Posted on

Knowing Where to Look for Evidence

If you’re learning to become as a computer forensic investigator or e-discovery analyst, knowing where to look for evidence is crucial. Aside from the obvious Documents folder, Pictures folder, Movies folder, Desktop folder, and Download folder, you will also need to gather information by extracting bits and pieces from other places for analysis.

SubRosaSoft’s distributor in China, CFLabs, has been one of the pioneers on Mac Forensics in China for many years, and has published numerous articles on computer forensics. Of the many entries in CFLabs’ training forum, the following table on where to search for evidence has helped us immensely when we were developing Cache Detective. And with the permission of the author, Sprite Guo, we will be translating many of the useful Mac OS X forensics articles.

Please note the information is relevant to Mac OS X 10.11; we have noticed some locations may have been changed in Mac OS X 10.12.

 

 

Location Related Records
private\var\log\system.log USB Disk usage record, System Log
\Users\UserName\Library\Calendars Calendar schedules, appointments, and etc…
\private\var\root\Library\Preferences\com.apple.dock.plist Dock display content
\Users\UserName\Library\Preferences\com.apple.dock.plist Dock display content
\private\var\root\Library\Preferences\com.apple.sidebarlists.plist Finder Sidebar
\Users\UserName\Library\Preferences\com.apple.sidebarlists.plist Finder Sidebar
\private\var\root\Library\Application Support\AddressBook\Metadata\ Contacts
\Users\UserName\Library\Application Support\AddressBook\Metadata\ Contacts
\Users\UserName\Library\Application Support\AddressBook\Sources\ Contacts
\Users\UserName\Library\Containers\com.apple.Notes\Data\Library\Notes\ Notes
\Users\UserName\Library\Containers\com.apple.Maps\Data\Library\Maps\ Maps
\private\var\root\Library\Logs\DiskUtility.log Disk Utility
\Users\UserName\Library\Logs\DiskUtility.log Disk Utility
\private\var\root\Library\Preferences\ Disk Utility Preferences
\Users\UserName\Library\Preferences\ Disk Utility Preferences
\.Trashes\ USB Disk usage record
\Users\UserName\.Trash\Recovered files USB Disk usage record
\Users\UserName\.Trash\ System Log
\Users\UserName\.bash_history Bash History
\Users\UserName\百度云同步盘\ Baidu Cloud
\Users\UserName\Dropbox\ DropBox
\Users\UserName\Library\Mobile Documents\com~apple~CloudDocs\ iCloud
\Users\UserName\Music\iTunes\iTunes Music Library.xml iTunes
\Users\UserName\VirtualBox VMs\ Virtual Box
\Applications\VMware Fusion.app\Contents\Resources\ Vmware
\Users\UserName\Documents\Virtual Machines.localized\ Vmware
\Users\UserName\Library\Application Support\VMware Fusion\Virtual Machines\ Contacts
\Users\UserName\Documents\Parallels\ Parallels
\Library\Printers\ Installed Printers
\Users\UserName\Library\Containers\com.feinno.macfetion\Data\Library\Application Support\Fetion\Cache\ Fetion
\Users\UserName\Library\Application Support\UC4Mac\ Sina Universal Communication
Users\UserName\Library\Containers\com.tencent.qq\Data\Library\Application Support\QQ\ QQ
\Users\UserName\Library\Application Support\Skype\ Skype
\Users\UserName\Library\Containers\com.taobao.aliwangwang\Data\Library\Application Support\AliWangwang\v3\profiles\ AliWangwang
\Users\UserName\Library\Containers\com.yy.macyy\Data\Library\Caches\com.yy.macyy\ YY Social Network
\Users\UserName\Library\Containers\jp.naver.line\Data\ Line
\Users\UserName\Library\Messages\ Messages
\Users\UserName\Library\Application Support\Firefox\Profiles\ Firefox
\System\Library\Tcl\8.4\tclx8.4\help\tcl\status\history Google
\Users\UserName\Library\Application Support\Chromium\Default\History Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\History Google
\usr\share\zsh\5.0.5\help\history Google
\Users\UserName\Library\Application Support\Chromium\Default\Cookies Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\Cookies Google
\usr\share\emacs\22.1\etc\COOKIES Google
\System\Library\Spotlight\Bookmarks.mdimporter\Contents\MacOS\Bookmarks Google
\System\Library\SyncServices\Schemas\Bookmarks.syncschema\Contents\MacOS\Bookmarks Google
\Users\UserName\Library\Application Support\Google\ Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\Application Cache\Cache\data_1 Google
\Users\UserName\Library\Application Support\Google\Chrome\Default\GPUCache\data_1 Google
\Users\UserName\Library\Caches\Chromium\Default\Cache\data_1 Google
\Users\UserName\Library\Caches\Google\Chrome\Default\Cache\data_1 Google
\Users\UserName\Library\Safari\ Safari
\Users\UserName\Library\Application Support\com.operasoftware.Opera\ Opera
\Users\UserName\Library\Application Support\QQBrowser2\Default\History QQBrowser
\Users\UserName\Library\Application Support\QQBrowser2\Default\Bookmarks QQBrowser
\Users\UserName\Library\Application Support\Maxthon\Default\History Maxthon
\Users\UserName\Library\Group Containers\UBF8T346G9.Office\Outlook\Outlook 15 Profiles\Main Profile\Data\Message Sources OutLook
\Library\Preferences\SystemConfiguration\ Network Interface
\Library\Preferences\ Network Configuration, Bluetooth connectivity record, Wifi, Filezilla download
\Users\UserName\Library\Application Support\Thunder\ Thunder Download
\Users\UserName\Library\Preferences\FrostWire5\libtorrent\ Frostwire Download
\Users\UserName\Library\Application Support\uTorrent\ uTorrent Download
\Users\UserName\Library\Application Support\BitTorrent\ BitTorrent Download

A few of the applications listed above are extremely popular in China and Greater China Region. Products like Baidu Cloud, QQ, AliWangWang, and Thunder have huge installed bases and are supported by Cache Detective.

Posted on

View Web Cache Data on Mac OS X

Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

Forensics investigators or eDiscovery experts often employ sophisticated utilites to search  the contents of these folders for cache information. This will show you websites that have been browsed who’s files have not been over-written as well as present cache files that have not been flushed.

There are other utilities that can be used to extract files, but they will need to be told on where to search. Here is a short list on where to look for cache data of various popular web browsers.

  • The default web browser in Mac OS X is Safari. The Safari web cache is located: ~/Users/”USERNAME”//Library/Caches/com.apple.Safari
  • The default storage location for Firefox‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Firefox/
  • The default storage location for Chrome‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Google
  • The default storage location for Opera‘s web cache is: ~/Users/”USERNAME”/Library/Caches/Opera Cache

There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Cache folder that may be of interest for investigators also.

If you are interested in extracting cache files easily, and don’t want to spend the money on an expensive forensics software, consider SubRosaSoft Cache Detective. Cache Detective is a very easy-to-use utility that read the cache of many browser and chat applications and extract the files currently stored in their cache folders. It comes with presets to extract pictures, text, movies, etc… from popular browsers such as Safari, Chrome, FireFox, Opera, Chromium, Chrome Canary, and more.

Cache Detective is optimized to work on the startup volume. For cache data on non-startup volume, Cache Detective allows users to manually locate and extract the cache data.