Posted on

Revisit Unhiding the User Library folder

Back in 2011, when Apple released Mac OS X 10.7 Lion, it boasted over a hundred improvements to enhance the user experience, and one of them was the hiding of the User Library folder. To get around it, simply launch the Terminal (found in the Utilities folder inside your Applications folder) and paste in the following command and press the Enter key:

sudo chflags nohidden ~/Library/

Messing with the Terminal app isn’t an elegant method , but it allows you to access Library folder to remove a preference file, or delete an Application Support folder.

Beginning with Mac OS X 10.8 Mountain Lion forward, Apple has introduced a quick and  easy way to access the Library folder.

In the Finder window, hold down the Option key while accessing the Go menu on the top menu bar, and select Library, the Library folder will open, allowing you to access its contents.

Unhide Library Option

The technique will not change the Library folder to permanently visible. Once you close the Library folder, it will no longer show up in the Home folder. To access the Library folder again, you will have to perform the same procedure of selecting option-Go-Library.

If you need to access the Library folder frequently, You can still employed the Terminal method described above to unhide the Library, which will be turned visible until you tell Terminal to hide it with the command

sudo chflags hidden ~/Library/

Under macOS 10.12 Sierra, the Option-Go-Library method no longer works. Instead, you will need to do the following*:

From the Go menu, select the home folder.

Select Go to Home Folder

Your Home folder will open and with the visible folders displayed.

Home Directory with No Llibrary

To reveal the Library folder, Select Show View options and click on the check box for Show Library Folder.

Show View Option

Checking it will allow the Library to stay visible, even after a restart.

Home Folder with Library Displayed

*The procedure also works on Mac OS X 10.11.

Posted on

Knowing Where to Look for Evidence

If you’re learning to become as a computer forensic investigator or e-discovery analyst, knowing where to look for evidence is crucial. Aside from the obvious Documents folder, Pictures folder, Movies folder, Desktop folder, and Download folder, you will also need to gather information by extracting bits and pieces from other places for analysis.

SubRosaSoft’s distributor in China, CFLabs, has been one of the pioneers on Mac Forensics in China for many years, and has published numerous articles on computer forensics. Of the many entries in CFLabs’ training forum, the following table on where to search for evidence has helped us immensely when we were developing Cache Detective. And with the permission of the author, Sprite Guo, we will be translating many of the useful Mac OS X forensics articles.

Please note the information is relevant to Mac OS X 10.11; we have noticed some locations may have been changed in Mac OS X 10.12.

 

 

