Difference between pages "Fiwalk" and "Apple Safari"

From ForensicsWiki
{{Infobox_Software |
  name = fiwalk |
  maintainer = [[Simson Garfinkel]] |
  os = {{Linux}}, {{MacOS}}, {{FreeBSD}} |
  genre = [[Carving]] |
  license = {{Public Domain}} |
  website = https://github.com/kfairbanks/sleuthkit
}}

fiwalk is a batch forensic analysis program written in C that uses SleuthKit. The program can output in XML or ARFF format.

==Temporary Distribution Point==
fiwalk has been integrated with SleuthKit and can be downloaded from GitHub at https://github.com/kfairbanks/sleuthkit. A future release of SleuthKit will contain fiwalk.

==Legacy Distribution==
'''fiwalk''' is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, in the Attribute Relationship File Format (ARFF) used by the Weka Datamining Toolkit, or in an easy-to-read textual format.

The fiwalk source code comes with fiwalk.py, a Python module that makes it easy to create digital forensics programs. Also included are several demonstration programs that use fiwalk.py:
;iblkfind.py
:Given a disk block in a disk image, this program tells you which file(s) map to that sector.
;icarvingtruth.py
:Given two or more images of the same disk at different points in time, this program identifies files that are present in the earlier images but that can only be recovered from the later images using file carving techniques.
;idifference.py
:Given two or more images of the same disk at different points in time, this program tells you what changes took place between each one.
;iextract.py
:Allows the extraction of files that match a particular pattern.
;igrep.py
:Searches every file in a disk image for a particular string. When the string is found, it prints the file and the offset within the file at which the string was found.
;ihistogram.py
:Prints a histogram of the file types found in the disk image.
;imap.py
:Displays a “map” of where files are present in the disk image.
;imicrosoft_redact.py
:Modifies a disk image of a bootable Microsoft operating system so that the image can no longer be booted and so that any Microsoft-copyrighted file in the \Windows directory cannot be executed. This allows the disk image of a Microsoft operating system to be distributed without implicitly violating Microsoft’s copyright.
;iredact.py
:An experimental disk redaction program which allows the removal of specific files matching specific criteria.
;iverify.py
:Given a disk image and a previously created XML file, verifies that each file in the DFXML file is still present in the disk image.
;sanitize_xml.py
:Given a DFXML file, sanitizes the file names so that no personally identifiable information is leaked if the DFXML file is distributed.

==XML Example==
<pre>
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata
  xmlns='http://example.org/myapp/'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
</pre>

==Availability==
fiwalk can be downloaded from http://afflib.org/fiwalk

==See Also==
* [[fileobject]]
* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]

[[Category:Digital Forensics XML]]
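The demonstration programs listed above (iblkfind.py, iextract.py, iverify.py) all work from the byte runs and hash digests that fiwalk records in DFXML. As an added example that is not part of fiwalk or fiwalk.py, the following standard-library Python re-implements their core logic over a trimmed copy of the DFXML sample on this page; the disk image bytes are constructed, so the hash check is expected to fail, which is exactly what iverify reports for a file whose content no longer matches the XML.

```python
import hashlib
import xml.etree.ElementTree as ET

# Trimmed copy of the DFXML sample on this page (one FAT12 volume, one
# file); the creator and runstats blocks are omitted for brevity.
DFXML_SAMPLE = """<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <block_size>512</block_size>
    <ftype_str>fat12</ftype_str>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>43</filesize>
      <alloc>1</alloc>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
    </fileobject>
  </volume>
</fiwalk>"""

def parse_dfxml(text):
    """Return one dict per <fileobject>: name, size, md5 and (img_offset, len) runs."""
    files = []
    for fo in ET.fromstring(text).iter("fileobject"):
        runs = [(int(r.get("img_offset")), int(r.get("len")))
                for r in fo.iter("run")]
        md5 = fo.find("hashdigest[@type='md5']")
        files.append({"filename": fo.findtext("filename"),
                      "filesize": int(fo.findtext("filesize")),
                      "md5": md5.text if md5 is not None else None,
                      "runs": runs})
    return files

def files_for_sector(files, sector, block_size=512):
    """iblkfind-style lookup: names of files whose runs touch an image sector."""
    lo, hi = sector * block_size, (sector + 1) * block_size
    return [f["filename"] for f in files
            if any(off < hi and off + ln > lo for off, ln in f["runs"])]

def extract(image, fileobj):
    """iextract-style: reassemble a file by concatenating its byte runs."""
    return b"".join(image[off:off + ln] for off, ln in fileobj["runs"])

def verify(image, fileobj):
    """iverify-style: does the image still hold the bytes the DFXML hashed?"""
    return hashlib.md5(extract(image, fileobj)).hexdigest() == fileobj["md5"]
```

Sector numbers here are image-relative 512-byte blocks (img_offset 37888 is sector 74), matching the block_size the sample volume declares.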

Revision as of 06:03, 22 September 2013

Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].

== Locations ==
The Safari browser uses different locations to store different kinds of information.

The user directory:

On MacOS-X
<pre>
/Users/$USER/Library/Safari/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
</pre>

On Windows 7
<pre>
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
</pre>

The cache directory:

On MacOS-X
<pre>
/Users/$USER/Library/Caches/com.apple.Safari/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
</pre>

On Windows 7
<pre>
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
</pre>

== History ==
The browser history is stored in a [[Property list|binary plist file]] named '''History.plist''' in the user directory.

This file can be viewed directly in [[Mac OS X]] by opening it in the [[Property List Editor]] program.

For each web site, Safari records the URL visited, the date and time of the last visit, and the number of times the site has been visited.

The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.

On a Windows PC the History.plist file can be opened in the [[Oxygen Forensic Plist Viewer]] software.

The downloads history can also be found in the user directory, in a binary plist file named '''Downloads.plist'''.
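As an added example (not from the wiki page and not Apple's code), the following Python decodes the timestamp convention described above: it builds a constructed binary plist, parses it with the standard plistlib module, and converts the seconds-since-2001 values to UTC datetimes. The key names WebHistoryDates, lastVisitedDate and visitCount are assumptions about the plist layout, which the page does not document; the sample values are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Safari stores visit times as float seconds since 2001-01-01 00:00:00 UTC
# (Core Foundation absolute time), not since the Unix epoch of 1970.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_absolute_to_datetime(seconds):
    """Convert a Safari/Cocoa float timestamp to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=float(seconds))

def misread_as_unix(seconds):
    """The common analyst error: treating the value as a Unix timestamp.
    Returns the (wrong) datetime, which lands 31 years too early."""
    return datetime.fromtimestamp(float(seconds), tz=timezone.utc)

def parse_history(blob):
    """Parse History.plist bytes (binary or XML plist) into simple records.

    Key names are assumptions for this example. Each record carries the
    three facts the page says Safari records per site: URL, last-visit
    time and visit count.
    """
    plist = plistlib.loads(blob)
    records = []
    for entry in plist.get("WebHistoryDates", []):
        records.append({
            "url": entry.get(""),
            "last_visit": mac_absolute_to_datetime(entry.get("lastVisitedDate", 0)),
            "visit_count": int(entry.get("visitCount", 0)),
        })
    return records

def build_sample_history():
    """Constructed sample: a binary plist with two history entries."""
    data = {
        "WebHistoryDates": [
            {"": "http://www.example.com/", "lastVisitedDate": "378691200.0",
             "visitCount": 3},
            {"": "http://forensicswiki.org/", "lastVisitedDate": "0.0",
             "visitCount": 1},
        ],
    }
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)
```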

== Cache ==
The Safari cache is stored in '''Cache.db''' in the cache directory.

This file uses the [[SQLite database format]].

== External Links ==
* [http://www.apple.com/macosx/features/safari/ Official website]
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh

== Tools ==
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools], home of Safari Forensic Tools (SFT)

[[Category:Applications]]
[[Category:Web Browsers]]