Difference between pages "SIM Forensics" and "Apple Safari"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Created page with "''Under Construction'' The SIM Card is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in ...")
 
 
Line 1: Line 1:
''Under Construction''
+
{{Expand}}
 +
Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].
  
The [[SIM Card]] is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without the proper knowledge of the SIM card's filesystem, the user will be missing out on all the valuable information the [[SIM Card]] holds.
+
== Locations ==
 +
The Safari browser uses different locations to store different kind of information.
  
 +
The user directory:
  
== Getting Started ==
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Safari/
 +
</pre>
  
[[File:What_you_need.jpg|250px|thumb|Items you'll need]]
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
 +
</pre>
  
This is a list of items to get you started on reading SIM Cards and their information:
+
On Windows 7
 +
<pre>
 +
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
 +
</pre>
  
# [[Windows]] operating system
+
The cache directory:
# [[SIMCon]][http://www.simcon.no/]
+
#* Program used to read SIM Cards
+
# [[SIM Cards]]
+
# SIM Card Reader
+
  
<br />
+
On MacOS-X
<br />
+
<pre>
<br />
+
/Users/$USER/Library/Caches/com.apple.Safari/
<br />
+
</pre>
  
== Quick Guide for SIMCon ==
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
 +
</pre>
  
# Make sure the SIM Card Reader with SIM Card is connected
+
On Windows 7
# Open [[SIMCon]]
+
<pre>
# Click File > Read SIM or Click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
+
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
# Click OK when the next dialog box pops up
+
</pre>
#* '''Note''', some SIM cards are locked. This is where the PIN needs to be entered if known.
+
#* If the PIN is unknown, the SIM cannot be read.
+
# Click OK again when the next dialog box pops up
+
  
== Definitions ==
+
== History ==
 +
The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.
  
=== MF ===
+
This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.
* Only '''one''' MF
+
* The Master File (MF)
+
* Root of the SIM Card file system
+
* Equivalent to the root directory or "/" in the Linux filesystem
+
  
=== DF ===
+
For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.
* Dedicated Files (DF)
+
* Equivalent to a folder in a Windows/Linux filesystem
+
* Usually three DF's
+
** DF_GSM / DF_DCS1800 / DF_TELECOM
+
  
==== DF_DCS1800 / DF_GSM ====
+
The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.
* Contains network related information
+
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
+
* The SIM is expected to mirror GSM and DCS1800
+
  
==== DF_TELECOM ====
+
On a Windows PC History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.
* Contains the service related information
+
  
=== EF ===
+
The downloads history can also be found in the user directory in a binary plist file named '''Downloads.plist'''.
* Elementary Files (EF)
+
* Holds one to many records
+
* Represent the leaf node of the filesystem
+
* EF's sit below the DF's in the filesystem hierarchy
+
  
=== PLMN ===
+
== Cache ==
* Public Land Mobile Network
+
The Safari cache is stored in '''Cache.db''' in the cache directory.
** A PLMN is a network that is established and operated by an administration or by a recognized operating agency (ROA) for the specific purpose of providing land mobile telecommunications services to the public. [http://en.wikipedia.org/wiki/Public_land_mobile_network]
+
  
=== LAI ===
+
This file uses the [[SQLite database format]].
* Location Area Identity
+
** Each location area of a public land mobile network (PLMN) has its own unique identifier which is known as Location Area Identity (LAI). [http://en.wikipedia.org/wiki/Location_Area_Identity]
+
  
== Filesystem ==
+
== External Links ==
  
=== EF_ICCID ===
+
* [http://www.apple.com/macosx/features/safari/ Official website]
 +
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh
  
This displays the ID or Card Identity of the SIM Card, this can also be found on the SIM card itself.
+
== Tools ==
 +
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)
  
[[File:Ef_iccid.png|350px|thumb|left|EF_ICCID]]
+
[[Category:Applications]]
 
+
[[Category:Web Browsers]]
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
----
+
 
+
=== DF_GSM ===
+
 
+
==== EF_IMSI ====
+
 
+
* International Mobile Subscriber Identity (IMSI)[http://en.wikipedia.org/wiki/IMSI]
+
* 310  -  260  -  653235860
+
* MCC  -  MNC  -  MSIN
+
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 Digits)
+
*** Mobile Country Code
+
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 Digits EU / 3 Digits NA)
+
*** Mobile Network Code
+
** MSIN[http://en.wikipedia.org/wiki/MSIN] (Remaining Digits)
+
*** Mobile Subscription Identification Number
+
*** Within the network's customer base
+
 
+
[[File:Ef_imsi.png|350px|thumb|left|EF_IMSI]]
+
 
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
----
+
 
+
==== EF_PLMNSEL ====
+
 
+
* List of all PLMN's (see [[Sim_Filesystem#PLMN]])
+
 
+
[[File:Plmnsel.png|350px|thumb|left|EF_PLMNSEL]]
+
 
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
----
+
 
+
==== EF_LOCI ====
+
* Location Information
+
** Contains Location Area Identity (see [[Sim_Filesystem#LAI]])
+
*** LAI Network Code (see [[Sim_Filesystem#PLMN]] / [[Sim_Filesystem#LAI]])
+
 
+
[[File:Ef_loci.png|350px|thumb|left|EF_LOCI]]
+
 
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
----
+
 
+
=== DF_TELECOM ===
+
 
+
==== EF_ADN ====
+
 
+
 
+
[[File:EF_adn.png|350px|thumb|left|EF_ADN]]
+
 
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
<br />
+
----
+

Revision as of 05:03, 22 September 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Safari is the default web browser included with Mac OS X.

Contents

Locations

The Safari browser uses different locations to store different kind of information.

The user directory:

On MacOS-X

/Users/$USER/Library/Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\

The cache directory:

On MacOS-X

/Users/$USER/Library/Caches/com.apple.Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Local\Apple Computer\Safari\

History

The browser history is stored in a binary plist file named History.plist in the user directory.

This file can be viewed directly in Mac OS X by opening file in the Property List Editor program.

For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.

The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.

On a Windows PC History.plist file can be opened in Oxygen Forensic Plist Viewer software.

The downloads history can also be found in the user directory in a binary plist file named Downloads.plist.

Cache

The Safari cache is stored in Cache.db in the cache directory.

This file uses the SQLite database format.

External Links

Tools