Thumbnail images can be extracted from a variety of sources in a given piece of evidence under investigation (e.g., cached browser images, thumbs.db files, embedded JPEGs, etc.). In OS X, there is a relatively under-exploited source of thumbnails generated from Quick Look technology. In this post, we’ll explore how this particular artifact can be exposed and understood in your next OS X investigation.
To preface this post, many artifacts created in OS X are most easily reviewed and understood on a Mac natively. However, many investigators lack access to a Mac for forensic investigation. If you haven’t used EnCase for OS X investigations, you may not be aware EnCase has been continuously adding support for investigation of OS X systems, including the comprehensive support for HFS+ extended attributes, Plist parsing, an automated OS X artifact processing module, as well as most recently, native support for decryption of OS X keychains. With each release of EnCase, there are fewer techniques that remain best-suited or unique to a native OS X toolset. That being said… let’s get on with it!
Quick Look is a technology that was introduced by Apple in Mac OS 10.5. It enables applications such as Spotlight (the Mac OS X search application) and Finder (the Mac OS X equivalent of the Windows Explorer program) to display thumbnail images and full-size previews of supported documents.
The Quick Look function within Mac OS X caches thumbnail images so as to avoid unnecessary, repetitive processing, thereby increasing performance. Examination of a Mac OS X user’s Quick Look thumbnail cache can provide evidence of guilty knowledge; it may also reveal the presence of documents that would otherwise be inaccessible or go unnoticed by the examiner.
Forensic Significance
The evidential significance of thumbnail images in general requires little comment but, that said, the following points are of particular note when dealing with the thumbnails created by Quick Look:
- The Quick Look function differs from the thumbnail-creation-mechanism used by Windows in that it supports documents other than just pictures.
- Quick Look is extensible and supports the use of Quick Look generators (applications that generate thumbnails and document previews) developed by third-party developers. Microsoft, for instance, package its own Quick Look generators together with the Microsoft Office for Mac suite of applications.
- Quick Look thumbnails are not only stored for documents on internal disks; they are also stored for documents located on removable disks, including those that have been encrypted.
- Quick Look thumbnails are tracked using a SQLite database, which stores a last-hit-date and hit-count for each one.
- A document may have multiple thumbnails, each one having different dimensions. These dimensions can range from very large to very small.
- The largest Quick Look thumbnails appear to be generated by the Cover Flow view of the Finder program.
- The Quick Look thumbnail cache for each user is stored in a folder to which only the root user has access.
- It is possible to clear the Quick Look thumbnail cache using the qlmanage –r cache command but this command has to be executed via a Terminal window and is beyond the ability/knowledge of many Mac users.
- Full-size previews of documents are not cached – they are generated dynamically by Quick Look as and when required.
Location of the Quick Look Thumbnail Cache
The Quick Look thumbnail cache for each user is buried deep in a random sub-folder of the /var/folders folder. It is itself a folder.
Finding your own cache-folder may involve a little trial and error but, as an example, the path to my cache-folder is as shown in the following screenshot –
Note that access to the folder shown in the above screenshot had to be obtained using a root shell obtained by issuing the sudo –s command in a Terminal window.
Notwithstanding the fact that the path to a user’s Quick Look thumbnail-cache will be random, it will always have the name com.apple.QuickLook.thumbnailcache.
The two most important files in a thumbnail-cache folder are as follows –
- index.sqlite
- thumbnails.data
The files table contains the name, path, file-identifier, and volume-identifier of each file tracked by the database.
The thumbnails table contains information about each thumbnail, including the file to which it relates (as stored in the files table) and the offset of its data, which is stored as a raw bitmap in the thumbnails.data file.
Parsing a User’s Quick Look Thumbnail Cache
The examiner can use the recently released Mac OS X QuickLook Thumbcache Parser, available on EnCase App Central. Later this year, this ability will be folded into the “Create Thumbnails” Evidence Processor module for “set it and forget it” operation. Until then, the parse app is available at no cost for your use.
The following screenshot shows a preview of the Quick Look parsing functionality in a preview version of EnCase. The Quick Look metadata for each thumbnail is visible in the Attributes tab:
Here’s a screenshot of how to operate the Mac OS X QuickLook Thumbcache Parser:
The script extracts the Quick Look thumbnails from each cache into to a sub-folder of the nominated export folder:
Each extracted thumbnail is given a name matching the following template:
. . .png
It should be noted that spreadsheet created by the script will only contain metadata relating to thumbnails that have been extracted. Records for which no thumbnail data is present will be excluded, but can be parsed using a suitable SQLite viewer/editor application.
Additional Resources
If you find this analysis useful or have questions, please let us know in the comments below or reach out on Twitter @EnCase. All of this information is available courtesy of Guidance Software Training, trusted sources for techniques, best practices and mentorship for digital investigators for over 15 years.
Here are a few related resources that may help you keep your tools sharpened in your next OS X investigation:
- OS X: Delving A Little Deeper: Learn more about these techniques at in the Digital Forensics Lab track at CEIC 2014
- EnCase Examinations of the Macintosh Operating Systems: Official Guidance Software Training course
- EnCase 7.09.04: Extracting Passwords from OS X Keychains
- Examining Mac OS X User and System Keychains
No comments :
Post a Comment