Collecting Quick Look Data From a Live macOS System

June 5th, 2018

After reading about how to manually analyze Quick Look data, we’re sharing with you a method to collect Quick Look data on a live macOS machine so you can test and validate cached data yourself!

Check out our walkthrough video and the steps following:

Arsenal Quick Look Cache Parsing Video

Steps taken in the Quick Look video

First, create test data by simply browsing files and folders on your system.

Next, you’ll need an account with admin privileges. Open up a Terminal window and elevate your privileges, then enter your password when prompted.

$ sudo bash

Navigate to the Quick Look directory for the user you want to examine. Starting from the root of your Mac, navigate under /var/folders.

# cd /private/var/folders

If you list directories in this location, you’ll see what appear to be randomly named two character directories. These directories correspond to different users on the system.

To find the right user and cache, perform a search to find the Quick Look full paths for each user.

# find ./ -print | egrep '\.QuickLook\.'

Using find, start at the current directory, print every path to standard output, and pipe the output to egrep to search with an extended regular expression. We identify the “com.apple.QuickLook.thumbnailcache” folder by searching for .QuickLook. – enclosing the search term in single quotes and using the backslash \ to escape each period so it matches literally.

A listing of the Quick Look folders and their contents will be displayed. You’re looking for the user and corresponding SQLite cache for the user who you’ve populated with test data. Looking at metadata such as the timestamps for each “index.sqlite” cache file can help you find the right file to examine.

Hint: if you browsed files and folders then went straight into the terminal without changing users, you’re looking for the index.sqlite file with the most recent modified time!

Let’s say you’ve identified “.//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite” to examine after examining its metadata.

# ls -la .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite

Grab the whole Quick Look parent folder to examine. Not only will this get the SQLite file containing metadata about files and folders you’ve browsed, it will capture the “thumbnails.data” file where we can later retrieve thumbnails!

# tar -cf ~/Desktop/00_archive.tar .//00/1l_gj96d3hb3932c2ywgzv380000gp/C/com.apple.QuickLook.thumbnailcache

How to find the Quick Look files faster

Now that you’ve seen and understood how we stepped through finding our Quick Look data in the video walkthrough, how about a quicker way to find the SQLite database you’re looking for? Try this in the Terminal to find the “index.sqlite” files:

$ sudo -s find /var/folders -name "index.sqlite"

Or try this to find the files and display additional metadata all in one step:

$ sudo -s find /var/folders -name "index.sqlite" -exec ls -al {} +

Once you’ve identified your “index.sqlite” file, copy it out for further examination:

$ sudo cp /full/path/to/index.sqlite ~/Desktop/destination_name.sqlite
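As an added example that is not part of the original post or of Arsenal’s tools, the POSIX shell functions below automate the two procedures above: search a /var/folders-style tree for every Quick Look index.sqlite, report each file’s modification time newest first, and archive the newest thumbnailcache folder whole so thumbnails.data is captured alongside the database. The root argument, the function names and the directory layout used in the comments are assumptions; on a live Mac run it with sudo against /private/var/folders.

```shell
#!/bin/sh
# Added example (not the original post's code): locate Quick Look caches
# under a /var/folders-style tree and archive the newest one whole.
# Assumes $1 is a directory laid out like /private/var/folders and that
# the caller has the privileges to read it (sudo on a real system).

# Print "<mtime-epoch> <path-to-index.sqlite>" for every cache under $1,
# newest first, so the most recently modified cache is on the first line.
list_quicklook_caches() {
    root="$1"
    find "$root" -path '*com.apple.QuickLook.thumbnailcache/index.sqlite' -print 2>/dev/null |
    while IFS= read -r f; do
        # GNU stat uses -c '%Y'; macOS (BSD) stat uses -f '%m'. Try GNU first,
        # fall back to BSD, so the same script runs on either platform.
        m=$(stat -c '%Y' "$f" 2>/dev/null || stat -f '%m' "$f")
        printf '%s %s\n' "$m" "$f"
    done | sort -rn
}

# Archive the entire thumbnailcache directory that holds the newest
# index.sqlite under $1 into the tar file $2. Using -C keeps the archive
# path short (just the cache folder name) while still capturing
# index.sqlite and thumbnails.data together. Returns 1 if nothing was found.
collect_newest_quicklook_cache() {
    root="$1"
    out="$2"
    newest=$(list_quicklook_caches "$root" | head -n 1 | cut -d' ' -f2-)
    [ -n "$newest" ] || return 1
    cache_dir=$(dirname "$newest")
    tar -cf "$out" -C "$(dirname "$cache_dir")" "$(basename "$cache_dir")"
}

# Usage on a live Mac (as root):
#   collect_newest_quicklook_cache /private/var/folders ~/Desktop/quicklook_cache.tar
```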

Now you can extract data that can be examined using the tools and techniques as seen in our Quick Look Cache Parsing post as well as the video above!

Thanks to Brian Gerdon for his assistance with testing and command line-fu.

Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!
