Catalog Node IDs (CNID)

From ForensicsWiki
Jump to: navigation, search

A Catalog Node ID, also known as "CNID", is a unique 4 byte (32 bit unsigned) sequentially incrementing value unique to every file on a Mac system.

Because CNIDs increment when new files are created, they can be used to timeline system activity.

CNIDs 1-16 are reserved for use by Apple.

  • 0 Invalid, never used
  • 1 Parent ID of root folder
  • 2 Root folder ID
  • 3 Extents Overflow file ID
  • 4 Catalog file ID
  • 5 Hypothetical Bad Blocks file - see Extents Overflow
  • 6 Allocation file ID
  • 7 Startup file ID
  • 8 Attributes file ID
  • 9-13 Unused
  • 14 Temp Catalog file
  • 15 Temp used during exchangedata() call
  • 16 First user catalog node

If CNIDs run out of room (for example, 4 billion values used on HFS+), the CNIDs will wrap around.

Sources: Mac OS X and iOS Internals, by Jonathan Levin, 2013: page 633. Mac OS X Internals, by Amit Singh, 2007: 12.7.1-12.7.2

See also: Mac fsevents; Mac QuickLook cache; Unix index node / Unix inode