Ryan has been doing some good things at MOSXF.com, check out the metadata extractor. The site is usually updated at least once a week with new info.

We release a new podcast episode in mid March. We hope to have another recorded this week and released by the weekend. I am working on a video series that will show some of the topics that we cover on the podcast. I also hope to have the SQLite Manager video updated and posted soon.

Be safe,
Dave

The Safari cache.db location varies with the different versions of Safari. The current version, 4.0.4, stores the file in the following location:

~/Library/Caches/com.apple.Safari/cache.db

Click here to view the embedded video.

SQLite Manger is a database management tool that allows us to open and view the many SQLite .db files that are on a Mac and the iPhone. The thing I like best, so far, is that I am able to see the actual image located in the blob data from a Safari cache.db file and the originating url information in one place.

I know we can use different software suites to do this but some of those may be out of our budget. Tools like SQLite Manager and SQLite Database Browswer 1.3 are examples of free or low cost tools that we can keep in our Mac forensics toolbox and not have to shell out a lot of money.

SQLite Manager by SQLabs

The discount code:

Be safe,
Dave

We are lucky to have Ben Charnota of BlackBag Technologies talking about their new software write block solution, Soft Block. Soft Block is a fire and forget write block solution for Macintosh computers. Once started, it runs quietly in the background until an external media is inserted into the computer. Soft Block then prompts you to mount the device Read Only or Read/Write. I have been running the demo version of the software on my MacBook Pro for a couple of weeks and forget it is there until I plug in a drive. The Soft Block prompt isn’t bothersome, it only takes a second to deal with and you are on your way. The nice thing about Soft Block is that, coupled with your laptop, you are ready to respond to the field with your preview system and a write blocker in one unit.

I will be doing a more in depth review of Soft Block and will post it on our sister site, MacOSXForensics.com.

Chris talks about the com.apple.recentitems.plist in this episode’s Plist of the Week (PLoW).  By default, each section, Applications, Documents, Hosts, & Servers, will have 10 entries. This can be modified in the System Preferences > Appearances section or by using Plist Editor to change the values. This is usually one of the first plists we look at during an examination. The Recent Items plist will show the last items, which were accessed by the user, such as programs, images, movies and documents. It is a good indication of what he/she was up to prior to the seizure or imaging of the computer and could be the smoking gun. I like to restore the drive, as part of my analysis, and then take a screenshot of the Recent Items menu, as the user would see them. As they say, a picture is worth a thousand words.

We take a good part of this show to talk about the basics of how we prep a Mac to become an analysis system. The first thing that should always be done is the installation of the Apple Developer Tools. The Developer Tools provides us with several programs and commands that will be of great use to us when we start our examinations. The most useful is the Plist Editor, which allows us to see a plist in an easy to read format. The newer versions of the Plist Editor allows us to print the plist while older versions had the ability to do a data dump, which allowed us to copy the code for review. Essentially, if you aren’t using Plist Editor or the third party, Plist Editor Pro, you are doing yourself a disservice. Another good tool that comes with the Tools is the GetFileInfo command. A Terminal command, GetFileInfo provides a number of arguments, which will allow you to retrieve file data such as creation/modification dates, creator code, file type code and file attributes.

Be Safe,

Dave