Applications can use the NSURL cache to store specific data that is useful to the operation of the application in a Cache.db file on disk. The data contained within this file could potentially be useful to investigators or incident responders, such as URLs that were accessed, as well as data requested or returned.
name: MacOS.Applications.Cache
description: |
Applications can use the NSURL cache to store specific data that is useful to the operation of the application in a `Cache.db` file on disk. The data contained within this file could potentially be useful to investigators or incident responders, such as URLs that were accessed, as well as data requested or returned.
reference:
- https://developer.apple.com/documentation/foundation/nsurl
type: CLIENT
author: Wes Lambert - @therealwlambert
parameters:
- name: CacheGlob
default: /Users/*/Library/Caches/*/Cache.db
precondition:
SELECT OS From info() where OS = 'darwin'
sources:
- query: |
LET CacheList = SELECT FullPath
FROM glob(globs=split(string=CacheGlob, sep=","))
LET CacheQuery = SELECT *
FROM sqlite(file=FullPath, query="SELECT cfurl_cache_response.entry_ID AS entry_ID, version, hash_value, storage_policy, request_key, time_stamp, partition, request_object, response_object FROM cfurl_cache_response INNER JOIN cfurl_cache_blob_data ON cfurl_cache_response.entry_ID = cfurl_cache_blob_data.entry_ID INNER JOIN cfurl_cache_receiver_data ON cfurl_cache_response.entry_ID = cfurl_cache_receiver_data.entry_ID")
SELECT * FROM foreach(
row=CacheList,
query={
SELECT
time_stamp AS Timestamp,
basename(path=dirname(path=FullPath)) AS Application,
entry_ID AS EntryID,
version AS Version,
hash_value AS Hash,
storage_policy AS StoragePolicy,
request_key AS URL,
plist(file=request_object, accessor="data") AS Request,
plist(file=response_object, accessor="data") AS Response,
partition AS Partition,
FullPath
FROM CacheQuery
}
)