Difference between pages "Apple Safari" and "Live view"

From ForensicsWiki
(Difference between pages)
 
 
Line 1: Line 1:
{{Expand}}
+
Live View[http://liveview.sourceforge.net/] is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]]. The support files for this browser are stored in the user's home directory in <tt>/Users/[username]/Library/Safari/</tt>.
+
  
== Locations ==
+
Live View is capable of booting
The Safari browser uses different locations to store different kind of information.
+
  
The user directory:
+
    * Full disk raw images
 +
    * Bootable partition raw images
 +
    * Physical Disks (attached via a USB or Firewire bridge)
  
On MacOS-X
+
Containing the following operating systems
<pre>
+
/Users/$USER/Library/Safari/
+
</pre>
+
  
The cache directory:
+
    * Windows XP, 2000, 2003, NT, Me, 98
 +
    * Linux (limited support)
  
On MacOS-X
+
Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk.
<pre>
+
/Users/$USER/Library/Caches/com.apple.Safari/
+
</pre>
+
  
== History ==
+
Live View is developed by CERT, Software Engineering Institute
The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.
+
 
+
This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.
+
 
+
For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.
+
 
+
The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.
+
 
+
On a Windows PC History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.
+
 
+
The downloads history can also be found in the user directory in a binary plist file named '''Downloads.plist'''.
+
 
+
== Cache ==
+
The Safari cache is stored in '''Cache.db''' in the cache directory.
+
 
+
This file uses the [[SQLite database format]].
+
 
+
== External Links ==
+
 
+
* [http://www.apple.com/macosx/features/safari/ Official website]
+
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh
+
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)
+
 
+
[[Category:Applications]]
+
[[Category:Web Browsers]]
+
[[Category:Mac OS X]]
+
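Review bot: the opening Live View paragraph writes its external link as `Live View[http://liveview.sourceforge.net/]`, a bracketed URL with no link text, so it renders as a bare numbered reference; give it a label, for example `[http://liveview.sourceforge.net/ Live View]`. The Live View text also ends at "Live View is developed by CERT, Software Engineering Institute" with no `[[Category:...]]` line, while the Safari side carries three, so the page should get at least one category. The two list lead-ins ("Live View is capable of booting" and "Containing the following operating systems") would read better with a trailing colon.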

Revision as of 10:07, 27 March 2007

Live View (http://liveview.sourceforge.net/) is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.

Live View is capable of booting:

   * Full disk raw images
   * Bootable partition raw images
   * Physical Disks (attached via a USB or Firewire bridge)

containing the following operating systems:

   * Windows XP, 2000, 2003, NT, Me, 98
   * Linux (limited support)

Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk.
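
To make the "customized MBR for partition-only images" task concrete, the following added example (not Live View's own code and not part of the original page) builds a minimal MBR whose single partition entry describes a partition-only image, then reads it back. The start sector 63, the 255-head/63-sector geometry and partition type 0x07 are assumptions chosen for illustration, and the bootstrap code area is left empty.

```python
import struct

SECTOR = 512
HEADS, SPT = 255, 63  # assumed translation geometry, not taken from the page


def lba_to_chs(lba):
    """Encode an LBA as the 3-byte CHS field used in MBR partition entries."""
    cyl, rem = divmod(lba, HEADS * SPT)
    head, sec = divmod(rem, SPT)
    sec += 1  # CHS sectors are 1-based
    if cyl > 1023:  # outside CHS range: conventional "use LBA" tuple
        cyl, head, sec = 1023, 254, 63
    return bytes([head, ((cyl >> 2) & 0xC0) | sec, cyl & 0xFF])


def build_mbr(partition_bytes, part_type=0x07, start_lba=63):
    """Return a 512-byte MBR with one active entry covering the partition image."""
    if partition_bytes <= 0 or partition_bytes % SECTOR:
        raise ValueError("partition image must be a whole number of sectors")
    sectors = partition_bytes // SECTOR
    if start_lba + sectors > 0xFFFFFFFF:
        raise ValueError("partition does not fit in 32-bit MBR fields")
    entry = (bytes([0x80]) + lba_to_chs(start_lba) + bytes([part_type])
             + lba_to_chs(start_lba + sectors - 1)
             + struct.pack("<II", start_lba, sectors))
    mbr = bytearray(SECTOR)  # bytes 0-445 (bootstrap code) stay zero here
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_first_entry(mbr):
    """Read back the first partition entry, as an examiner would verify it."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    start, count = struct.unpack_from("<II", mbr, 454)
    return {"active": mbr[446] == 0x80, "type": mbr[450],
            "start_lba": start, "sectors": count}


if __name__ == "__main__":
    size = 100 * 1024 * 1024  # constructed example: a 100 MiB partition image
    info = parse_first_entry(build_mbr(size))
    print(info, "virtual disk sectors:", info["start_lba"] + info["sectors"])
```

The virtual disk that wraps the image must then be declared with `start_lba + sectors` total sectors, with the partition data beginning at the start sector, so that the entry and the disk size agree.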

Live View is developed by CERT, Software Engineering Institute.