Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Tutorials

Safari Forensic Tutorial

Paul Anderson by Paul Anderson
April 20, 2013
in Tutorials
1
apple safari4 beta 0
74
SHARES
1.2k
VIEWS
Share on FacebookShare on Twitter

Introduction

You might also like

Application hardening tips

Low Level IPhone programming

CDP Flood Attack

In Mac OS X, iOS and in many apple products store serialized objects in property list files (.plist). These file are used to store information of applications, bundles, User settings. These files are of two types namely binary property lists and XML property lists. XML plist files can be directly viewed from any program which process XML files while binary plist files should be converted to plain text for investigation.

Location of Safari Property List Files
We will be investigating the files under the following locations.

Windows XP:
C:\Documents and Settings\%username\Application Data\Apple Computer\Safari
Windows Vista and 7:
%appdata%\Apple Computer\Safari
Mac OS X:
/Users/$username/Library/Safari

I will be discussing the main objectives in the Safari Browser:

  • History.plist
  • Downloads.plist
  • Bookmarks.plist
  • Cookies.binarycookies
  • cache.db

I will be using SFT tool(http://jafat.sourceforge.net/files.html) in all examples

History.plist
This file stores the visited URLs along with last visited date and time, number of visits, page title. Here is an example of my Computer.
Code:

URL Last Visit Date/Time Number of visits Page Title
http://www.nytimes.com/ 2013-04-06 13:06:26 -0700 1 The New York Times - Breaking News, World News & Multimedia
http://pastebin.com/raw.php?i=qiktzpfU 2013-04-06 13:06:16 -0700 1 http://www.hackthis.co.uk/?login 2013-04-06 13:04:23 -0700 1 HackThis!! - The Hackers Playground
http://hackthis.co.uk/ 2013-04-06 13:04:13 -0700 1 HackThis!! - The Hackers Playground
http://www.youtube.com/ 2013-04-06 13:03:54 -0700 1 YouTube
http://www.wikipedia.org/ 2013-04-06 13:03:45 -0700 1 Wikipedia
http://www.apple.com/startpage/ 2013-04-06 12:52:53 -0700 1 Apple - Start

PnZbW0b

Downloads.plist
This file contains the entries of downloaded files and does not contain any cache files including images or any media. We can view this file using the SFT tool safari_downloads in this manner. This is a example from my Computer.

Code:

DownloadEntryProgressBytesSoFar: 5900
DownloadEntryPath: C:\Users\Un0wn\Downloads\24897.rb
DownloadEntryIdentifier: 59990399-A44C-CE40-B79D-07B2F99DAF66
DownloadEntryURL: http://www.exploit-db.com/download/24897/ DownloadEntryPro
gressTotalToLoad: 5900 Status: Completed

Vpfh0Ik

Bookmarks.plist
This file contains all the saved bookmarked URLs. This file can be processed by the SFT tool sft_bm.
Code:

Folder Title: BookmarksBar
URL_Title: Apple URL: http://
www.apple.com/
URL_Title: Yahoo! URL: http://www.yahoo.com/
URL_Title: Google Maps URL: http://maps.google.com/
URL_Title: YouTube URL: http://www.youtube.com/
URL_Title: Wikipedia URL: http://www.wikipedia.org/
: Folder Title: News
URL_Title: CNN URL: http://www.cnn.com/
URL_Title: The New York Times URL: http://www.nytimes.com/
URL_Title: Google News URL: feed://news.google.com/?output=rss
URL_Title: CNET News.com URL: http://www.news.com/
URL_Title: ESPN URL: http://espn.go.com/
URL_Title: Los Angeles Times URL: http://www.latimes.com/
URL_Title: BBC News URL: http://news.bbc.co.uk/
URL_Title: NPR URL: http://www.npr.org/
URL_Title: USA Today URL: http://www.usatoday.com/
: Folder Title: Popular
URL_Title: eBay URL: http://www.ebay.com/
URL_Title: Amazon URL: http://www.amazon.com/
URL_Title: Flickr URL: http://www.flickr.com/
URL_Title: Expedia Travel URL: http://www.expedia.com/
URL_Title: Orbitz URL: http://www.orbitz.com/
URL_Title: Facebook URL: https://www.facebook.com/
URL_Title: Monster Jobs URL: http://www.monster.com/
URL_Title: CareerBuilder URL: http://www.careerbuilder.com/
URL_Title: Disney URL: http://disney.go.com/
URL_Title: craigslist URL: http://www.craigslist.org/

mcJ57bl

Cookies.binarycookies
This file contains all the information related to cookies. This file can be parsed by safari_cookie_bin. This file is located inside the cookie folder in the same location. This includes the URL, the creation and expiration time, the cookie content.