Location Related Records
private\var\log\system.log USB Disk usage record, System Log
\Users\UserName\Library\Calendars Calendar schedules, appointments, and etc…
\private\var\root\Library\Preferences\com.apple.dock.plist Dock display content
\Users\UserName\Library\Preferences\com.apple.dock.plist Dock display content
\private\var\root\Library\Preferences\com.apple.sidebarlists.plist Finder Sidebar
\Users\UserName\Library\Preferences\com.apple.sidebarlists.plist Finder Sidebar
\private\var\root\Library\Application Support\AddressBook\Metadata\ Contacts
\Users\UserName\Library\Application Support\AddressBook\Metadata\ Contacts
\Users\UserName\Library\Application Support\AddressBook\Sources\ Contacts
\Users\UserName\Library\Containers\com.apple.Notes\Data\Library\Notes\ Notes
\Users\UserName\Library\Containers\com.apple.Maps\Data\Library\Maps\ Maps
\private\var\root\Library\Logs\DiskUtility.log Disk Utility
\Users\UserName\Library\Logs\DiskUtility.log Disk Utility
\private\var\root\Library\Preferences\ Disk Utility Preferences
\Users\UserName\Library\Preferences\ Disk Utility Preferences
\.Trashes\ USB Disk usage record
\Users\UserName\.Trash\Recovered files USB Disk usage record
\Users\UserName\.Trash\ System Log
\Users\UserName\.bash_history Bash History
\Users\UserName\百度云同步盘\ Baidu Cloud
\Users\UserName\Dropbox\ DropBox
\Users\UserName\Library\Mobile Documents\com~apple~CloudDocs\ iCloud
\Users\UserName\Music\iTunes\iTunes Music Library.xml iTunes
\Users\UserName\VirtualBox VMs\ Virtual Box
\Applications\VMware Fusion.app\Contents\Resources\ Vmware
\Users\UserName\Documents\Virtual Machines.localized\ Vmware
\Users\UserName\Library\Application Support\VMware Fusion\Virtual Machines\ Contacts
\Users\UserName\Documents\Parallels\ Parallels
\Library\Printers\ Installed Printers
\Users\UserName\Library\Containers\com.feinno.macfetion\Data\Library\Application Support\Fetion\Cache\ Fetion
\Users\UserName\Library\Application Support\UC4Mac\ Sina Universal Communication
Users\UserName\Library\Containers\com.tencent.qq\Data\Library\Application Support\QQ\ QQ
\Users\UserName\Library\Application Support\Skype\ Skype
\Users\UserName\Library\Containers\com.taobao.aliwangwang\Data\Library\Application Support\AliWangwang\v3\profiles\ AliWangwang
\Users\UserName\Library\Containers\com.yy.macyy\Data\Library\Caches\com.yy.macyy\ YY Social Network
\Users\UserName\Library\Containers\jp.naver.line\Data\ Line
\Users\UserName\Library\Messages\ Messages
\Users\UserName\Library\Application Support\Firefox\Profiles\ Firefox
\System\Library\Tcl\8.4\tclx8.4\help\tcl\status\history Google
\Users\UserName\Library\Application Support\Chromium\Default\History Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\History Google
\usr\share\zsh\5.0.5\help\history Google
\Users\UserName\Library\Application Support\Chromium\Default\Cookies Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\Cookies Google
\usr\share\emacs\22.1\etc\COOKIES Google
\System\Library\Spotlight\Bookmarks.mdimporter\Contents\MacOS\Bookmarks Google
\System\Library\SyncServices\Schemas\Bookmarks.syncschema\Contents\MacOS\Bookmarks Google
\Users\UserName\Library\Application Support\Google\ Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\Application Cache\Cache\data_1 Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\GPUCache\data_1 Google
\Users\UserName\Library\Caches\Chromium\Default\Cache\data_1 Google
\Users\UserName\Library\Caches\Google\Chrome\Default\Cache\data_1 Google
\Users\UserName\Library\Safari\ Safari
\Users\UserName\Library\Application Support\com.operasoftware.Opera\ Opera
\Users\UserName\Library\Application Support\QQBrowser2\Default\History QQBrowser
\Users\UserName\Library\Application Support\QQBrowser2\Default\Bookmarks QQBrowser
\Users\UserName\Library\Application Support\Maxthon\Default\History Maxthon
\Users\UserName\Library\Group Containers\UBF8T346G9.Office\Outlook\Outlook 15 Profiles\Main Profile\Data\Message Sources OutLook
\Library\Preferences\SystemConfiguration\ Network Interface
\Library\Preferences\ Network Configuration, Bluetooth connectivity record, Wifi, Filezilla download
\Users\UserName\Library\Application Support\Thunder\ Thunder Download
\Users\UserName\Library\Preferences\FrostWire5\libtorrent\ Frostwire Download
\Users\UserName\Library\Application Support\uTorrent\ uTorrent Download
\Users\UserName\Library\Application Support\BitTorrent\ BitTorrent Download

A few of the applications listed above are extremely popular in China and Greater China Region. Products like Baidu Cloud, QQ, AliWangWang, and Thunder have huge installed bases and are supported by Cache Detective.

Posted on

View Web Cache Data on Mac OS X

Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

Forensics investigators or eDiscovery experts often employ sophisticated utilites to search  the contents of these folders for cache information. This will show you websites that have been browsed who’s files have not been over-written as well as present cache files that have not been flushed.

There are other utilities that can be used to extract files, but they will need to be told on where to search. Here is a short list on where to look for cache data of various popular web browsers.

  • The default web browser in Mac OS X is Safari. The Safari web cache is located: ~/Users/”USERNAME”//Library/Caches/com.apple.Safari
  • The default storage location for Firefox‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Firefox/
  • The default storage location for Chrome‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Google
  • The default storage location for Opera‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Opera Cache

There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Cache folder that may be of interest for investigators also.

If you are interested in extracting cache files easily, and don’t want to spend the money on an expensive forensics software, consider SubRosaSoft Cache Detective. Cache Detective is a very easy-to-use utility that read the cache of many browser and chat applications and extract the files currently stored in their cache folders. It comes with presets to extract pictures, text, movies, etc… from popular browsers such as Safari, Chrome, FireFox, Opera, Chromium, Chrome Canary, and more.

