
Safari History

10 Posts
8 Users
0 Likes
868 Views
(@tmy880)
Posts: 23
Eminent Member
Topic starter
 

Here's the scenario. I acquired an iMac using Target Disk Mode to an Apple MacBook Pro. I then created an .E01 image of the hard drive.

I then opened up the hard drive in EnCase and it verified with 100 percent accuracy.

I then tried using EnCase's Internet History (Comprehensive) Extractor and EnCase keeps locking up and will not search.

Could anyone provide help with this?

Thank you.

 
Posted : 23/04/2010 3:05 am
(@patrick4n6)
Posts: 650
Honorable Member
 

Either try examining the config and history files using a Mac, or get a tool that specifically handles Safari history like CacheBack.

 
Posted : 23/04/2010 4:26 am
mwp2008
(@mwp2008)
Posts: 15
Active Member
 

At the risk of sounding stupid, are you certain that EnCase is, in fact, "locking up"?

My experience with the Internet History Search - comprehensive is that it takes a huge amount of time to run... on the order of days. And there's no indication of how long the search will take, like a progress bar.

Just a thought.

 
Posted : 23/04/2010 7:04 am
(@tmy880)
Posts: 23
Eminent Member
Topic starter
 

Yes, it is locking up. The computer tries to send a Windows error upon lockup and then shuts down EnCase.

I tried NetAnalysis but it doesn't work with the new XML file system that Mac uses.

It only works on older XML Mac files.

 
Posted : 24/04/2010 12:15 am
(@twjolson)
Posts: 417
Honorable Member
 

I heard of a tool once called Mac Marshall (free to law enforcement) that seemed to be a sweet Mac forensics program. It only runs on a Mac; because of this it uses the forensic machine's Mac OS to unencrypt and decode things, such as the internet history (if I recall, the internet history can get stored in the encrypted home directory, and/or in an encoded version of an XML file). Some of my details may be wrong, since I do not have practical Mac forensics experience.

 
Posted : 24/04/2010 1:19 am
neddy
(@neddy)
Posts: 182
Estimable Member
 

Forgive me if I am mistaken but I am unsure about the references to Safari using xml as a file system. I have only examined iPhones and iPod Touch devices and they used Sqlite3 database files to store Internet history records.
I found 'Sqlite database browser' to be a most effective tool when examining the database tables. Files like 'history.plist' can be examined in this manner.
Hope this helps and indulge me if I am missing the point!

 
Posted : 24/04/2010 2:20 am
(@twjolson)
Posts: 417
Honorable Member
 

Again, I could be totally, totally wrong. But from what I recall, the plist files are binary (non-plaintext) versions of an XML file. They can be decoded.

I don't have access to the powerpoints from the lecture, but I would love for someone to prove me right or wrong so I can learn.

 
Posted : 24/04/2010 2:32 am
(@indur)
Posts: 67
Trusted Member
 

Safari's history is stored in a plist-format. Plists can be either XML or binary – Macintosh programs can use them interchangeably. XML plists are easily readable by hand. Binary plists can be converted to XML format with the Mac / Darwin tool "plutil". You can also view either of these with the Property List Editor (on a Mac) or a forensics tool that reads plists.

Safari's cache, in newer versions of Safari, is stored in an SQLite database file. There are plenty of SQLite database browsers out there that work quite well.

In addition, on newer systems, a second copy of the history is stored as a set of .webhistory files (for indexing by Spotlight). These are also plists. On systems with Safari 4+, jpg and png "screenshots" of every page in your history are also stored.

 
Posted : 26/04/2010 2:17 am
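
As an added example (not code from any poster in this thread), a Python sketch of reading a Safari History.plist exported from an image, in either the XML or the binary form described in the post above. It assumes the `WebHistoryDates` layout of Safari from that era (URL under an empty-string key, `lastVisitedDate` as seconds since 2001-01-01 UTC); the sample records are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Safari stores lastVisitedDate as seconds since the Core Foundation epoch.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def detect_format(data: bytes) -> str:
    """Classify a plist by its leading bytes without parsing it."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip().startswith((b"<?xml", b"<!DOCTYPE plist", b"<plist")):
        return "xml"
    return "unknown"

def parse_history(data: bytes):
    """Return (format, rows) for an exported History.plist, newest visit first."""
    fmt = detect_format(data)
    if fmt == "unknown":
        raise ValueError("not an XML or binary plist")
    root = plistlib.loads(data)  # handles both encodings
    rows = []
    # Assumed layout: WebHistoryDates is a list of dicts, URL under the "" key.
    for item in root.get("WebHistoryDates", []):
        try:
            when = MAC_EPOCH + timedelta(seconds=float(item["lastVisitedDate"]))
        except (KeyError, TypeError, ValueError):
            when = None  # keep the record even if the timestamp is damaged
        rows.append({"url": item.get(""), "title": item.get("title"),
                     "visits": int(item.get("visitCount", 0)),
                     "last_visited_utc": when})
    rows.sort(key=lambda r: r["last_visited_utc"] or MAC_EPOCH, reverse=True)
    return fmt, rows

# Constructed sample records (not evidence from any real system).
SAMPLE = {"WebHistoryDates": [
    {"": "http://example.com/a", "title": "Page A",
     "lastVisitedDate": "293760000.0", "visitCount": 3},
    {"": "http://example.com/b", "lastVisitedDate": "not-a-number"},
]}

if __name__ == "__main__":
    for plist_fmt in (plistlib.FMT_XML, plistlib.FMT_BINARY):
        fmt, rows = parse_history(plistlib.dumps(SAMPLE, fmt=plist_fmt))
        for r in rows:
            print(fmt, r["last_visited_utc"], r["visits"], r["url"], r["title"])
```

Run it against a working copy of the file exported from the image, and note that the timestamps are reported in UTC.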
(@xaberx)
Posts: 105
Estimable Member
 

I'm no expert in Macs, but our new toolkit will do Safari on Windows, focusing on the binary version of the plist. If you can extract the history file to, say, a flash drive or other small volume, it will detect and deconstruct it; mounting the Mac image will work as well if you have that capability. Again, not trying to sell or pitch our toolkit, but I did write that part of the program and manual deconstruction was a pain… just posting hoping it helps you in your analysis.

You can try it out at www.wiseforensics.com
There is an every-other-line limitation in demonstration mode. But I ran it on a test plist from a Mac and it worked fine.

Hope it helps,
Ryan Manley
Wise Forensics

 
Posted : 26/04/2010 9:11 am
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Take a look at NetAnalysis by Digital Detective.

 
Posted : 26/04/2010 5:16 pm