Difference between pages "Apple Safari" and "Tools:File Analysis"

From ForensicsWiki

= Apple Safari =

{{Expand}}

Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]]. The support files for this browser are stored in the user's home directory in <tt>/Users/[username]/Library/Safari/</tt>.

== History ==

The Safari browser history is stored in a plist file named '''History.plist''' in the user directory.

On Mac OS X:
<pre>
/Users/$USER/Library/Safari/History.plist
</pre>

== Cache ==

The Safari cache is stored in '''Cache.db'''. This file uses the [[SQLite database format]].

On Mac OS X:
<pre>
/Users/$USER/Library/Caches/com.apple.Safari/Cache.db
</pre>

== Also See ==

[[Apple Safari History File Format]]

== External Links ==

* [http://www.apple.com/macosx/features/safari/ Official website]
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh

[[Category:Applications]]
[[Category:Web Browsers]]
[[Category:Mac OS X]]

= Tools:File Analysis =

== Image Analysis ==

; [[SurfRecon LE rapid image analysis tool]] by SurfRecon, Inc.
: http://www.surfrecon.com

== Closed Source Tools ==

; [[Rifiuti]]
: Examines the INFO2 file in the Recycle Bin.
: http://www.foundstone.com/us/resources/proddesc/rifiuti.htm

; [[Pasco]]
: Parses ''index.dat'' files.
: http://www.foundstone.com/us/resources/proddesc/pasco.htm

; [[Galleta]]
: Parses cookie files.
: http://www.foundstone.com/us/resources/proddesc/galleta.htm

== Open Source Tools ==

; [[file]]
: The file command determines the file type of a given file from its contents rather than from its extension or filename. To do so it uses a magic configuration file that identifies file types.

; [[ldd]]
: Lists the dynamic dependencies of executable files.

; [[truss]]
: Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr.
: http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss

; [[ltrace]]
: Library call tracer.
: http://linux.die.net/man/1/ltrace

; [[strace]]
: System call tracer.
: http://sourceforge.net/projects/strace/

; [[xtrace]]
: eXtended trace utility, similar to strace, ptrace and truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping the call stack and more.
: http://sourceforge.net/projects/xtrace/

; [[ktrace]]
: Enables kernel process tracing on OpenBSD.
: http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

; [[Valgrind]]
: Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can also write your own plug-in module.
: http://valgrind.org/

; [[DTrace]]
: Comprehensive dynamic tracing framework for Solaris (also ported to Mac OS X as XRays, and to FreeBSD). DTrace provides a powerful infrastructure for investigating the behavior of the operating system and user programs.
: http://www.sun.com/bigadmin/content/dtrace/

; [[strings]]
: Prints the strings of printable characters found in files. It allows choosing different character sets (ASCII, Unicode). It is a quick way to browse through files, partitions, etc. looking for words, filenames, keywords and the like.

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; dumpster_dive.pl
: MS Windows Recycle Bin INFO2 parser.
: http://jafat.sourceforge.net/files.html

; cookie_cruncher.pl
: MS IE cookie file parser.
: http://jafat.sourceforge.net/files.html

; [[yim2text]]
: Extracts the 'encrypted' info in Yahoo Instant Messenger log files.
: http://www.1vs0.com/tools.html

; [[Hachoir]]
: Determines the file type using file header/footer (hachoir-metadata --type), can list strings in Unicode (hachoir-grep), etc. Supports more than 60 file formats.

; [[Cygwin]]
: http://www.cygwin.com/
: Linux-like environment for Windows.

; [[UnxUtils]]
: http://unxutils.sourceforge.net/
: Common Unix utilities compiled for a Windows environment.

; [[GnuWin32]]
: http://gnuwin32.sourceforge.net/
: Common GNU utilities compiled for a Windows environment.

; [[SUA]]
: http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall.mspx
: Microsoft Subsystem for UNIX-based Applications.

== File Sharing Analysis Tools ==

; [[P2PMarshal|P2P Marshal]]
: Tools to discover and analyze peer-to-peer files for Windows.

== [[NDA]] and [[scoped distribution]] tools ==
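Returning to the Apple Safari page above: it gives the location of '''History.plist''' but not how to read it. The following Python script is an added example written for this page, not code from ForensicsWiki or from Apple. It assumes the older Safari history layout (a top-level dictionary whose <tt>WebHistoryDates</tt> array holds one entry per URL, with the URL under the empty-string key, a <tt>title</tt>, a <tt>visitCount</tt>, and <tt>lastVisitedDate</tt> stored as a string of seconds since the Core Foundation epoch of 2001-01-01 00:00:00 UTC); that layout, and the sample data built in <tt>build_sample_history()</tt>, are assumptions, not captured from a real system. Run it with the path to a History.plist copied from a disk image, or with no argument to parse the constructed sample.

```python
"""Parse a Safari History.plist and report visits with UTC timestamps.

Added example (not ForensicsWiki or Apple code). Assumed layout: a dict with
a "WebHistoryDates" array; each entry uses "" for the URL, "title",
"visitCount", and "lastVisitedDate" as a string of seconds since
2001-01-01 00:00:00 UTC (Core Foundation absolute time).
"""
import plistlib
import sys
from datetime import datetime, timedelta, timezone

# Core Foundation absolute time counts seconds from this instant.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_utc(seconds):
    """Convert a CFAbsoluteTime value (string or number) to an aware UTC datetime."""
    return CF_EPOCH + timedelta(seconds=float(seconds))


def parse_history(data: bytes):
    """Return visit records from History.plist bytes, most recent first.

    plistlib.loads() handles both the XML and the binary plist encodings, so
    the same call works whichever form the file on disk uses.
    """
    plist = plistlib.loads(data)
    rows = []
    for entry in plist.get("WebHistoryDates", []):
        url = entry.get("")          # assumed: URL lives under the empty key
        if not url:
            continue                 # skip malformed entries rather than crash
        rows.append({
            "url": url,
            "title": entry.get("title", ""),
            "visited": cf_absolute_to_utc(entry.get("lastVisitedDate", "0")),
            "visit_count": int(entry.get("visitCount", 0)),
        })
    rows.sort(key=lambda r: r["visited"], reverse=True)
    return rows


def build_sample_history() -> bytes:
    """Constructed sample in the assumed layout, serialised as a binary plist.

    242000000 s after the CF epoch is 2008-09-01 22:13:20 UTC.
    """
    sample = {
        "WebHistoryFileVersion": 1,
        "WebHistoryDates": [
            {"": "http://www.apple.com/macosx/features/safari/",
             "title": "Safari", "lastVisitedDate": "242000000.5", "visitCount": 3},
            {"": "http://www.example.com/",
             "title": "Example", "lastVisitedDate": "241000000", "visitCount": 1},
        ],
    }
    return plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. a copy of History.plist from an image
            data = fh.read()
    else:
        data = build_sample_history()
    for r in parse_history(data):
        print(r["visited"].isoformat(), r["visit_count"], r["url"], r["title"])
```

The timestamp conversion is the part worth checking against a known visit: an analyst who treats <tt>lastVisitedDate</tt> as a Unix timestamp will be off by exactly 31 years, so the epoch constant is kept explicit rather than buried in arithmetic.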

Revision as of 03:00, 18 September 2008

Image Analysis

SurfRecon LE rapid image analysis tool by SurfRecon, Inc.
http://www.surfrecon.com

Closed Source Tools

Rifiuti
Examines the INFO2 file in the Recycle Bin.
http://www.foundstone.com/us/resources/proddesc/rifiuti.htm
Pasco
Parses index.dat files.
http://www.foundstone.com/us/resources/proddesc/pasco.htm
Galleta
Parses cookie files.
http://www.foundstone.com/us/resources/proddesc/galleta.htm

Open Source Tools

file
The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.
ldd
List dynamic dependencies of executable files.
truss
Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr.
http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss
ltrace
Library call tracer.
http://linux.die.net/man/1/ltrace
strace
System Call Tracer.
http://sourceforge.net/projects/strace/
xtrace
eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more.
http://sourceforge.net/projects/xtrace/
ktrace
Enables kernel process tracing on OpenBSD.
http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
Valgrind
Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired.
http://valgrind.org/
DTrace
Comprehensive dynamic tracing framework for Solaris (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit investigation of the behavior of the operating system and user programs.
http://www.sun.com/bigadmin/content/dtrace/
strings
Prints the strings of printable characters found in files. It allows choosing different character sets (ASCII, Unicode). It is a quick way to browse through files, partitions, etc. looking for words, filenames, keywords and the like.
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
dumpster_dive.pl
MS Windows Recycle Bin INFO2 parser
http://jafat.sourceforge.net/files.html
cookie_cruncher.pl
MS IE cookie file parser
http://jafat.sourceforge.net/files.html
yim2text
Extracts the 'encrypted' info in Yahoo Instant Messenger log files.
http://www.1vs0.com/tools.html
Hachoir
Determines the file type using file header/footer (hachoir-metadata --type), can list strings in Unicode (hachoir-grep), etc. Supports more than 60 file formats.
Cygwin
http://www.cygwin.com/
Linux-like environment for Windows.
UnxUtils
http://unxutils.sourceforge.net/
Common unix utilities compiled for a Windows environment.
GnuWin32
http://gnuwin32.sourceforge.net/
Common GNU utilities compiled for a Windows Environment.
SUA
http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall.mspx
Microsoft Subsystem for UNIX-based Applications.

File Sharing Analysis Tools

P2P Marshal
Tools to discover and analyze peer-to-peer files for Windows.

NDA and scoped distribution tools