SANS Digital Forensics and Incident Response Blog: Author - johnmccash

Safari Browser Forensics

Since Apple started installing Safari for Windows by default when you update iTunes, I imagine there's going to be considerably more interest in performing forensic analysis of Safari browser artifacts than there has been previously.

Safari for Windows

Safari Forensics

In searching for some tools to help with analysis of Safari artifacts on a case I recently worked, I came across SFT 1.1.1. SFT was first released about a year and a half ago, and was updated several times over the following six months. There are no recent updates. Except for one issue noted below, it seems to work OK. SFT 1.1.1 contains the


Indirect iPhone Forensics

In a case I recently worked, I came across relevant SMS messages which had been sent and received using an iPhone. Interestingly, I wasn't actually examining the iPhone, but only the subject's MacBook Pro. What I discovered and subsequently researched, is that virtually all of the iPhone's current data contents, as well as quite a bit of archival data, appear to be extractable from the .mdbackup files that are stored on the PC or Mac to which the iPhone is synched.

On Windows, .mdbackup files are stored in their user's profile folder, under ''Application Data\\Apple Computer\\MobileSync\\Backup'. On the Mac, they're stored in the user's home directory, under ''Library/Application Support/MobileSync/Backup'. While I've only worked with the one instance on a Mac, I believe that the file format is identical between both platforms. The .mdbackup file contains, presumably among other things, one or more sqlite database files. These can be

... Continue reading Indirect iPhone Forensics

Forensic Gmail Artifact Analysis

I don't know if you've had the pleasure of trying to extract GMail message content from a drive image, but there aren't a lot of references out there. Those that I found helpful, I've listed below.

Gmail uses JavaScript to manage the user experience on the front end, and passes content back and forth between the client and server using ''datapack' files, which are formatted using JavaScript Object Notation (JSON). See Google for details on JSON, but basically a complete datapack file looks something like the following (indentation & newlines added):