Difference between pages "Windows Memory Analysis" and "Apple Safari"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Sample Memory Images: Sample images containing communication artifacts added.)
 
 
Line 1: Line 1:
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
+
{{Expand}}
 +
Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].
  
== Sample Memory Images ==
+
== Locations ==
 +
The Safari browser uses different locations to store different kind of information.
  
Getting started with memory analysis can be difficult without some known images to practice with.
+
The user directory:
  
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Safari/
 +
</pre>
  
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
 +
</pre>
  
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
+
On Windows 7
 +
<pre>
 +
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
 +
</pre>
  
* A number of RAM images can be downloaded from http://forensic.belkasoft.com/bfs/en/download.asp. Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs etc.
+
The cache directory:
  
== See Also ==
+
On MacOS-X
* [[Memory analysis]]
+
<pre>
* [[Tools:Memory Imaging]]
+
/Users/$USER/Library/Caches/com.apple.Safari/
* [[Pagefile.sys]]
+
</pre>
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
+
  
== History ==
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
 +
</pre>
  
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
+
On Windows 7
 +
<pre>
 +
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
 +
</pre>
  
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].
+
== History ==
 +
The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.
  
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
+
This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.
  
==Bibliography==
+
For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.
; 2012
+
* [http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html Defeating Windows memory forensics], by Luka Milkovic, 29C3: 29th Chaos Communication Congress
+
; 2011
+
* [http://prezi.com/goocmfeuiqdf/tracking-stuxnets-footprint-through-memory/ Tracking Stuxnet's Footprint Through Memory], Michael Ligh, Open Memory Forensics Workshop
+
; 2010
+
* [http://dfrws.org/2010/proceedings/2010-307.pdf Extracting Windows Command Line Details from Physical Memory], Richard Stevens and Eoghan Casey, DFRWS
+
; 2009
+
* [http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf Robust Signatures for Kernel Data Structures] B. Dolan-Gavitt, et al., ACM Conference on Computer and Communications Security
+
* [http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf Win32dd : Challenges of Windows physical memory acquisition and exploitation], Matthieu Suiche, Netherlands Forensics Institute, Shakacon - June 2009
+
; 2008
+
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
+
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
+
* [http://www.dfrws.org/2008/proceedings/p58-schuster.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics], Andreas Schuster, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf [slides]]
+
* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Finding Digital Evidence In Physical Memory], Mariusz Burdach, Black Hat Federal, 2008
+
* [http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf Forensic Memory Analysis: Files mapped in memory], Ruud van Baar, DFRWS 2008, [http://www.dfrws.org/2008/proceedings/p52-vanBaar_pres.pdf [slides]]
+
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
  
; 2007
+
The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.
* [http://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case)], Joanna Rutkowska COSEINC Advanced Malware Labs
+
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
+
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], Antonio Martin, 2007
+
  
; 2006
+
On a Windows PC History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
+
 
* Using every part of the buffalo in Windows memory an, Jesse D. Kornblum, DFRWS 2006
+
The downloads history can also be found in the user directory in a binary plist file named '''Downloads.plist'''.
 +
 
 +
== Cache ==
 +
The Safari cache is stored in '''Cache.db''' in the cache directory.
 +
 
 +
This file uses the [[SQLite database format]].
  
 
== External Links ==
 
== External Links ==
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
 
: http://cyberspeak.libsyn.com/index.php?post_id=98104
 
; Memory Analysis Bibliography
 
: http://www.4tphi.net/fatkit/#links
 
  
[[Category:Bibliographies]]
+
* [http://www.apple.com/macosx/features/safari/ Official website]
[[Category:Memory Analysis]]
+
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh
 +
 
 +
== Tools ==
 +
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)
 +
 
 +
[[Category:Applications]]
 +
[[Category:Web Browsers]]

Revision as of 06:03, 22 September 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Safari is the default web browser included with Mac OS X.

Locations

The Safari browser uses different locations to store different kind of information.

The user directory:

On MacOS-X

/Users/$USER/Library/Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\

The cache directory:

On MacOS-X

/Users/$USER/Library/Caches/com.apple.Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Local\Apple Computer\Safari\

History

The browser history is stored in a binary plist file named History.plist in the user directory.

This file can be viewed directly in Mac OS X by opening file in the Property List Editor program.

For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.

The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.

On a Windows PC History.plist file can be opened in Oxygen Forensic Plist Viewer software.

The downloads history can also be found in the user directory in a binary plist file named Downloads.plist.

Cache

The Safari cache is stored in Cache.db in the cache directory.

This file uses the SQLite database format.

External Links

Tools