WEBVTT

00:00:01.773 --> 00:00:05.013 align:middle line:84%
For Lab 5.3, you are
going to be provided

00:00:05.013 --> 00:00:09.513 align:middle line:84%
with four different directories,
two from Android, two from iOS

00:00:09.513 --> 00:00:11.553 align:middle line:90%
with mobile browser data.

00:00:11.553 --> 00:00:17.143 align:middle line:84%
You are going to manually
dig through these files.

00:00:17.143 --> 00:00:24.093 align:middle line:84%
When we look at Lab
5.3, you can see,

00:00:24.093 --> 00:00:27.843 align:middle line:84%
we have Chrome for
Android, Ghostery for iOS,

00:00:27.843 --> 00:00:30.873 align:middle line:84%
Firefox for Android,
and Puffin for iOS.

00:00:30.873 --> 00:00:33.663 align:middle line:84%
Puffin is the
bonus homework one.

00:00:33.663 --> 00:00:36.223 align:middle line:90%
It's optional to do.

00:00:36.223 --> 00:00:38.993 align:middle line:84%
I would load all of these
like you did the previous lab.

00:00:38.993 --> 00:00:42.013 align:middle line:84%
So what I did is I loaded
them into Physical Analyzer

00:00:42.013 --> 00:00:45.475 align:middle line:90%
as an SD card.

00:00:45.475 --> 00:00:46.933 align:middle line:84%
You can see that
nothing is parsed,

00:00:46.933 --> 00:00:48.475 align:middle line:84%
but I have access
to the directories.

00:00:48.475 --> 00:00:50.113 align:middle line:90%
I can keyword search.

00:00:50.113 --> 00:00:56.383 align:middle line:84%
I can also go straight to
Analyzed Data, and Databases,

00:00:56.383 --> 00:00:59.573 align:middle line:84%
and leverage the
full-screen view.

00:00:59.573 --> 00:01:00.801 align:middle line:90%
So I can do the row count.

00:01:00.801 --> 00:01:01.843 align:middle line:90%
I can do anything I want.

00:01:01.843 --> 00:01:03.260 align:middle line:84%
So I'm going to
sort my row count.

00:01:06.163 --> 00:01:07.693 align:middle line:90%
Go to the heaviest ones up top.

00:01:07.693 --> 00:01:09.193 align:middle line:84%
And I want to point
out to you, this

00:01:09.193 --> 00:01:11.053 align:middle line:90%
is one of those Realm databases.

00:01:11.053 --> 00:01:13.011 align:middle line:84%
And you can see, it's
associated with Ghostery.

00:01:13.011 --> 00:01:14.470 align:middle line:84%
So when you're
looking at Ghostery,

00:01:14.470 --> 00:01:16.093 align:middle line:84%
you will see some
of the other things

00:01:16.093 --> 00:01:18.283 align:middle line:84%
that we've discussed
so far in this course.

00:01:20.923 --> 00:01:23.373 align:middle line:84%
We are now going
to review Lab 5.3.

00:01:23.373 --> 00:01:25.023 align:middle line:84%
As always, if you're
not ready, simply

00:01:25.023 --> 00:01:26.973 align:middle line:84%
press Pause and
resume when you would

00:01:26.973 --> 00:01:28.773 align:middle line:90%
like to see the walkthrough.

00:01:28.773 --> 00:01:32.913 align:middle line:84%
The first question
is about Firefox.

00:01:32.913 --> 00:01:37.923 align:middle line:84%
So it's telling us to, within
Firefox, look for history.

00:01:37.923 --> 00:01:42.553 align:middle line:84%
So I'm going to, in
here, sort by Firefox.

00:01:45.673 --> 00:01:48.103 align:middle line:84%
So now, I have just
Mozilla Firefox.

00:01:48.103 --> 00:01:52.431 align:middle line:84%
And within this, you
can see cookies.sqlite

00:01:52.431 --> 00:01:53.473 align:middle line:90%
seems to be the heaviest.

00:01:53.473 --> 00:01:56.573 align:middle line:84%
But browser.db, I'm
going to start there.

00:01:56.573 --> 00:01:59.443 align:middle line:84%
So in browser.db, we
have a lot of files here.

00:01:59.443 --> 00:02:03.553 align:middle line:84%
I'm actually going to pop
this out to db viewer,

00:02:03.553 --> 00:02:06.003 align:middle line:84%
so it's a little
bit bigger for us.

00:02:06.003 --> 00:02:07.953 align:middle line:84%
And what we want to do
is start with history.

00:02:07.953 --> 00:02:12.173 align:middle line:84%
Now, right away, this
should look strange to you.

00:02:12.173 --> 00:02:18.323 align:middle line:84%
We have blank titles, blank
URL, visits zeroed out,

00:02:18.323 --> 00:02:20.558 align:middle line:84%
as we keep going
across, a datetime stamp

00:02:20.558 --> 00:02:22.053 align:middle line:90%
that's zeroed out.

