{
	"id": "7d2723e1-a567-4ce1-8f07-a95ad7cc2ec1",
	"created_at": "2026-04-06T00:22:16.376752Z",
	"updated_at": "2026-04-10T03:20:28.711346Z",
	"deleted_at": null,
	"sha1_hash": "0af560b8323286694b12ba128c0451bcc996dd49",
	"title": "Identifying Resource and Data Forks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78098,
	"plain_text": "Identifying Resource and Data Forks\r\nArchived: 2026-04-05 17:31:28 UTC\r\nFiles on Mac OS X can be composed of two distinct halves called forks. Much more popular in the OS 9 days,\r\nresource forks were used to contain object-like information such as icons, strings, and small chunks of code, while\r\nthe data fork was used for unclassified raw data such as that involved in composing an image file. In Mac OS X,\r\nmost files keep their data exclusively in the data fork, but resource forks are still used by older applications, and\r\neven by Mac OS X to store elements such as custom file icons.\r\nCopying Forked Files on HFS Plus\r\nWhen you use the graphical user interface to move files around, the File Manager built in to Mac OS X handles\r\nforked files automatically.\r\nAs of Mac OS X v10.4, most command-line utilities, such as cp, mv, and tar, now handle forked files properly.\r\nPrevious versions of Mac OS X required command-line utilities that were designed for use with forked files. Two\r\nsuch commands, ditto (with the -rsrcFork option) and CpMac, were specifically written to handle forked files\r\ncorrectly. Though it is no longer necessary to use these utilities, ditto is still included on all Mac OS X systems.\r\nYou must install the Developer Tools package to get CpMac, which will then be placed in the /Developer/Tools/\r\ndirectory.\r\nThe following figure shows what happens when you copy files within an HFS Plus file system or between two\r\nsuch file systems using cp, tar, ditto -rsrcFork, or CpMac.\r\nYou can use a number of commands to check whether a file has a resource fork. If you need to check only for the\r\nexistence of a resource fork, you can simply use the ls command. Normally you look at a long file listing with the\r\n-l option:\r\nls -l MyFile\r\n-rw-r--r-- 1 david david 3624 Oct 20 22:02 MyFile\r\nIn the line above, the data fork is 3,624 bytes. 
You can examine the resource fork by looking at what acts like a\r\nhidden object inside the file, as follows:\r\nls -l MyFile/..namedfork/rsrc\r\n-rw-r--r-- 1 david david 9928 Oct 20 22:02 MyFile/..namedfork/rsrc\r\nAlthough it's redundant, you can also use this method to look specifically at the data fork, like this:\r\nls -l MyFile/..namedfork/data\r\n-rw-r--r-- 1 david david 3624 Oct 20 22:02 MyFile/..namedfork/data\r\nYou can dump the contents of a resource fork by using the developer tool DeRez. Note that the Mac OS 9\r\napplication program SimpleText appears to be empty when you look at it with ls. All the content of this file is in\r\nthe resource fork. Note that the output of DeRez is the same whether the file has a resource fork or a shadow file\r\n(shadow files are discussed in the next section).\r\nCopying Forked Files to Other File Systems\r\nWhen you use the Finder to move forked files to a file system that does not support forks, such as UFS, the File\r\nManager puts the resource fork information into shadow files. A shadow file has the same name as the original\r\nfile, with ._ prepended to its name. When you copy the file back to an HFS Plus file system, the File Manager re-creates the specific file forks.\r\nThe same happens when you use ditto -rsrcFork or CpMac to copy files to and from a non-HFS Plus file system.\r\nCopying Forked Files With Non-Mac Applications\r\nIn Mac OS X versions prior to v10.4, ordinary UNIX command-line utilities, such as cp and mv, were not\r\ndesigned to handle file forks or shadow files. When you used cp to copy forked files or files with shadow files,\r\nyou lost the resource fork or shadow file. This was true whether the destination was HFS Plus or another file\r\nsystem. DeRez will also report that the copy has no resource fork and ls lists no shadow files.\r\nSimilarly, applications on Windows computers were not designed to handle file forks or shadow files. 
This can be\r\nan issue if, for example, you transfer files back and forth between your Mac OS X computer and a Windows\r\ncomputer using a flash memory storage device. If you use the Finder or CpMac to copy the files to the device, the\r\nfiles will preserve their shadow files. But if you rename the files or move them around while the device is\r\nconnected to the Windows computer, the shadow files are lost.\r\nIn some cases, you won't notice any problems if the resource fork is missing. In other cases, however, you may\r\nnotice missing file information. Fonts may be absent from a document. Mac OS X might not know what\r\napplication to use to open the file. In most cases, a file's custom icon will be replaced with a more generic icon.\r\nSource: https://flylib.com/books/en/4.395.1.192/1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://flylib.com/books/en/4.395.1.192/1/"
	],
	"report_names": [
		"1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0af560b8323286694b12ba128c0451bcc996dd49.pdf",
		"text": "https://archive.orkl.eu/0af560b8323286694b12ba128c0451bcc996dd49.txt",
		"img": "https://archive.orkl.eu/0af560b8323286694b12ba128c0451bcc996dd49.jpg"
	}
}