Collecting Quick Look Data From a Live macOS System

Brian Gerdon

June 5, 2018

After reading about how to manually analyze Quick Look data, we’re sharing with you a method to collect Quick Look data on a live macOS machine so you can test and validate cached data yourself!

Check out our walkthrough video and the steps following:

Arsenal Quick Look Cache Parsing Video

Steps taken in the Quick Look video

First, create test data by simply browsing files and folders on your system.

Next, you’ll need an account with admin privileges. Open up a Terminal window and elevate your privileges, then enter your password when prompted.

$ sudo bash

Navigate to the Quick Look directory for the user you want to examine. Starting from the root of your Mac, navigate under /var/folders.

# cd private/var/folders

If you list directories in this location, you’ll see what appear to be randomly named two character directories. These directories correspond to different users on the system.

To find the right user and cache, perform a search to find the Quick Look full paths for each user.

# find ./ -print | egrep '\.QuickLook\.'

Using “find”, start at the current directory, print each path to standard output, and pipe the output to egrep to search with an extended regular expression. We’ll identify the “com.apple.QuickLook.thumbnailcache” folder by searching for .QuickLook., enclosing the search term in single quotes and using the backslash \ to escape each period so it matches a literal dot rather than any character.

A listing of the Quick Look folders and their contents will be displayed. You’re looking for the user and corresponding SQLite cache for the user who you’ve populated with test data. Looking at metadata such as the timestamps for each “index.sqlite” cache file can help you find the right file to examine.

Hint: if you browsed files and folders then went straight into the terminal without changing users, you’re looking for the index.sqlite file with the most recent modified time!

Let’s say that, after reviewing its metadata, you’ve identified “.//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite” as the file to examine.

# ls -la .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite

Grab the whole Quick Look parent folder to examine. Not only will this get the SQLite file containing metadata about files and folders you’ve browsed, it will capture the “thumbnails.data” file where we can later retrieve thumbnails!

# tar -cf ~/Desktop/00_archive.tar .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache

How to find the Quick Look files faster

Now that you’ve seen and understood how we stepped through finding our Quick Look data in the video walkthrough, how about a quicker way to find the SQLite database you’re looking for? Try this in the Terminal to find the “index.sqlite” files:

$ sudo -s find /var/folders -name "index.sqlite"

Or try this to find the files and display additional metadata all in one step:

$ sudo -s find /var/folders -name "index.sqlite" -exec ls -al {} +

Once you’ve identified your “index.sqlite” file, copy it out for further examination:

$ sudo cp /full/path/to/index.sqlite ~/Desktop/destination_name.sqlite

Now you can extract data that can be examined using the tools and techniques as seen in our Quick Look Cache Parsing post as well as the video above!
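As an added example that is not part of the original post, the steps above can be folded into one shell function: it finds every index.sqlite under a folders root, archives the whole thumbnailcache folder it sits in (so thumbnails.data comes along with the database), and records the ls -la metadata plus a SHA-256 of each archive in a manifest for later verification. The folders root and output directory are parameters (an assumption made here so it can be exercised against a constructed directory tree); on a live Mac it would be run as root against /var/folders.

```shell
#!/bin/sh
# Added example (not part of the original post): collect every Quick Look
# thumbnailcache folder under a /var/folders-style root into one tar per user
# cache, and write a manifest with "ls -la" metadata and a SHA-256 per archive.
# Usage: collect_quicklook_caches <folders_root> <output_dir>
#   on a live Mac, as root:  collect_quicklook_caches /var/folders ~/Desktop/ql_out
# Prints the number of archives produced.
collect_quicklook_caches() {
    root=$1
    out=$2
    mkdir -p "$out" || return 1
    manifest="$out/manifest.txt"
    : > "$manifest"
    # Same idea as the post's find/egrep pair, keyed on index.sqlite instead.
    find "$root" -type f -name index.sqlite 2>/dev/null | sort > "$out/hits.lst"
    while read -r db; do
        cache_dir=$(dirname "$db")
        # Keep only hits that really live inside the Quick Look cache folder;
        # other apps may also keep a file called index.sqlite.
        case $cache_dir in
            */com.apple.QuickLook.thumbnailcache) ;;
            *) continue ;;
        esac
        # <root>/00/1l_gj.../C/com.apple.QuickLook.thumbnailcache -> 00_1l_gj....tar
        rel=${cache_dir#"$root"/}
        top=${rel%%/*}
        rest=${rel#*/}
        user=${rest%%/*}
        archive="$out/${top}_${user}.tar"
        # Archive the whole folder so thumbnails.data is captured with index.sqlite.
        tar -cf "$archive" -C "$(dirname "$cache_dir")" "$(basename "$cache_dir")" || return 1
        # Timestamps from ls -la help pick the right cache later; the hash lets
        # the copy be verified against the original archive.
        { echo "== $db"; ls -la "$db"; sha256_of "$archive"; } >> "$manifest"
    done < "$out/hits.lst"
    rm -f "$out/hits.lst"
    ls "$out"/*.tar 2>/dev/null | wc -l | tr -d ' '
}

# SHA-256 using macOS (shasum) or Linux (sha256sum) tooling, whichever exists.
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else sha256sum "$1"; fi
}
```

The while loop reads from a file rather than a pipe so that a failed tar can abort the whole run with a non-zero return instead of being lost in a subshell.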

Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!
