Collecting Quick Look Data From a Live macOS System

Brian Gerdon

June 5, 2018

After reading about how to manually analyze Quick Look data, we’re sharing with you a method to collect Quick Look data on a live macOS machine so you can test and validate cached data yourself!

Check out our walkthrough video and the steps following:

Arsenal Quick Look Cache Parsing Video

Steps taken in the Quick Look video

First, create test data by simply browsing files and folders on your system.

Next, you’ll need an account with admin privileges. Open up a Terminal window and elevate your privileges, then enter your password when prompted.

$ sudo bash

Navigate to the Quick Look directory for the user you want to examine. Starting from the root of your Mac, navigate under /var/folders.

# cd private/var/folders

If you list directories in this location, you’ll see what appear to be randomly named two character directories. These directories correspond to different users on the system.

To find the right user and cache, perform a search to find the Quick Look full paths for each user.

# find ./ -print | egrep '\.QuickLook\.'

Using “find”, start at the current directory, print to standard output, and pipe the output to egrep to search for extended regular expressions. We’ll identify the “com.apple.QuickLook.thumbnailcache” folder by searching for .QuickLook. – enclosing our search term in single quotes, using the backslash \ to escape the period .

A listing of the Quick Look folders and their contents will be displayed. You’re looking for the user and corresponding SQLite cache for the user who you’ve populated with test data. Looking at metadata such as the timestamps for each “index.sqlite” cache file can help you find the right file to examine.

Hint: if you browsed files and folders then went straight into the terminal without changing users, you’re looking for the index.sqlite file with the most recent modified time!

Let’s say that, after examining its metadata, you’ve identified “.//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite” as the file to examine.

# ls -la .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite

Grab the whole Quick Look parent folder to examine. Not only will this get the SQLite file containing metadata about files and folders you’ve browsed, it will capture the “thumbnails.data” file where we can later retrieve thumbnails!

# tar -cf ~/Desktop/00_archive.tar .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache

How to find the Quick Look files faster

Now that you’ve seen and understood how we stepped through finding our Quick Look data in the video walkthrough, how about a quicker way to find the SQLite database you’re looking for? Try this in the Terminal to find the “index.sqlite” files:

$ sudo -s find /var/folders -name "index.sqlite"

Or try this to find the files and display additional metadata all in one step:

$ sudo -s find /var/folders -name "index.sqlite" -exec ls -al {} +

Once you’ve identified your “index.sqlite” file, copy it out for further examination:

$ sudo cp /full/path/to/index.sqlite ~/Desktop/destination_name.sqlite

Now you can extract data that can be examined using the tools and techniques as seen in our Quick Look Cache Parsing post as well as the video above!

Thanks to Brian Gerdon for his assistance with testing and command line-fu.

Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!
