bundles consist of some top level files in the enclosing folder, and a folder full of storage bands. With such a complex structure, and data divided across bands which can be 8.4 MB in size, I expected these to be very fragile in the face of corruption. Even after corrupting two of the band files at a rate of 1 B/MB, a test encrypted sparse bundle opened correctly.

So far I have been unable to find any detailed documentation on the current sparse bundle format which establishes whether it might use some form of ECC. For the moment I am surprised at its apparent resilience to limited corruption, and will look in more detail at this in a future article here.

Encryption and resilience

Many users are concerned that encrypted volumes may prove generally less resilient to damage or corruption than unencrypted volumes, particularly internal SSDs in Macs equipped with T2 chips, which have no unencrypted option.

Because the T2 chip acts as the disk controller for internal storage in these models, and access to that storage can only be performed through that specific T2 chip, whether or not the data are encrypted shouldn’t be an issue affecting resilience at all. Disk repair and recovery tools also have to work through the disk controller, and encryption should therefore be completely transparent to them.

More significant is the fact that internal storage can only be accessed through that specific T2 chip, which is both a security feature and a limitation on recovery methods which can be used on the SSD. If a technician could remove and access the SSD in your Mac, then so could a thief, for example. Experience shows that the most common significant failure mode for most SSDs is total failure, which is usually unrecoverable whether the contents are encrypted or not, and regardless of any ECC system. The only defence here is good backing up.

Updated 1140 UTC 24 April 2020 to correct details on disk images, with thanks to Joss for reminding me that you can still open damaged disk images, and for the link to FastDMG.

14Comments

Add yours

1

Joss on April 24, 2020 at 7:40 am

You can easily open corrupted DMGs by skipping the verification with the hdiutil CLI. Or you can use a GUI tool like FastDMG – https://sveinbjorn.org/fastdmg –, which has been my drop-in replacement for the macOS default DiskImageMounter for many years. But I haven’t tested if copying files from a corrupted & quick-mounted DMG volume will work. If a file on the DMG is corrupted, you won’t be able to copy it to your main volume, I’m pretty sure of that, so if there’s just one file on the DMG, then you’re out of luck. If there are many files, you might have more luck, and maybe all of the files are OK except for one. If there’s an app bundle on the DMG, you probably have to copy parts of it in batches, until you find the corrupted part; if it’s just a png etc. in ./Contents/Resources, the app might still launch. (But the code signature will be toast, of course.) But again, these are just hunches, because I haven’t tested any of it.

LikeLiked by 1 person
- 2
  
  hoakley on April 24, 2020 at 8:50 am
  
  Thank you – I knew this and have done it in the past!
  I have made a quick amendment, and will revisit those damaged disk images and report their results.
  Howard.
  
  LikeLike
- 3
  
  hoakley on April 24, 2020 at 11:47 am
  
  Thank you. I retrieved my original corrupted disk images, and one of them still wouldn’t open at all. The others opened, but as you expected (and I have experienced before), the contents are also damaged. At least macOS no longer crashes when opening damaged DMGs as it has done in the past!
  It’s a shame that the format doesn’t seem to offer any ECC options, which could have made it resilient. I’m still baffled why my test sparse bundle seems to be so resilient, and will be looking at that format in more detail.
  Howard.
  
  LikeLike
4

Jonas on April 24, 2020 at 3:35 pm

I keep my most security-sensitive files in an encrypted .sparseimage file on my (old) Mac. The image has been growing for years, and is currently almost 12 GB on the Mac’s internal SSD. It contains many folders and sub-folders, but the largest individual file inside the image is under 200 MB.

This has been fine for the local (external drive) backups that I keep, but I haven’t included the image in my offsite/cloud backups (via Arq to AWS/S3), because a few individual files in the image change slightly throughout the day — and I assume that the whole 12GB sparseimage would be treated by Arq as one big blob, and uploaded every hour, greatly increasing my AWS cost. Another complicating factor is that Arq itself encrypts the data before uploading it… so would that mean double-encryption, and therefore more potential for problems?

I’ve been tempted to convert the encrypted .sparseimage to an encrypted .sparsebundle, although I have no experience with that format. Am I correct in assuming that, if I did that, only the altered “bands” would be uploaded to AWS each hour, rather than the whole thing? Are there potential problems or complications with using a sparse bundle rather than a sparse image in this way?

Another option: perhaps I should just point Arq at the individual (unencrypted) files within the current mounted .sparseimage volume, and rely solely on Arq’s encryption for the uploaded backups?

Any insights into these questions would be much appreciated!

