This week I got some huge news! This blog was nominated for a 4:cast award for Blog of the Year! I'm incredibly honored for this nomination! It also spurred me to remember I had a bunch of posts I wanted to work on but the last few weeks have been packed with teaching and work. Today I'm going to talk about a methodology for how to track files that have been downloaded from the Safari browser on iOS or macOS.
Safari is an interesting beast when it comes to its storage. Apple lauds it as "Safe and Secure," and as the default browser on macOS and iOS it can cause examiners some headaches because of how long it chooses to keep its data. For more information on preferences for macOS and how this is controlled, see this post I did previously.
While the methods to track data in macOS and iOS are similar, there will be a slight difference depending on what you're working with and looking for. Let's start with macOS.
Using the "com.apple.LaunchServices.QuarantineEventsV2" database found within ~/Library/Preferences, you can track which files landed on the system and were scanned by Gatekeeper. Examiners should look for the package name containing "com.apple.Safari", because depending on HOW the file was downloaded, the application name may reference either "Safari" or others, including "com.apple.Safari.SandboxBroker.xpc". The record stores the original download URL as well as the displayed URL, plus the time the file was "Quarantined", which will be extremely close to the time the download finished.
File System Events
For a file that is downloaded within private browsing, Spotlight metadata may not show as much. However, we can still track the record showing that this file, "Important Document.zip", was downloaded from the Safari browser and has a GUID. That GUID can be matched against the Quarantine Events artifact to find its corresponding entry (if it is still there)!
- Check the Safari preferences to see where downloads go by default.
- Use File System Events, looking for ".download" records, to find data relating to files downloaded from Safari.
- Use Quarantine Events to confirm that files were downloaded using Safari.
- Use extended attribute metadata to look for com.apple.quarantine entries associated with Safari.
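To tie the last two steps together, here is an added example (not code from the original post) that parses a file's com.apple.quarantine extended attribute for its GUID and looks that GUID up among Safari-attributed rows of the QuarantineEventsV2 database. It assumes the standard LSQuarantineEvent column names, and it runs against a constructed in-memory copy of the table and a constructed xattr value so it works offline; point the query at the real database file to use it on an image.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
# LSQuarantineTimeStamp is Cocoa absolute time: seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
COLUMNS = ("LSQuarantineEventIdentifier", "LSQuarantineTimeStamp",
           "LSQuarantineAgentName", "LSQuarantineAgentBundleIdentifier",
           "LSQuarantineDataURLString", "LSQuarantineOriginURLString")

def parse_quarantine_xattr(value):
    """Split a com.apple.quarantine value 'flags;hextime;agent;uuid' into fields.
    Unlike the database column, this hex timestamp is Unix time."""
    flags, hextime, agent, uuid = value.split(";", 3)
    return {"flags": int(flags, 16), "agent": agent, "uuid": uuid,
            "time": datetime.fromtimestamp(int(hextime, 16), tz=timezone.utc)}

def safari_quarantine_events(con, uuid=None):
    """Events whose agent bundle id contains com.apple.Safari, so both 'Safari'
    and the SandboxBroker.xpc helper match; uuid narrows to one file's event."""
    sql = (f"SELECT {', '.join(COLUMNS)} FROM LSQuarantineEvent "
           "WHERE LSQuarantineAgentBundleIdentifier LIKE '%com.apple.Safari%'"
           + (" AND LSQuarantineEventIdentifier = ?" if uuid else "")
           + " ORDER BY LSQuarantineTimeStamp")
    params = (uuid,) if uuid else ()
    events = []
    for row in con.execute(sql, params):
        ev = dict(zip(COLUMNS, row))
        ev["quarantined_utc"] = COCOA_EPOCH + timedelta(seconds=row[1])
        events.append(ev)
    return events

def build_sample_db():
    """Constructed in-memory stand-in for QuarantineEventsV2 (three events)."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE LSQuarantineEvent ({', '.join(COLUMNS)})")
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?)", [
        ("11111111-AAAA-4BBB-8CCC-000000000001", 700000000.0, "Safari",
         "com.apple.Safari", "https://example.test/Important%20Document.zip",
         "https://example.test/downloads"),
        ("11111111-AAAA-4BBB-8CCC-000000000002", 700000100.0, "Safari",
         "com.apple.Safari.SandboxBroker.xpc", "https://example.test/b.dmg",
         "https://example.test/"),
        ("11111111-AAAA-4BBB-8CCC-000000000003", 700000200.0, "Google Chrome",
         "com.google.Chrome", "https://example.test/c.pkg", "https://example.test/")])
    return con

if __name__ == "__main__":  # constructed xattr value, as `xattr -p com.apple.quarantine` prints it
    tag = parse_quarantine_xattr("0083;65a2f700;Safari;11111111-AAAA-4BBB-8CCC-000000000001")
    for ev in safari_quarantine_events(build_sample_db(), tag["uuid"]):
        print(ev["quarantined_utc"], ev["LSQuarantineAgentBundleIdentifier"], ev["LSQuarantineDataURLString"])
```

The Chrome row is there to show the bundle-id filter excluding non-Safari agents while still catching the SandboxBroker.xpc variant.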
The same information is stored, but note the Saved to Path. This is the default storage location, which sends the data to the "iCloud Drive" area of iOS. Which, honestly, is interesting: it takes your download and then tries to send it back to Apple's own cloud storage.
File System Events:
- /private/var/mobile/Library/Mobile Documents/com~apple~CloudDocs/Downloads
- /private/var/mobile/Containers/Shared/AppGroup/B00E5705-4543-4123-9309-0F6D70BE27C6/File Provider Storage/Downloads