Difference between pages "Bibliography" and "Apple Safari"

From ForensicsWiki
(Difference between pages)
(Disk Disposal and Data Recovery: Added SSD article)
 
 
Line 1: Line 1:
=Disk Disposal and Data Recovery=
+
{{Expand}}
* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
+
Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
+
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
+
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
+
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], FInancial Perspectives, IBM White Paper, November 2003.
+
  
<bibtex>
+
== Locations ==
@Article{garfinkel:remembrance,
+
The Safari browser uses different locations to store different kind of information.
  author =       "Simson Garfinkel and Abhi Shelat",
+
  author_a =       "Simson L. Garfinkel and Abhi Shelat",
+
  title =       "Remembrance of Data Passed",
+
  journal =     "{IEEE} Security and Privacy Magazine",
+
  publisher =    "IEEE",
+
  year      =        "2002",
+
  month    = Jan,
+
  url="http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
+
}
+
</bibtex>
+
  
=Evidence Gathering=
+
The user directory:
  
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Safari/
 +
</pre>
  
=Fake Information=
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
 +
</pre>
  
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.
+
On Windows 7
 +
<pre>
 +
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
 +
</pre>
  
=Feature Extraction and Data Fusion=
+
The cache directory:
Computer Location Determination Through Geoparsing and Geocoding of
+
Extracted Features
+
http://www2.chadsteel.com:8080/Publications/drive_location2.doc
+
<bibtex>
+
@inproceedings{garfinkel:cda,
+
  title="Forensic feature extraction and cross-drive analysis",
+
  author="Simson Garfinkel",
+
  booktitle={Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
+
  address = "Lafayette, Indiana",
+
  journal="Digital Investigation",
+
  year=2006,
+
  month=Aug,
+
  url="http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
+
  location="Lafayette, Indiana"
+
}
+
</bibtex>
+
  
=Text Mining=
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Caches/com.apple.Safari/
 +
</pre>
  
'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003  http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf
+
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
 +
</pre>
  
=Signed Evidence=
+
On Windows 7
<bibtex>
+
<pre>
@article{duerr-2004,
+
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
  title="Information Assurance Applied to Authentication of Digital Evidence",
+
</pre>
  author="Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
+
  year=2004,
+
  journal="Forensic Science Communications",
+
  volume=6,
+
  number=4,
+
  url="http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
+
}
+
</bibtex>
+
  
 +
== History ==
 +
The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.
  
<bibtex>
+
This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.
@article{OppligerR03,
+
  author    = {Rolf Oppliger and Ruedi Rytz},
+
  title    = {Digital Evidence: Dream and Reality},
+
  journal  = {IEEE Security {\&} Privacy},
+
  volume    = {1},
+
  number    = {5},
+
  year      = {2003},
+
  pages    = {44-48},
+
  url      = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
+
  abstract="Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
+
}
+
</bibtex>
+
  
=Theory=
+
For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.
'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation
+
Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf
+
  
=Other Papers=
+
The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.
  
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.
+
On a Windows PC History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.
  
[[Category:Bibliographies]]
+
The downloads history can also be found in the user directory in a binary plist file named '''Downloads.plist'''.
 +
 
 +
== Cache ==
 +
The Safari cache is stored in '''Cache.db''' in the cache directory.
 +
 
 +
This file uses the [[SQLite database format]].
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.apple.com/macosx/features/safari/ Official website]
 +
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh
 +
 
 +
== Tools ==
 +
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)
 +
 
 +
[[Category:Applications]]
 +
[[Category:Web Browsers]]
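
Review bot: The location paths in the added Safari text name the account three different ways: `$USER` in the MacOS-X paths, `%USERNAME%` in the Windows XP paths and `{user}` in the Windows 7 paths. Pick one placeholder convention per platform so an examiner can tell an environment variable that expands on the system from a value to fill in by hand. In the same text, "different kind of information" should read "different kinds of information", and the History section would be easier to act on if it named the plist keys that hold the URL, the last-visit time and the visit count.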

Revision as of 05:03, 22 September 2013


Apple Safari is the default web browser included with Mac OS X.

Locations

The Safari browser uses different locations to store different kinds of information.

The user directory:

On MacOS-X

/Users/$USER/Library/Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\

The cache directory:

On MacOS-X

/Users/$USER/Library/Caches/com.apple.Safari/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\

On Windows 7

C:\Users\{user}\AppData\Local\Apple Computer\Safari\

History

The browser history is stored in a binary plist file named History.plist in the user directory.

This file can be viewed directly in Mac OS X by opening the file in the Property List Editor program.

For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.

The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.

On a Windows PC, the History.plist file can be opened in the Oxygen Forensic Plist Viewer software.

The downloads history can also be found in the user directory in a binary plist file named Downloads.plist.
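
As an added example (not part of the original wiki page or of any tool it lists), the following parses a binary History.plist and converts the timestamps described above to UTC. The key names `WebHistoryDates`, `lastVisitedDate`, `visitCount` and the empty-string URL key are assumptions about the file layout that this page does not state, and the sample plist is constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Safari timestamps count seconds from this epoch (see the History text above).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_time_to_utc(value):
    """Convert seconds since 2001-01-01 00:00:00 UTC (float or numeric string)."""
    return MAC_EPOCH + timedelta(seconds=float(value))


def parse_history(raw):
    """Return (url, last_visit_utc, visit_count) tuples, newest first.

    Assumed layout (not given on the page): a top-level 'WebHistoryDates'
    array whose entries hold the URL under the empty-string key.
    """
    plist = plistlib.loads(raw)  # auto-detects binary or XML plists
    rows = []
    for entry in plist.get("WebHistoryDates", []):
        try:
            when = mac_time_to_utc(entry["lastVisitedDate"])
        except (KeyError, TypeError, ValueError, OverflowError):
            continue  # skip records with a missing or malformed timestamp
        rows.append((entry.get("", ""), when, int(entry.get("visitCount", 0))))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def build_sample():
    """Constructed sample data, serialized as a binary plist."""
    sample = {"WebHistoryDates": [
        {"": "http://example.org/a", "lastVisitedDate": 0.0, "visitCount": 1},
        {"": "http://example.com/", "lastVisitedDate": "401504583.5",
         "visitCount": 3},
        {"": "http://example.net/", "lastVisitedDate": "not-a-number",
         "visitCount": 2},
    ]}
    return plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for url, when, count in parse_history(build_sample()):
        print(when.isoformat(), count, url)
```

Run it against a working copy of the evidence file, never the original, by passing the file's bytes to `parse_history`.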

Cache

The Safari cache is stored in Cache.db in the cache directory.

This file uses the SQLite database format.

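External Links

Official website: http://www.apple.com/macosx/features/safari/

Safari Cache Revisited by Sean Cavanaugh: http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf

Tools

J.A.F.A.T. Archive of Forensics Analysis Tools, home of Safari Forensic Tools (SFT): http://jafat.sourceforge.net/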