
Need more specific information about Time Machine

I'm finding it quite difficult to find detailed technical information about a Mac or, what might be more accurate, OSX. At the moment, I'm trying to learn about "how to use Time Machine (TM)". I've been able to find this article which is probably good if you are undertaking precisely the use cases described. However, it does not really reveal how it works well enough to anticipate what might happen when there are slight variations in the use case. If Apple provides anything like an instructional manual for TM I'd be grateful for assistance in finding it.


With that said, my immediate undertaking is to deal with a situation where some outside parties who have now been determined to be untrustworthy have been involved in the installation of software and circumstances suggest that the subject Mac has been maliciously compromised. Therefore, the owner wants to restore the software to a known good state and then recover their work product from a backup made by running TM on the compromised system. This means that I have a TM volume from one Mac that I want to use on what I think is now a new (different) Mac for the purpose of restoring files. The new machine is not yet using TM and it looks like some setup is required. However, it appears to me that TM associates the backup volume with a specific computer which means I have no idea what is going to happen if I should specify the TM backup volume used on the old computer as a TM backup volume on the new computer. At this point, I don't really want any backup to be performed. I'm only interested in performing recovery of a subset of the files contained on the backup (i.e., old TM volume). If someone can provide specific instructions about how to do that it would be greatly appreciated.

MacBook Air, OS X Mavericks (10.9)

Posted on Oct 31, 2015 10:56 AM

17 replies

Nov 1, 2015 12:26 PM in response to arrividerci

As you're probably already doing... Make a complete backup of the disk using Disk Utility and start over. Install from known-good distros. For anything that post-dates the breach, haul over only data from the backups, and not executable code.


Not entirely certain what you're planning, so I'll take a few different guesses...


You can use Time Machine to get a copy of the questionable disk, but that's added overhead to get a single backup — unless you're going to assume the disk has been "decontaminated", that is.


If you want to clone from one computer (presumably known-good) to another, perform a Time Machine restore to a scratch disk (probably on the known-good computer), and then swap that disk over and use it as the migration source for a new installation of OS X.


If you're fetching files out of the questionable backup, you could boot OS X from an external USB device and fetch individually, or — probably easier — restore the entire TM onto an external scratch disk, boot from a USB-based installer, wipe the current questionable boot disk and reinstall OS X onto the target boot disk, then haul over the files from that external disk containing the TM restore. As mentioned earlier, don't haul over bundles or applications from that disk — only retrieve those from a known-good source.

Nov 1, 2015 2:03 PM in response to MrHoffman

You've mentioned some avenues that look promising and I've now consumed some of the material which Eric referenced.


To be more specific about the task at hand, the steps that have been performed are as follows:

  • Select a target disk (128GB thumb drive) for TM and re-format using extended file system.
  • Initiate TM on the problem computer (i.e., TM had not yet been activated) with prepared thumb drive as the target.
  • Use the built-in recovery partition to first re-format (erase) the system/boot (OSX) partition using the Disk Utility.
  • Use the built-in recovery partition to restore OSX to the re-formatted system/boot partition.

The result is that I have a fresh new (clean) version of OSX (Mavericks) installed and I have a thumb drive with files created by TM.


The goal is to restore only the files from the TM backup that represent work product (i.e., documents, pictures, etc.) created on the prior system. It might be worth mentioning that when I did the restoration I entered an Account Name that is likely different than what was specified on the prior system. I'm thinking this is the name of the computer. From reading some of the documents Eric referred me to, it looks like TM will still think of this as the same system (computer) that the TM backup was created on (i.e., the firmware is unchanged) but TM has not yet been activated on the new system. If I'm properly grasping what TM will do, I could activate it on the new system, which has none of the work product files I'm after present, and it will go ahead and backup the system files (at least those that are different) onto the TM thumb drive. Then I can go ahead and selectively restore the work product. Does that sound like a valid approach?

Nov 1, 2015 4:26 PM in response to arrividerci

arrividerci wrote:


If I'm properly grasping what TM will do, I could activate it on the new system, which has none of the work product files I'm after present, and it will go ahead and backup the system files (at least those that are different) onto the TM thumb drive. Then I can go ahead and selectively restore the work product. Does that sound like a valid approach?

Again, I'd create and boot a bootable USB flash drive containing a clean copy of Yosemite or El Capitan (made via that known-good system) and use OS X Recovery from there to restore the questionable Time Machine backup onto a scratch disk, and strictly for the purpose of performing a whole-disk restoration onto the scratch disk. Pick your files out from there.

I'd not boot an untrusted configuration.


Time Machine backs up the whole system, and restores the whole system and — optionally — allows the recovery of individual files.


Given the nature of this discussion, also consider getting some local technical assistance here, too. That'd likely be best practices for appropriately managing work product, after all.

Nov 5, 2015 8:07 AM in response to MrHoffman

OK! I've successfully used the recovery partition to create another bootable system on a flash drive (FD). The procedure for doing this offered the option of using a TM backup to transfer files. From the TM Restore menu I unchecked everything (Applications, etc.) except Documents. This all seemed to work pretty good but I ended up with something that looks like it might be problematic.


The procedure for using TM to restore ended up placing a folder/directory into the "users" directory with the same name as the user account on the old machine from which the backup was created. It also looks like this is the name of the only user account on the new FD system. However, that is not the name of the user account on the new system (computer HD) which is the ultimate destination of files I'm trying to recover. It looks like OSX won't allow me to rename the directory used for a user account. Likewise when I rename the user in system preferences the corresponding directory in the "users" directory does not get changed.


This has caused me to recognize something that appears to be a problem on the new system created on the computers hard drive. This is the one I'm intending to end up with. The name of the user account that shows up in system preferences and the splash page for logging in does not appear as a directory in the "users" folder. There is a different name there that happens to be what I thought I was specifying for the name of the computer but now I cannot find anything like a computer name. This causes me to wonder what possible problems that might cause going forward. Does OSX maintain any kind of a setting for naming the computer (i.e., often called the host name in networking terms)?


OSX seems to prohibit, or possibly disguise from a novice user like myself, some file system operations that would seem like normal things to do such as perform a rename operation on a directory. In summary, should there always be a directory name in the users directory which matches the name of the user account used to login? If so, how do I correct the current mismatches?

Nov 5, 2015 9:03 AM in response to arrividerci

Not sure what you're up to, here. I did not suggest checking off anything during the restoration, I suggested restoring the entire Time Machine backup to a scratch disk. All of it. Then picking over just what's needed, from that now-restored disk. This is a pain to do, but it's — when the contents of the original backup are untrusted — about the only way I'm aware of that can reduce the likelihood of reinstalling some problematic files.


Scratch disks are cheap, too.


This approach only reduces the chances, too. If the attacker was somewhat more sophisticated and/or if you're worth the effort to invest in this effort, then this recovery path may not provide a clean recovery.


For some of these cases, the whole Mac is now considered "scratch" and should be replaced.

Better still: get some formal help. Restoring a Time Machine backup and dealing with file protections is (unfortunately) a small part of what can potentially arise with attempting to decontaminate a potentially-compromised system.

Nov 5, 2015 9:28 AM in response to MrHoffman

What I was thinking and what seems to have happened is that I have a bootable flash drive (FD) which should be free of software contamination. I do understand your point about certain kinds of files created by applications being able to contain malicious code but my plan was to copy the entire contents of the directory within the "users" directory on the FD to the same place on the now clean HD. Under Windows and Linux this is pretty simple but OSX seems to make it hard, or at least unnatural, to deal somewhat directly with the file system.


Can the name of a directory within the "users" directory be changed without messing up the system? If so how? Even if not necessary it would be desirable to use the name of the user account for the corresponding directory within the "users" directory. OSX seems to do that, at least, under some circumstances.


I also recognize that there are other helpful reasons for having a secondary system to boot. It allows a novice, like me, to experiment without risk of screwing things up on a system intended for real operational use. Thanks for informing me about that!

Nov 5, 2015 10:29 AM in response to arrividerci

arrividerci wrote:


What I was thinking and what seems to have happened is that I have a bootable flash drive (FD) which should be free of software contamination.


You're potentially presuming that local files and local applications are pristine. It's unfortunate, but data files can and variously do contain executable code. Not the least of which are the macros embedded in some supposedly-text documents. This goes back to my earlier comment that decontamination is not a certainty.


On OS X, applications themselves are stored as bundles, and these can themselves be potentially problematic — if the files or bundles are transferred over from the restored configuration. This goes back to my earlier recommendation to use known-good copies of these and other tools. To minimize what was recovered from the disk.

I do understand your point about certain kinds of files created by applications being able to contain malicious code but my plan was to copy the entire contents of the directory within the "users" directory on the FD to the same place on the now clean HD. Under Windows and Linux this is pretty simple but OSX seems to make it hard, or at least unnatural, to deal somewhat directly with the file system.


The OS X directory and configuration organization is a simple one, and the protections are typical of Unix. There are and always have been variations between Unix distributions, whether Linux, one of the BSD distros, or with Solaris or illumos or otherwise. Restoring the entire backup onto a scratch disk goes back to my earlier suggestion around a simple way to do this, too — restore the whole disk as it was, then look where the login usually is (under /Users) and pick off the specific files of interest that are not otherwise available. Restore the entire Time Machine backup to a scratch disk, then mount that and pull over the data files you want or need. This approach is a common practice with backups on many operating systems, and largely irrespective of the platform — restore the complete copy, then transfer over specific files as needed.

I also recognize that there are other helpful reasons for having a secondary system to boot. It allows a novice, like me, to experiment without risk of screwing things up on a system intended for real operational use. Thanks for informing me about that!


Your approach is a very good way to learn how the pieces really fit together, but it'll take a while. I've certainly used it. Given my own experience with following this and similar approaches, mistakes are likely with this approach, too. It's a really good way to learn. Or if you're in a hurry or otherwise, you can enlist more formal assistance with the recovery. More experienced help. While we've all started out unfamiliar with OS X, recovering from a potential or actual breach is unfortunately the proverbial deep end of the pool. That's irrespective of the operating system, too.


There's also unfortunately no certainty here. A competent and decently-funded attacker may well have gone as far as updating device firmware, for instance. That is, if this target is worth the effort. That's really hard to spot.
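The scratch-disk approach described above, carried into a small script, as an added example that is not part of this thread or of Apple's tooling: it assumes the whole backup has already been restored onto a scratch volume (paths like /Volumes/scratch/Users/olduser are assumptions) and copies only data files from the old home directory into the new one, refusing executables, application bundles and macro-enabled documents rather than carrying over executable code.

```shell
#!/bin/sh
# Added example (not from this thread): after restoring the whole Time Machine
# backup onto a scratch disk, carry over only data files from the old home
# directory, refusing executables, bundles and macro-enabled documents.
# Paths such as /Volumes/scratch/Users/olduser are assumptions.

# Return 0 (true) when the file is something we will not carry over:
# exec bit set, macro-enabled Office format, or Mach-O/fat/Java magic bytes
# (a restore can drop the exec bit, so the magic check is the real guard).
looks_executable() {
    f="$1"
    case "$f" in
        *.docm|*.xlsm|*.pptm|*.dotm|*.xlsb) return 0 ;;
    esac
    [ -x "$f" ] && return 0
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
    esac
    return 1
}

# Copy eligible regular files from SRC (old home on the scratch disk) into DST
# (new home), keeping the relative layout. Bundle directories are pruned
# whole; every rejected file is reported as "SKIP <relative path>" on stderr.
# Assumes file names without newlines.
pull_user_data() {
    src="$1"; dst="$2"
    find "$src" -type d \( -name '*.app' -o -name '*.bundle' -o -name '*.kext' \
        -o -name '*.plugin' -o -name '*.prefPane' -o -name '*.pkg' \) -prune \
        -o -type f -print |
    while IFS= read -r f; do
        rel=${f#"$src"/}
        if looks_executable "$f"; then
            printf 'SKIP %s\n' "$rel" >&2
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
}

# Constructed fixture standing in for the scratch disk and the clean home;
# prints the temporary root so the result can be inspected.
demo() {
    root=$(mktemp -d)
    old="$root/scratch/Users/olduser"; new="$root/Users/newuser"
    mkdir -p "$old/Documents" "$old/Pictures" "$old/Applications/Tool.app/Contents/MacOS"
    printf 'quarterly report\n' > "$old/Documents/report.txt"
    printf 'jpeg bytes\n' > "$old/Pictures/holiday.jpg"
    printf '#!/bin/sh\necho hi\n' > "$old/Documents/helper.sh"
    chmod +x "$old/Documents/helper.sh"
    printf '\376\355\372\317 rest' > "$old/Documents/dropper"   # Mach-O 64-bit magic, no exec bit
    printf 'PK macro doc' > "$old/Documents/invoice.docm"
    printf 'binary' > "$old/Applications/Tool.app/Contents/MacOS/Tool"
    pull_user_data "$old" "$new" 2>"$root/skipped.log"
    printf '%s\n' "$root"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh pull.sh demo` to see the constructed fixture; on the real scratch volume call `pull_user_data` with the two home directories and review the SKIP lines before deciding anything else is needed.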

Nov 5, 2015 10:48 AM in response to arrividerci

arrividerci wrote:


... I'm only interested in performing recovery of a subset of the files contained on the backup (i.e., old TM volume). If someone can provide specific instructions about how to do that it would be greatly appreciated.

Assuming you want to recover from a TM backup suspected to contain corrupted files you do not want to restore, begin with Step 2.


Otherwise, follow only Step 1, and stop there.


  1. If you have a backup that you created prior to the onset of the intrusive event, now is the time to use it. For Time Machine, boot OS X Recovery, and at the Mac OS X Utilities screen, choose Restore from Time Machine Backup. Choose a date preceding the intrusive event.
  2. If you do not have a backup, create one now. To do that read Use Time Machine to back up or restore your Mac.
  3. The recovery procedure will require that you erase the Mac using OS X Recovery, and then create a new User Account whose contents will be empty. You will then be able to use Setup Assistant to migrate your essential documents including photos, music, work products and other essential files.
  4. To erase and install OS X read How to reinstall OS X on your Mac.
  5. Follow the instructions in that document under Erase your drive and install OS X.
  6. Then, follow the procedure in Move your content to a new Mac.
  7. When asked how you want to transfer your information, select Transfer from a Mac, Time Machine backup, or startup disk.
  8. Under Select the Information to Transfer, select only your previous User account and do not select "Applications", "Computer and Network Settings" or "Other files and folders". De-select those choices.
  9. Subsequent to using Setup Assistant, you will need to reinstall the essential software you may require, once again remembering to install software only from their original sources, and omitting all non-essential software.
  10. "Non-essential software" is a broad category that includes but is not limited to third party "cleaning", "maintenance", and "anti-virus" products.

Nov 5, 2015 2:04 PM in response to John Galt

Many thanks for the step-by-step instructions. I think what I've done so far matches what is specified up to and including Step 5 where my situation is the one corresponding to Step 2. In that, I had no backup from prior to suspecting the contamination.

My understanding from reviewing the material referenced by Step 6 is that it generally pertains to a situation where 2 computers are available (i.e., an old one and a new one). I don't have 2 computers. What I have is the situation described as TM backup on an external drive. I'm stuck when I get to the instructions for "Use the Migration Assistant" because it only references what to do on each of the 2 computers. It does NOT provide instructions for the case, described, that depends on an external drive with a TM backup.

Nov 5, 2015 2:43 PM in response to arrividerci

In Move your content to a new Mac, you will be following the instructions under "Use Migration Assistant", and skip down to "On your new Mac". There, you will be selecting the Time Machine backup. From there you will be able to exclude anything you want, which given the circumstances you describe ought to be "Applications", "Computer and Network Settings" or "Other files and folders". Those choices should be de-selected, while leaving the User Account you wish to migrate selected. Clicking the "reveal triangle" to the left of the selected User Account will allow you to further constrain the types of files you wish to transfer.


Having said all that, I do not know if Time Machine can reliably use a USB flash drive as you have been using, since Apple's support documentation does not specifically include that type of storage medium. They use the terminology "hard drive" which to me implies a hard disk drive. You're about to find out if a flash drive will also work. I can think of no reason it shouldn't work, but I never tried to use Time Machine with one of them.

Nov 6, 2015 7:40 AM in response to John Galt

OK - Migration Assistant finds the Time Machine backup and this brings me back to the problem mentioned earlier in this thread. It comes to the screen titled "Select the Information to Transfer" where it lists what is available to select. One looks like the name of the directory on the old machine where the work product (i.e., what I'm after) is listed. This is nice. However, based on a prior experience I think what I'm going to end up with is a new directory on the new system within ./users with the user name from the old system. Before doing that I'd like to know, "how do I substitute that for the directory on the new system associated with a user already defined there?".


Note: I am using a flash drive. It worked fine when performing the TM backup and works fine now. However, I did read somewhere that it is necessary to reformat the drive to use an extended file system with a GPT partition table. I did do that and of course that does limit the portability of the flash drive.
