Lodrina Cherne
June 5, 2018
After reading about how to manually analyze Quick Look data, we’re sharing with you a method to collect Quick Look data on a live macOS machine so you can test and validate cached data yourself!
Check out our walkthrough video and the steps that follow:
Arsenal Quick Look Cache Parsing Video
Steps taken in the Quick Look video
First, create test data by simply browsing files and folders on your system.
Next, you’ll need an account with admin privileges. Open up a Terminal window and elevate your privileges, then enter your password when prompted.
$ sudo bash
Navigate to the Quick Look directory for the user you want to examine. Starting from the root of your Mac, navigate under /var/folders.
# cd /private/var/folders
If you list directories in this location, you’ll see what appear to be randomly named two-character directories. These directories correspond to different users on the system.
To find the right user and cache, perform a search to find the Quick Look full paths for each user.
# find ./ -print | egrep '\.QuickLook\.'
Using “find”, start at the current directory, print every path to standard output, and pipe the output to egrep to search it with an extended regular expression. We’ll identify the “com.apple.QuickLook.thumbnailcache” folder by searching for .QuickLook. – enclosing the search term in single quotes and using the backslash (\) to escape each period so it matches a literal dot rather than any character.
A listing of the Quick Look folders and their contents will be displayed. You’re looking for the user and corresponding SQLite cache for the user who you’ve populated with test data. Looking at metadata such as the timestamps for each “index.sqlite” cache file can help you find the right file to examine.
Hint: if you browsed files and folders then went straight into the terminal without changing users, you’re looking for the index.sqlite file with the most recent modified time!
Let’s say that, after reviewing its metadata, you’ve identified “.//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite” as the cache to examine.
# ls -la .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite
Grab the whole Quick Look parent folder to examine. Not only will this get the SQLite file containing metadata about files and folders you’ve browsed, it will capture the “thumbnails.data” file where we can later retrieve thumbnails!
# tar -cf ~/Desktop/00_archive.tar .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache
How to find the Quick Look files faster
Now that you’ve seen and understood how we stepped through finding our Quick Look data in the video walkthrough, how about a quicker way to find the SQLite database you’re looking for? Try this in the Terminal to find the “index.sqlite” files:
$ sudo -s find /var/folders -name "index.sqlite"
Or try this to find the files and display additional metadata all in one step:
$ sudo -s find /var/folders -name "index.sqlite" -exec ls -al {} +
Once you’ve identified your “index.sqlite” file, copy it out for further examination:
$ sudo cp /full/path/to/index.sqlite ~/Desktop/destination_name.sqlite
Now you can extract data that can be examined using the tools and techniques as seen in our Quick Look Cache Parsing post as well as the video above!
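The steps above (find every index.sqlite under /var/folders, pick the one most recently modified, and archive its whole thumbnailcache folder so thumbnails.data comes along) are collected below in a small POSIX shell script. This is an added example, not Arsenal’s own script or code from the video; the function names (ql_find_caches, ql_newest_cache, ql_archive_cache, ql_demo) are ours, and ql_demo builds a constructed directory tree in a temporary folder that stands in for /var/folders so the script runs on any system without root. On a live Mac you would call the functions with sudo against /var/folders instead.

```shell
#!/bin/sh
# Added example (not Arsenal's script): collect a Quick Look cache folder.
# Real-world root is /var/folders; ql_demo uses a constructed tree instead.

# Print every index.sqlite that lives inside a Quick Look thumbnailcache dir
# under root $1. Mirrors: find /var/folders -name "index.sqlite"
ql_find_caches() {
    find "$1" -path '*com.apple.QuickLook.thumbnailcache/index.sqlite' -print 2>/dev/null
}

# Print the most recently modified cache under root $1. Per the hint above,
# that is the cache of the user who just browsed files. Unquoted expansion is
# fine here: per-user paths under /var/folders contain no whitespace.
ql_newest_cache() {
    newest=""
    for f in $(ql_find_caches "$1"); do
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Archive the whole thumbnailcache folder that contains cache file $1 into
# tar file $2, so index.sqlite AND thumbnails.data are both captured.
# -C keeps the archive rooted at the thumbnailcache directory itself.
ql_archive_cache() {
    cache_dir=$(dirname "$1")
    tar -cf "$2" -C "$(dirname "$cache_dir")" "$(basename "$cache_dir")"
}

# Constructed demo (stands in for /var/folders): two per-user caches, the
# second one touched later. Prints the chosen cache path, then the archive
# listing, so the thumbnails.data capture is visible.
ql_demo() {
    root=$(mktemp -d)
    for u in 00/aaaa/C 3k/bbbb/C; do
        mkdir -p "$root/$u/com.apple.QuickLook.thumbnailcache"
        : > "$root/$u/com.apple.QuickLook.thumbnailcache/index.sqlite"
        : > "$root/$u/com.apple.QuickLook.thumbnailcache/thumbnails.data"
    done
    touch -t 201801010000 "$root/00/aaaa/C/com.apple.QuickLook.thumbnailcache/index.sqlite"
    touch -t 201806050000 "$root/3k/bbbb/C/com.apple.QuickLook.thumbnailcache/index.sqlite"
    chosen=$(ql_newest_cache "$root")
    ql_archive_cache "$chosen" "$root/ql_archive.tar"
    printf '%s\n' "$chosen"
    tar -tf "$root/ql_archive.tar"
}

ql_demo
```

On a real machine, `sudo sh -c '. ./ql.sh; ql_newest_cache /var/folders'` (assuming you saved the functions as ql.sh and removed the trailing ql_demo call) prints the live cache to grab, and ql_archive_cache with that path and ~/Desktop/00_archive.tar reproduces the tar step from the video.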
Thanks to Brian Gerdon for his assistance with testing and command line-fu.
Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!