Difference between pages "Mount shadow volumes on disk images" and "Apple Safari"

From ForensicsWiki

= Mount shadow volumes on disk images =

Windows Shadow Volumes, when created, are automatically mounted at the file system root by Windows. Unfortunately this is invisible to the user and cannot be directly accessed. Mklink, a command line utility that ships with Windows, is able to create a symbolic link that allows access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different. They too can be accessed by creating a symbolic link to the location of the volume. There is a caveat here though: the Shadow Volume is mounted at the local file system's root rather than the drive image's file system root.

This example will show how to mount a virtual disk image in the VHD format using Windows 7's built-in tools. It will then detail the steps of mounting a Shadow Volume that exists on the disk image. Note: Windows 7 Professional or Ultimate edition is required, as the necessary tools are not bundled with other versions.

==Mounting the Disk Image==

The first step is to mount the VHD. If you have a RAW image or another similar format, it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).

* To mount the VHD bring up the Start menu in Windows.
* Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management". [[File:manage.png|thumb|Open the Computer Management window.]]
* Now double click on "Storage" in the center pane. [[File:storage.png|thumb|Click "storage" in the center pane.]]
* Next double click "Manage Storage" in the center pane. [[File:disk_management.png|thumb|Double click "manage storage" in the center pane.]]
* Now click the "More Actions" menu in the right-most pane and select "Attach VHD". [[File:attach_vhd.png|thumb|Select Attach VHD in the right pane.]]
* Browse to the location of the drive image that you would like to mount and hit "OK".

Now that the image is mounted we can begin to examine the Shadow Volumes on it.

===Command Prompt Method===

These steps can also be accomplished using an administrator-enabled Command Prompt. To perform these steps from the command prompt the diskpart command must be used.

* To start, type "diskpart" at the command prompt.

<code>C:\> diskpart</code>

When diskpart starts the prompt will change to say DISKPART>.

* Next select the drive image by typing "select vdisk file=<path to image>" where <path to image> is the path to the VHD file.

<code>DISKPART> select vdisk file=C:\myimage.vhd</code>

* Last, type "attach vdisk" or, if you'd like to mount it read only, "attach vdisk readonly".

<code>DISKPART> attach vdisk readonly</code>

==Mounting the Shadow Volume==

To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows 7 Ultimate and Professional editions.

* Start by opening an Administrator-enabled command shell. This can be done by right clicking on the Command Prompt application in Start > Accessories > Command Prompt and selecting "Run As Administrator".

* Once the command prompt is open you can view the available Shadow Volumes by typing "vssadmin list shadows".

<code>C:\> vssadmin list shadows</code>

* At this point you may see a long list of Shadow Volumes that were created both by the machine the disk image is from and by the local machine. To list just the Shadow Volumes associated with the drive image you can add an optional /FOR=<DriveLetter:\> where DriveLetter is the drive letter that the drive image is mounted on.

<code>C:\> vssadmin list shadows /for=E:\</code> [[File:vssadmin_list.png|thumb|vssadmin list]]

* Now that we have a list of the Shadow Volumes we can mount them using the mklink tool. To do this, on the command line type:

<code>mklink /D C:\</code><some directory><code> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

Where <some directory> is the path that you'd like to mount the Shadow Volume at, and the # in HarddiskVolumeShadowCopy is the number of the Shadow Volume to mount. Please note that the trailing backslash is absolutely necessary. Without it you will receive a permissions error when trying to access the directory.

<code>mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\</code>

* If all was successful you should receive a message that looks like this:

<code>symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\</code>

You can now browse the files contained in the Shadow Volume just like any other files in your file system! [[File:success.png|thumb|Success!]]

== Also See ==
* [[Windows Shadow Volumes]]

[[Category:Howtos]]
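As an added example (not part of the original page), the following Python script parses the text printed by <code>vssadmin list shadows /for=E:\</code> and builds one <code>mklink /D</code> command per shadow copy, always appending the trailing backslash the procedure above insists on. The vssadmin output embedded in it is constructed, not a real capture; the mount root <code>C:\shadow_volumes</code>, the <code>shadow_volume_#</code> link names and the <code>--run</code> flag are this script's own choices. Run it from an Administrator prompt on Windows to create the links; on any other platform it only prints the commands it would run.

```python
"""List the shadow copies vssadmin reports and build mklink commands for them.

Added example, not part of the original page. Parses the text printed by
"vssadmin list shadows" and emits one "mklink /D" command per shadow copy,
appending the trailing backslash that the page warns is required. On
Windows, "--run" (from an Administrator prompt) executes the commands;
anywhere else the commands are only printed.
"""
import os
import re
import subprocess
import sys

# Constructed sample of "vssadmin list shadows /for=E:\" output (not a real capture).
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 9/20/2013 8:15:02 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (E:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: suspect-pc
         Service Machine: examiner-pc
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {12121212-3434-5656-7878-909090909090}
   Contained 1 shadow copies at creation time: 9/21/2013 9:00:41 PM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (E:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
         Originating Machine: suspect-pc
         Service Machine: examiner-pc
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""


def parse_shadows(vssadmin_text):
    """Return one dict per shadow copy: device path, copy number, creation time, origin."""
    shadows = []
    created = None
    for raw in vssadmin_text.splitlines():
        line = raw.strip()
        if line.startswith("Contained ") and "creation time: " in line:
            created = line.split("creation time: ", 1)[1]
        elif line.startswith("Shadow Copy Volume: "):
            device = line.split(": ", 1)[1]
            match = re.search(r"HarddiskVolumeShadowCopy(\d+)$", device)
            if match is None:
                continue  # not a HarddiskVolumeShadowCopy device path; skip it
            shadows.append({"device": device, "number": int(match.group(1)),
                            "created": created, "machine": None})
        elif line.startswith("Originating Machine: ") and shadows:
            # Lets you tell the imaged machine's copies apart from local ones.
            shadows[-1]["machine"] = line.split(": ", 1)[1]
    return shadows


def mklink_command(shadow, mount_root=r"C:\shadow_volumes"):
    """Build the mklink /D argument list for one shadow copy.

    The link name is derived from the copy number; the target is the device
    path plus the trailing backslash, without which access to the link fails
    with a permissions error (see the page text).
    """
    link = rf"{mount_root}\shadow_volume_{shadow['number']}"
    target = shadow["device"] + "\\"
    return ["mklink", "/D", link, target]


def mklink_command_line(shadow, mount_root=r"C:\shadow_volumes"):
    """The same command as one line to paste into an Administrator cmd.exe."""
    return " ".join(mklink_command(shadow, mount_root))


def list_shadows_for(drive_root):
    """Run vssadmin for one mounted drive (Windows only, Administrator required)."""
    result = subprocess.run(["vssadmin", "list", "shadows", f"/for={drive_root}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def main(argv):
    args = [a for a in argv[1:] if a != "--run"]
    drive = args[0] if args else "E:\\"
    on_windows = sys.platform == "win32"
    text = list_shadows_for(drive) if on_windows else SAMPLE_VSSADMIN_OUTPUT
    for shadow in parse_shadows(text):
        print(f"copy {shadow['number']} created {shadow['created']} on {shadow['machine']}")
        print("  " + mklink_command_line(shadow))
        if "--run" in argv and on_windows:
            os.makedirs(r"C:\shadow_volumes", exist_ok=True)
            # mklink is a cmd.exe built-in, so it has to be invoked through cmd /c.
            subprocess.run(["cmd", "/c"] + mklink_command(shadow), check=True)


if __name__ == "__main__":
    main(sys.argv)
```

The link directory itself must not exist before mklink runs, which is why each copy gets its own <code>shadow_volume_#</code> name under a parent directory that is created once. Keeping the "Originating Machine" value alongside each copy is what lets you separate the imaged machine's shadow copies from the examiner workstation's own, in addition to the <code>/for=</code> filter.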

= Apple Safari =

Revision as of 05:03, 22 September 2013

Please help to improve this article by expanding it. Further information might be found on the discussion page.

Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].

== Locations ==

The Safari browser uses different locations to store different kinds of information.

The user directory:

On MacOS-X
<pre>
/Users/$USER/Library/Safari/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
</pre>

On Windows 7
<pre>
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
</pre>

The cache directory:

On MacOS-X
<pre>
/Users/$USER/Library/Caches/com.apple.Safari/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
</pre>

On Windows 7
<pre>
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
</pre>

== History ==

The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.

This file can be viewed directly in [[Mac OS X]] by opening the file in the [[Property List Editor]] program.

For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.

The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.

On a Windows PC the History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.

The downloads history can also be found in the user directory in a binary plist file named '''Downloads.plist'''.

== Cache ==

The Safari cache is stored in '''Cache.db''' in the cache directory.

This file uses the [[SQLite database format]].

== External Links ==

* [http://www.apple.com/macosx/features/safari/ Official website]
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh

== Tools ==

* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)

[[Category:Applications]]
[[Category:Web Browsers]]
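As an added example for the History section above (not part of the original page), the following Python script parses a History.plist with the standard library's plistlib and converts each last-visit timestamp from seconds since Jan 1, 2001 00:00:00 UTC into a readable date, sorting the visits newest first. The plist it builds in memory is constructed sample data, not a real capture, and its layout (a top-level <code>WebHistoryDates</code> array whose entries keep the URL under the empty-string key next to <code>lastVisitedDate</code>, <code>title</code> and <code>visitCount</code>) is an assumption about Safari's file format that the page itself does not describe.

```python
"""Decode Safari's History.plist into a visit timeline.

Added example, not part of the original page. Builds a small History.plist
in memory (constructed data, not a real capture), parses it back with
plistlib, and converts each lastVisitedDate from seconds since
2001-01-01 00:00:00 UTC into an aware datetime. The layout used here, a
top-level "WebHistoryDates" array whose entries keep the URL under the
empty-string key next to "lastVisitedDate", "title" and "visitCount", is
an assumption about Safari's format, not something the page states.
"""
import plistlib
import sys
from datetime import datetime, timedelta, timezone

# Epoch used for lastVisitedDate: the Core Data / NSDate reference date.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_datetime(seconds):
    """Convert a (possibly string-encoded) float of seconds since 2001-01-01 UTC."""
    return APPLE_EPOCH + timedelta(seconds=float(seconds))


def parse_history(plist_bytes):
    """Return history entries as dicts, newest visit first."""
    plist = plistlib.loads(plist_bytes)  # handles binary and XML plists
    entries = []
    for item in plist.get("WebHistoryDates", []):
        url = item.get("")  # URL under the empty-string key (assumed layout)
        stamp = item.get("lastVisitedDate")
        if url is None or stamp is None:
            continue  # skip a malformed entry rather than abort the whole file
        entries.append({
            "url": url,
            "last_visit": apple_time_to_datetime(stamp),
            "visit_count": int(item.get("visitCount", 0)),
            "title": item.get("title", ""),
        })
    entries.sort(key=lambda e: e["last_visit"], reverse=True)
    return entries


def load_history(path):
    """Parse a History.plist from disk."""
    with open(path, "rb") as fh:
        return parse_history(fh.read())


# Constructed sample in the assumed layout; lastVisitedDate is kept as a
# string-encoded float, so the parser has to accept both strings and numbers.
SAMPLE_HISTORY = {
    "WebHistoryFileVersion": 1,
    "WebHistoryDates": [
        {"": "http://www.example.com/", "lastVisitedDate": "401234567.5",
         "title": "Example Domain", "visitCount": 3},
        {"": "http://forensicswiki.org/wiki/Apple_Safari",
         "lastVisitedDate": "401300000", "visitCount": 1},
    ],
}
SAMPLE_HISTORY_PLIST = plistlib.dumps(SAMPLE_HISTORY, fmt=plistlib.FMT_BINARY)


def main(argv):
    entries = load_history(argv[1]) if len(argv) > 1 else parse_history(SAMPLE_HISTORY_PLIST)
    for e in entries:
        print(f"{e['last_visit'].isoformat()}  {e['visit_count']:>4}  {e['url']}  {e['title']}")


if __name__ == "__main__":
    main(sys.argv)
```

Invoke it with the path to a History.plist as the only argument, or with no argument to see the constructed sample decoded. Because the epoch is 2001 rather than 1970, feeding these values to a Unix-epoch converter silently dates every visit 31 years too early, which is the error this conversion function exists to avoid.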