LikeLiked by 1 person
- 5
  
  hoakley on April 24, 2020 at 4:21 pm
  
  Thank you.
  Single file storage like this poses many problems, but it does solve the issue of encryption. Most backup systems are file-based, so every time the image is updated, they’ll see the whole file as required fresh backup. I don’t know whether a sparse bundle would get around this problem by only changing some of its storage bands. As I plan to take a careful look at sparse bundles soon, that might be a good thing I can look at.
  Although double encryption is, in the crypto literature, seen as bad, I don’t really think it’s too important here.
  I think as far as your Arq backups are concerned, provided they’re properly encrypted, backing up from the unencrypted originals in the mounted image sounds an excellent and efficient plan to me.
  Given both local copies and good remote backups, I’m not sure that you should be particularly concerned about threats to file integrity, although it’s always worth keeping a watchful eye.
  Howard.
  
  LikeLike
6

Jonas on April 24, 2020 at 8:22 pm

Thanks, Howard. I look forward to seeing what more you discover about sparse bundles.

One thing I wonder is whether different backup (and other) programs treat them differently — that is, might one program see the bundle as one blob (similar to how it would see a sparse image) while another program, more sophisticated about the format, would see the individual “bands”?

Beyond that, I’m still unclear as to the difference between “packages” and “bundles”, or what happens to them in other (non-Mac) environments… I’m guessing that Windows (and maybe Linux?) would see them as just folders, and I’m guessing that the file system within an AWS S3 “bucket” is more like Linux. This could get complicated really fast.

LikeLiked by 1 person
- 7
  
  hoakley on April 24, 2020 at 9:36 pm
  
  Some backup apps might see these as single items, but I suspect most will see them as structured folders.
  A bundle is a specific type of package – I explain this in more detail here. On other file systems, they’re just seen as directories.
  Howard.
  
  LikeLike
8

Alun J. Carr on April 24, 2020 at 9:00 pm

The StuffIt sitx archive format supports ECC at user-selectable levels:

https://my.smithmicro.com/stuffit-deluxe-mac.html

LikeLiked by 1 person
- 9
  
  hoakley on April 24, 2020 at 9:09 pm
  
  Thank you. It’s years since I last used it, so I’ll take a look at it next week.
  Howard.
  
  LikeLike
- 10
  
  hoakley on April 24, 2020 at 10:49 pm
  
  Hmm. Just had a look. It looks like StuffIt Deluxe is a dead product: no update since 2016, and neither notarized nor compatible with High Sierra, let alone Catalina.
  Howard
  
  LikeLike
11

EcleX on April 25, 2020 at 6:56 am

Thanks for the interesting article. What is “Vandal”? On the other hand, sometimes in the past I have been able to fix the

Warning
The following disk images couldn’t be opened
image data corrupted
or
corrupt image

using DiskWarrior or DropDMG
https://c-command.com/dropdmg

LikeLiked by 1 person
- 12
  
  hoakley on April 25, 2020 at 6:59 am
  
  Thank you.
  Vandal is my app for deliberately corrupting files.
  That warning is the one given when the disk image doesn’t match its checksum, and appears to be corrupted. As I explain, you may still be able to open it a different way, although chances are its contents will be broken.
  Howard.
  
  LikeLike
  - 13
    
    EcleX on April 25, 2020 at 11:00 am
    
    Thanks. More:
    
    Help Desk
    TIP OF THE MONTH
    Occasionally I’ll download a disk image that doesn’t mount due to a “no mountable filesystems” error. I’ve recently learned that I needn’t discard these seemingly broken images. Instead, I launch Disk Utility, drag the disk image into the list of volumes in the Disk Utility window, select the image, and click on Repair Disk. If the image can be repaired, Disk Utility will fix it, and afterward the disk image mounts.
    Nathan Wilairat, Berkeley, California
    https://www.macworld.com/article/1029863/aprilmac911.html
    
    Corruption in DMG disk images
    https://www.cnet.com/news/corruption-in-dmg-disk-images
    
    LikeLiked by 1 person
    - 14
      
      hoakley on April 25, 2020 at 11:20 am
      
      Thank you.
      It’s worth checking the dates on articles like those: the first is from 2004, and the second from 2009, I think.
      The drag and drop procedure described in the first article doesn’t work at all in the current version of Disk Utility. However, you can open disk images from the File menu. Of the three damaged DMGs I have here, one doesn’t appear at all, even with an error. The other two are mounted OK, and Disk Utility will run First Aid, which reports no errors because of course it’s only checking the file system, and not the integrity of the files within it.
      So my conclusion is that trying to repair damaged disk images in the current version of Disk Utility is likely to be a complete waste of time.
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Related