Difference between pages "Apple Safari" and "Linux Unified Key Setup (LUKS)"

From ForensicsWiki
(Difference between pages)
(History)
 
(How to detect =)
 
Line 1: Line 1:
{{Expand}}
+
{{expand}}
Apple Safari is the default [[Web Browser|web browser]] included with [[Mac OS X]].
+
  
== Locations ==
+
Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.
The Safari browser uses different locations to store different kind of information.
+
  
The user directory:
+
LUKS supports various encryption methods, like:
 +
* [[AES]]
 +
* [[Anubis]]
 +
* [[Blowfish|BlowFish]]
 +
* [[Cast5]]
 +
* [[Cast6]]
 +
* [[Serpent]]
 +
* [[Twofish|TwoFish]]
  
On MacOS-X
+
These encryption methods can be used in various chaining modes and with various initialization vector modes.
<pre>
+
/Users/$USER/Library/Safari/
+
</pre>
+
  
On Windows XP
+
== How to detect ===
<pre>
+
A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.
C:\Documents and Settings\%USERNAME%\Application Data\Apple Computer\Safari\
+
</pre>
+
  
On Windows 7
+
A hexdump of the start of the volume should look similar to:
 
<pre>
 
<pre>
C:\Users\{user}\AppData\Roaming\Apple Computer\Safari\
+
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
 +
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
 +
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
 +
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
 +
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
 
</pre>
 
</pre>
 
The cache directory:
 
 
On MacOS-X
 
<pre>
 
/Users/$USER/Library/Caches/com.apple.Safari/
 
</pre>
 
 
On Windows XP
 
<pre>
 
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Apple Computer\Safari\
 
</pre>
 
 
On Windows 7
 
<pre>
 
C:\Users\{user}\AppData\Local\Apple Computer\Safari\
 
</pre>
 
 
== History ==
 
The browser history is stored in a [[Property list | binary plist file]] named '''History.plist''' in the user directory.
 
 
This file can be viewed directly in [[Mac OS X]] by opening file in the [[Property List Editor]] program.
 
 
For each web site, the program records the URL visited, the date and time of the last visit, and the number of times the site has been visited.
 
 
The date and time values are stored as a floating point value containing the number of seconds since Jan 1, 2001 00:00:00 UTC.
 
 
On a Windows PC History.plist file can be opened in [[Oxygen Forensic Plist Viewer]] software.
 
 
== Downloads ==
 
The downloads history is stored in a [[Property list | binary plist file]] named '''Downloads.plist''' in the user directory.
 
 
== Last Session ==
 
The browser last session information is stored in a [[Property list | binary plist file]] named '''LastSession.plist''' in the user directory.
 
 
== Cache ==
 
The Safari cache is stored in '''Cache.db''' in the cache directory.
 
 
This file uses the [[SQLite database format]].
 
  
 
== External Links ==
 
== External Links ==
 +
* [http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf New Methods in Hard Disk Encryption], by Clemens Fruhwirth, July 18, 2005
 +
* [http://wiki.cryptsetup.googlecode.com/git/LUKS-standard/on-disk-format.pdf LUKS On-Disk Format Specification - Version 1.2.1], by Clemens Fruhwirth, October 16, 2011
 +
* [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html LUKS Disk Encryption], by [[RedHat]]
 +
* [https://googledrive.com/host/0B3fBvzttpiiSNUVYSFF1TmRONmc/Linux%20Unified%20Key%20Setup%20(LUKS)%20Disk%20Encryption%20format.pdf LUKS Disk Encryption format specification], by the [[libluksde|libluksde project]], July 2013
 +
* [http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ Practical malleability attack against CBC-Encrypted LUKS partitions], by Jakob Lell, December 22, 2013
  
* [http://www.apple.com/macosx/features/safari/ Official website]
 
* [http://www.appleexaminer.com/files/Safari_Cache.db_Revisited.pdf Safari Cache Revisited] by Sean Cavanaugh
 
* [http://www.appleexaminer.com/MacsAndOS/Analysis/HowTo/SafariBrowserAnalysis/SafariBrowserAnalysis.html Analyzing Apple Safari Artifacts], by Selena Ley
 
 
== Tools ==
 
* [http://jafat.sourceforge.net/ J.A.F.A.T. Archive of Forensics Analysis Tools] home of Safari Forensic Tools (SFT)
 
  
[[Category:Applications]]
+
[[Category:Disk encryption]]
[[Category:Web Browsers]]
+
[[Category:Linux]]
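Review bot: the added heading "== How to detect ===" has two opening but three closing equals signs, so the rendered revision shows the section title as "How to detect =". Change it to "== How to detect ==" so the heading matches the other sections, such as "== External Links ==".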

Revision as of 13:18, 23 December 2013


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.

LUKS supports various encryption methods, like:

* AES
* Anubis
* BlowFish
* Cast5
* Cast6
* Serpent
* TwoFish

These encryption methods can be used in various chaining modes and with various initialization vector modes.

How to detect

A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.

A hexdump of the start of the volume should look similar to:

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
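
The signature check and the text fields visible in the hexdump can be read programmatically. The following is an added example, not part of the original wiki page: the function names are hypothetical, the 32-byte field lengths are taken from the LUKS version 1 on-disk format, and the sample bytes are constructed from the hexdump above.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of a LUKS version 1 header (all integers big-endian):
# magic[6], version uint16, cipher-name[32], cipher-mode[32], hash-spec[32]
HEADER = struct.Struct(">6sH32s32s32s")


def _text(field):
    """Decode a NUL-padded ASCII field from the header."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(data):
    """Return header details for a LUKS volume, or None if the signature is absent."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None
    info = {"version": struct.unpack_from(">H", data, 6)[0]}
    # Only decode the text fields for the layout shown in the hexdump (version 1).
    if info["version"] == 1 and len(data) >= HEADER.size:
        _, _, cipher, mode, hash_spec = HEADER.unpack_from(data)
        info.update(cipher_name=_text(cipher), cipher_mode=_text(mode),
                    hash_spec=_text(hash_spec))
    return info


def detect_luks(path):
    """Read only the first 104 bytes of an image or device and parse them."""
    with open(path, "rb") as fh:
        return parse_luks_header(fh.read(HEADER.size))


# Constructed sample: same bytes as the hexdump above, zero-padded to 104 bytes.
SAMPLE = (LUKS_MAGIC + b"\x00\x01" + b"aes".ljust(32, b"\x00")
          + b"cbc-essiv:sha256".ljust(32, b"\x00") + b"ripemd160".ljust(32, b"\x00"))

if __name__ == "__main__":
    print(parse_luks_header(SAMPLE))
    print(parse_luks_header(b"\x00" * 512))  # no signature
```

Opening the evidence image read-only and reading only the header bytes keeps the check safe to run against a mounted acquisition.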
