Difference between pages "USBCrypt" and "Apple Safari"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (spelling)
 
 
Line 1: Line 1:
{{Infobox_Software |
+
{{Expand}}
  name = USBCrypt |
+
Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].
  maintainer = WinAbility Software |
+
  os = {{Windows}} |
+
  genre = {{Encryption}} |
+
  license = WinAbility Software License |
+
  website = [http://www.winability.com/usbcrypt/ winability.com/usbcrypt] |
+
}}
+
  
'''USBCrypt''' is a commercial (closed source) software intended primarily to encrypt external USB drives. (However, the encryption is not limited to the external drives or to the USB connection: any drive that is recognized by Windows as a valid drive with read-write access can be encrypted with USBCrypt.) USBCrypt software is [[Windows|Windows 7, Vista, XP, 2000]]-only. It supports [[AES]], and [[Twofish]] encryption with the 128- and 256-bit keys, in the [[XTS]] and [[CBC]] encryption modes.
+
== Locations ==
 +
The Safari browser uses different locations to store different kind of information.
  
== Recognizing drives encrypted with USBCrypt ==
+
The user directory:
  
USBCrypt encrypts drives by creating the file-based Virtual Encrypted Disks on them. In addition to one or more files that contain the encrypted data, USBCrypt also puts a portable software on the drive, to enable its use on other computers. While the encrypted data files contain no identifying information (and thus support [[plausible deniability]]), the presence of other supporting files makes it easy to identify the drives encrypted with USBCrypt: the root folder of the encrypted drive contains the file USBCrypt.exe as well as a folder named USBCrypt-system. The latter contains the encrypted data files as well as USBCrypt software files (DLL and SYS). The file USBCrypt.ini is a text-only file that contains settings as well as license information (including the name of the person or business who has purchased the software).
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Safari/
 +
</pre>
  
== Spare-key file ==
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
 +
</pre>
  
When the user is encrypting a drive with USBCrypt software, s/he has the option to create a "spare key" file on the user's computer. This file contains a copy of the encryption key that can be used by the user if s/he forgets the main encryption password. Or, it can be used by a system administrator to get access to the encrypted data in case the employees leave the company and take the passwords with them. Each spare key file contains a copy of just one encryption key for the specific encrypted drive it was created for. It cannot be used to decrypt any other drive, even if the user has used the same password and encryption algorithm. USBCrypt can automatically detect whether it can decrypt a specific drive with a spare key.
+
On Windows 7
 +
<pre>
 +
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
 +
</pre>
  
== Forensic Acquisition ==
+
The cache directory:
  
If you encounter a system that has a live USBCrypt drive, it is imperative that you capture the contents of the encrypted drive before disconnecting the drive or shutting down the system. Once the system is shutdown, the contents becomes inaccessible unless you have the proper encryption key generated by a user's password. If the encrypted drive in not live, it is imperative to secure access to the user's computer that was used to encrypt the drive: there is a possibility that the computer still has the "spare key" file stored on its hard drive, assuming the user has the selected the option to create such a file when encrypting the drive. 
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Caches/com.apple.Safari/
 +
</pre>
  
== Attacks ==
+
On Windows XP
If the "spare key" file for the encrypted drive has not been obtained, then the only option for acquiring the content of a dismounted USBCrypt drive is to do a brute-force password guessing attack. USBCrypt software itself contains a built-in command to perform the brute-force attack on the drives it encrypts.
+
<pre>
 +
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
 +
</pre>
 +
 
 +
On Windows 7
 +
<pre>
 +
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
 +
</pre>
 +
 
 +
== History ==
 +
The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.
 +
 
 +
This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.
 +
 
 +
For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.
 +
 
 +
The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.
 +
 
 +
On a Windows PC History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.
 +
 
 +
The downloads history can also be found in the user directory in a binary plist file named '''Downloads.plist'''.
 +
 
 +
== Cache ==
 +
The Safari cache is stored in '''Cache.db''' in the cache directory.
 +
 
 +
This file uses the [[SQLite database format]].
  
 
== External Links ==
 
== External Links ==
  
* [http://www.winability.com/usbcrypt/ Official website]
+
* [http://www.apple.com/macosx/features/safari/ Official website]
* [http://www.usbcrypt.com/ USBCrypt web site]
+
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh
 +
 
 +
== Tools ==
 +
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)
  
[[Category:Encryption]]
+
[[Category:Applications]]
[[Category:Disk encryption]]
+
[[Category:Web Browsers]]

Revision as of 05:03, 22 September 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Safari is the default web browser included with Mac OS X.

Contents

Locations

The Safari browser uses different locations to store different kind of information.

The user directory:

On MacOS-X

/Users/$USER/Library/Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\

The cache directory:

On MacOS-X

/Users/$USER/Library/Caches/com.apple.Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Local\Apple Computer\Safari\

History

The browser history is stored in a binary plist file named History.plist in the user directory.

This file can be viewed directly in Mac OS X by opening file in the Property List Editor program.

For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.

The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.

On a Windows PC History.plist file can be opened in Oxygen Forensic Plist Viewer software.

The downloads history can also be found in the user directory in a binary plist file named Downloads.plist.

Cache

The Safari cache is stored in Cache.db in the cache directory.

This file uses the SQLite database format.

External Links

Tools