A number of different files can be recovered by scraping the HFS journal. Really, anything that was once live on the filesystem can be recovered; especially smaller files such as property lists, images, and other similar data. Because the HFS journal has a finite size, smaller files are more likely to be recovered than larger ones.
When an application suspends into the background, a capture of the screen contents is taken and written to disk. This is done so that when the user returns to the application, the window appears to zoom back into display, as if the application is immediately loaded from the background. In reality, the application takes a brief moment to load back and become active again, and the animation affords the program the time it needs.
Application screenshots are repeatedly taken whenever the application is suspended, and then later deleted or overwritten. This can also happen if a phone call is received or another event causes your application to suspend. Deleted versions of these application screenshots are often found in the HFS journal, leaking the contents of even the most securely encrypted data in your application (see Figure 6-1).
Figure 6-1. Recovered screenshot of a user’s mail, a useful tool in forensics
In addition to application screenshot leakage, secure websites are also subject to this common screenshot ...