Cache Detective is optimized to work on the startup volume. For cache data on non-startup volume, Cache Detective allows users to manually locate and extract the cache data.

Posted on

Good Backup Is A Lifesaver

While it’s very important to be prepared for data loss with a powerful data recovery program like FileSalvage, it’s also important to keep current backups of your important files.  File recovery programs can recover many of the lost files in the event of accidental deletion and some other data loss situations but with some forms of data loss they can’t replace having a backup copy.

1 in 5 computers suffer fatal hard drive crashes that can leave your valuable files gone forever even for the best of data recovery software.  Using SubRosaSoft Disk Copy to make a backup of your data can insure that if a hard drive crash does happen, you’re prepared.  Paying a data recovery company to get your files back usually costs thousands of dollars and takes time plus there is no guarantee they will be able to get all your information back.  The fast read and write speeds of modern hard drives makes backing up even large amounts of data fairly quick and it really pays off when disaster happens.  Rather than wasting time trying to recover your lost files, simply restore them from your backup and you’re ready to go again.

While SubRosaSoft Disk Copy supports multiple backup modes such as cloning, synchronization, incremental backups, and scheduled backups, it’s limited to Mac drives and will not clone non-Mac partitions such as Windows or Linux. If you want to backup a multi-partition drive or a dual boot (Mac OS X and Windows) device, consider SubRosaSoft CopyCatX instead. CopyCatX is device and file system independent application, which means that the user can clone or create disk images from any normal Mac OS drive, Windows, Linux device, or even TiVO drive.

Posted on

SubRosaSoft.com Announces SubRosaSoft Disk Copy Version One

Feature-rich Mac OS X backup software simplifies daily backup routine to protect your data.

FREMONT, Calif.–(BUSINESS WIRE)–SubRosaSoft.com Inc., announces the immediate availability of SubRosaSoft Disk Copy, a well-rounded and very easy-to-use backup and cloning system. It can create bootable copies of a startup drive, manage synchronization of volumes, handle incremental bootable copies, and run backups using a schedule.

“SubRosaSoft Disk Copy is designed for Mac OS X 10.9 and above, and optimized for Yosemite and El Capitan. Disk Copy supports multiple backup modes such as Cloning and Synchronization of drives,” explains Ben Slaney, programmer of SubRosaSoft Disk Copy. “It can also make incremental snapshots that back up your most recent changes, and retain older versions of files you can retrieve, if needed. All these backup tasks can be scheduled and automated at times convenient for you.”

An exciting feature of Disk Copy is the use of hard links to reduce the amount of space required for incremental backup. “To keep disk usage down to absolute minimum, SubRosaSoft Disk Copy Incremental Backup uses hard links.” According to Slaney, “The backup will appear and behave as an exact clone, but only take up a small amount of space. You can store many time-stamped backups of your drive or folders, and you can go back and pull out copies of any particular files that you want.”

Written specifically for Mac OS X Mavericks and above, SubRosaSoft Disk Copy includes powerful features that give you greater control and flexibility over cloning, backup, and the duplication of data:

  • Easy-to-use interface — The application’s single-window design makes cloning and backing up a simple process.
  • Extremely fast incremental backups — Instead of cloning an entire drive, this feature adds only new or updated files to your destination.
  • Filtering capability — Allows you to exclude files from a backup.
  • Stop and Resume — Interrupt a backup and start it again later.
  • Save your backup settings — Use Disk Copy’s scheduling features to create automatic backups or to save settings for manual backups you can run when you need.

SubRosaSoft Disk Copy is designed to run on Macs with the following minimum specifications:

  • Apple Power Macintosh CPU (Intel based)
  • Mac OS X (10.9 Mavericks or higher)
  • At least 2 GB of RAM

MSRP for SubRosaSoft.com is $34.95 and it’s available as download only. For more information on SubRosaSoft Disk Copy and downloading a fully functional trial version of the software, please visit: SubRosaSoft.com

Note to editors: SubRosaSoft Disk Copy is a trademark of SubRosaSoft.com Inc. Mac OS X is a trademark or registered trademarks of Apple Inc. All trademarks and registered trademarks remain the property of their respective owners.

Contacts

SubRosaSoft.com

Mark Hurlow, 510-870-7883

mhurlow@subrosasoft.com