Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.
Forensics investigators or eDiscovery experts often employ sophisticated utilites to search the contents of these folders for cache information. This will show you websites that have been browsed who’s files have not been over-written as well as present cache files that have not been flushed.
There are other utilities that can be used to extract files, but they will need to be told on where to search. Here is a short list on where to look for cache data of various popular web browsers.
- The default web browser in Mac OS X is Safari. The Safari web cache is located: ~/Users/”USERNAME”//Library/Caches/com.apple.Safari
- The default storage location for Firefox‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Firefox/
- The default storage location for Chrome‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Google
- The default storage location for Opera‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Opera Cache
There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Cache folder that may be of interest for investigators also.
If you are interested in extracting cache files easily, and don’t want to spend the money on an expensive forensics software, consider SubRosaSoft Cache Detective. Cache Detective is a very easy-to-use utility that read the cache of many browser and chat applications and extract the files currently stored in their cache folders. It comes with presets to extract pictures, text, movies, etc… from popular browsers such as Safari, Chrome, FireFox, Opera, Chromium, Chrome Canary, and more.
Cache Detective is optimized to work on the startup volume. For cache data on non-startup volume, Cache Detective allows users to manually locate and extract the cache data.