Code:

URL Name Created Expires Path Contents
.www.yahoo.com fpc 2013-04-06T16:28:48.000000Z 2014-04-06T03:56:58.000000Z / d=XMMvkO9wskhnek5BFnXSQoS5xdSWt6RrvSXAb7X6p.cXsMbbkCVttT1bp7PzRMsBgcOnrXvfttHiyOu3bFFSn_wSXgb2NzFEDSNqWKUb9YrnHaH5opWITf54YIYq6CT4Hja.fRE7RcmW5Jy0aqBKhe2RiIuCU0.q0tSl_BoX3NMi9zsbyiEAsvy7lY1xhv7eEfVQwOc-&v=2
.www.yahoo.com fpms 2013-04-07T01:40:34.000000Z 2014-04-07T01:40:33.000000Z / p_30345810=%7B%22stream_filter%22%3A%22%3A%3A1365300633674%22%7D
rss.nytimes.com MF2 2013-04-06T16:30:11.000000Z 2015-04-06T03:58:23.000000Z / 1r1rot9a9a0ep
www.nytimes.com _chartbeat2 2013-04-06T20:06:41.000000Z 2013-05-06T20:06:41.000000Z / hf0zkn0xymr79ks7.1365265807248.1365278801138.00000000000001
www.nytimes.com krux_segs 2013-04-06T20:06:36.000000Z 2013-04-09T20:06:36.000000Z /
www.nytimes.com kxe_ICdF6_0U&Campaign_ID 2013-04-06T20:06:29.000000Z 2013-04-08T20:06:29.000000Z / nyt2013_163x90_digi_hp_3J3H8&Page=homepage.nytimes.com

sBLyceB

Cache.db
The cache files can be easily dumped by the SFT tool safari_wicache. This cache.db file is included the following location.
Code:

C:\Users\%username%\AppData\Local\Apple Computer\Safari
safari_wincache -f cache.db -s C:\cache

9wmsYtd

And further more you can use sqlite GUI to view these cache files by using this query.
Code:

SELECT * FROM cfurl_cache_receiver_data; Further more if you want to learn about the safari cache.db investigating see the reference.

All property list file can be also processed by a tool called plutil.pl by Pete M. Wilson which is a open source perl script that can convert binary plist files to a XML readable form.

References
http://forensicsfromthesausagefactory.blogspot.com/2010/06/safari-browser-cache-examination-of.html
http://jafat.sourceforge.net/Analyzing_Safari_With_SFT.pdf

This is the last tutorial and from this I conclude the Browser forensic Tutorial Series. Thank you for reading these and I am happy if you learned something new.
-Un0wn_X

Tags: forensichow tosafarisecuritytutorial
Share30Tweet19
Paul Anderson

Paul Anderson

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

Recommended For You

Application hardening tips

by Paul Anderson
May 31, 2014
0
Application hardening tips

When a exploit has been discovered in an operating system or program the vendor pushes a patch or upgrade that eliminates the vulnerability. “Hardening” is the act of...

Read more

Low Level IPhone programming

by Paul Anderson
May 28, 2014
0
Low Level IPhone programming

Video from JailbreakCon Twitter: @JailbreakCon - http://twitter.com/JailbreakCon "Low Level iPhone Programming (And more!)" by winocm Slides: http://cl.ly/3B0U0i3X3n2W

Read more

CDP Flood Attack

by Paul Anderson
October 9, 2013 - Updated on February 24, 2014
0
Hacking With Netcat Basics

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment,...

Read more

LFI exploitation via php://input

by Paul Anderson
September 9, 2013 - Updated on September 16, 2013
0
LFI exploitation via php://input

Released by Zentrix, video description: Credits to my brothers Hooded Robin for teaching me this and also to Haxor. Special thanks to my brothers in Intra and Intra...

Read more

Metasploit Tutorial By Un0wn_X

by Paul Anderson
April 19, 2013 - Updated on April 22, 2013
0
Hacking With Netcat Basics

I made a small tutorial on integrating DNS in Metasploit backdoor executables. If you don’t know about creating backdoors please refer my previous tutorial http://www.youtube.com/watch?v=NiBsBKGf80Y.  You should know how to...

Read more
Next Post
Microsoft Discovers Trojan that hides files to evade analysis

Microsoft Discovers Trojan that hides files to evade analysis

Related News

BreachForums Owner Arrested and Charged

BreachForums Owner Arrested and Charged

March 17, 2023
ChipMixer platform tied to crypto laundering scheme – seized by authorities

ChipMixer platform tied to crypto laundering scheme – seized by authorities

March 17, 2023
NSA intercepting U.S. Routers

NSA intercepting U.S. Routers

June 6, 2014 - Updated on March 17, 2023
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.