Sat, 27 June 2009
Sorry it took so long but the show notes for Episode 3 are ready. You can either read a shortened version below or download the PDF. The PDF has images that help explain some of the locations and other aspects of what was discussed.
Download Show Notes
Safari Internet Cache:
Original location for Safari 2 and early 3:
- Files were given Unique ID and extension of .cache
Version 3: switched to a sqlite database ﬁle and moved the cache to /var/folders
-If in Windows environment, ie. Encase, you will not see “/var/folders”, instead it will be:
-var/folders view on Mac is called “soft link” as Private is implied
Latest Safari Ver 3 & Version 4 moves the cache back to:
- The Cache.db ﬁle resides here. Probable change was security based as it placed te ﬁle back in the users folder.
Viewing Safari Cache:
SQLite DB Browser 1.3:
Database: can use SQLite DB browser 1.3 from Sourceforge
-Displays the .db tables
-Example: “Response Table”: has website URL and Date/Time Stamp in GMT
-Drop the Cache.db on Filejuicer and it will parse the data out
-Images, HTML, TXT, etc.
Incident Response/Trusted Utilities:
-Often times, whenever out on scene, it is an unknown environment
-Must consider all machines to be unknown and applications possibly
-Best way to prepare is to have our own trusted utilities disk
-Recommend a ﬂash drive, minimum 4 GB to use
-If PowerPC: recommend Firewire, if Intel: recommend USB
Trusted Utilities Drive:
1. Disk Initialization (formatting for you Microsofties): Use Disk Utility
to initialize the drive and wipe it prior to placing tools on it.
2. Put on utilities: i.e. Terminal, System Proﬁler, etc.
3. Rule of thumb: Command Line Tools/GUI Tools/Evidence Collection.
4. Name the Volume/Disk something you will recognize i.e.
“RyansTrusted Utilities" This eliminates confusion on Suspectʼs
5. Run Trusted Utilities: Date, System Proﬁler and export information to
6. Keep record of the commands run for later review and reporting, i.e.
use PDF printout from Mac builtin utilities.
7. Remember to direct your path to the Trusted Utilities Disk as you are
never sure what the suspect has done to their machine. Control your
PList(s) of the Week(PLOW):
-This PList originates information entered at Registration
-Can contain: First Name, Last Name, Local Phone #, Street Address 1
and 2, City, State, Zip, Area Code, Local Phone#, Company, Existing
-Covers the settings for the address book entries
-Print Dialog Setting
-Unique User ID # for each “address book entry”
-File saved as “UUID/ABPerson.abcdp
-Viewable with Plist Editor or by copying out and dropping in
UUID matches the Metadata UUID
-This is the image that represents the corresponding address book entry
To View in Address Book:
1. Create a clean User account.
2. Copy the suspect com.apple.AddressBook folder and drop into the
corresponding location in the new account. Also, copy and drop
3. Open Address Book and then you can view and print out the entries.
Host at Large Reggie “Good Stuff” Chapman:
Part One of his series on the Terminal & Commands
-Darwin: Open Source Unix Core of MacOSX
-Terminal located in /Applications/Utilities
-Drag and place on your dock for quick access
-Change the Terminal to ﬁt your settings, color, size
-Click on “Terminal --> Preferences” (LEOPARD)
-”Settings” box allows to change:
-Text, Window, Shell, Keyboard, and other Advanced Changes
-RYANʼs TEMPLATE OF CHOICE: OCEAN is a good setting for Court Presentation
Websites of the Week
-Site that has a blog theme
-People post ideas/ways to solve problems
-Has Forum to help research issues and ﬁnd answers
-Good App and Scripting resource
-Has the technical notes for Macs
-Tech Note 1150: HFS File System
-Free Utilities and information
Category:general -- posted at: 7:35am PST