00:02:22.053 --> 00:02:25.553 align:middle line:84%
So what I'm going to do is I'm
going to select milliseconds.

00:02:25.553 --> 00:02:27.473 align:middle line:84%
And do you see how
it says 1/1/1970?

00:02:27.473 --> 00:02:29.763 align:middle line:90%
That's not good.

00:02:29.763 --> 00:02:31.393 align:middle line:90%
We go across again.

00:02:31.393 --> 00:02:44.418 align:middle line:84%
We have date_local,
created, and then modified.

00:02:47.913 --> 00:02:49.558 align:middle line:84%
Now, because some
of these look weird,

00:02:49.558 --> 00:02:50.933 align:middle line:84%
I'm actually going
to clear them,

00:02:50.933 --> 00:02:55.303 align:middle line:84%
so it jumps out at you on what
is actually occurring here.

00:02:55.303 --> 00:02:57.243 align:middle line:90%
So I'm keeping it clear.

00:02:57.243 --> 00:02:58.513 align:middle line:90%
And then, we have a deleted.

00:02:58.513 --> 00:03:00.003 align:middle line:90%
So this is interesting.

00:03:00.003 --> 00:03:03.523 align:middle line:84%
Here, we can see, in Firefox,
when an item is deleted,

00:03:03.523 --> 00:03:06.723 align:middle line:84%
there is a column called
deleted, and it is marked 1.

00:03:06.723 --> 00:03:14.423 align:middle line:84%
We could also say that
on 4/18/2017 around 11:53

00:03:14.423 --> 00:03:17.043 align:middle line:84%
the user cleared
their history.

00:03:17.043 --> 00:03:18.513 align:middle line:90%
The title is zeroed out.

00:03:18.513 --> 00:03:20.253 align:middle line:90%
The visits are zeroed out.

00:03:22.823 --> 00:03:24.708 align:middle line:90%
And the URL is zeroed out.

00:03:24.708 --> 00:03:26.083 align:middle line:84%
Now, if you click
on the pickaxe,

00:03:26.083 --> 00:03:27.313 align:middle line:90%
can we get anything back?

00:03:27.313 --> 00:03:29.123 align:middle line:90%
And we do.

00:03:29.123 --> 00:03:31.853 align:middle line:84%
So here, we can see we
have the Brothers Take

00:03:31.853 --> 00:03:38.343 align:middle line:84%
New Orleans, HGTV, Bravo TV,
living room transformation.

00:03:38.343 --> 00:03:40.853 align:middle line:84%
So we do recover
deleted artifacts.

00:03:45.703 --> 00:03:47.203 align:middle line:84%
We have already
answered Question 2,

00:03:47.203 --> 00:03:48.911 align:middle line:84%
which is, based upon
that first one, what

00:03:48.911 --> 00:03:50.213 align:middle line:90%
are three things that change?

00:03:50.213 --> 00:03:51.598 align:middle line:90%
So we have covered that.

00:03:54.163 --> 00:04:00.483 align:middle line:84%
So now, we want to review
tabs and search history.

00:04:00.483 --> 00:04:03.923 align:middle line:90%
So let's go into search history.

00:04:03.923 --> 00:04:08.753 align:middle line:84%
And here, we can see Disney
princesses, Bravo, and HGTV.

00:04:08.753 --> 00:04:12.243 align:middle line:84%
We have a date, and
then we have the visits.

00:04:12.243 --> 00:04:18.293 align:middle line:84%
And under tabs, we have
Brothers Take New Orleans,

00:04:18.293 --> 00:04:21.203 align:middle line:90%
Bravo TV, Disney princesses.

00:04:21.203 --> 00:04:22.883 align:middle line:84%
So what this is
showing you here,

00:04:22.883 --> 00:04:24.623 align:middle line:84%
that even though the
history is cleared,

00:04:24.623 --> 00:04:26.831 align:middle line:84%
the tabs still contained
it, and search history still

00:04:26.831 --> 00:04:28.696 align:middle line:90%
contained it.

00:04:28.696 --> 00:04:30.613 align:middle line:84%
Now, let's look for
deletion in some of these.

00:04:30.613 --> 00:04:35.613 align:middle line:84%
So if I click on the pickaxe,
we don't get any there.

00:04:35.613 --> 00:04:37.233 align:middle line:90%
We don't get any there.

00:04:37.233 --> 00:04:40.353 align:middle line:84%
But you may be able to recover
more in different tools.

00:04:40.353 --> 00:04:42.453 align:middle line:84%
You may find that
they're just replicates

00:04:42.453 --> 00:04:48.853 align:middle line:84%
or duplicates of what already
exists in that database.

00:04:48.853 --> 00:04:51.523 align:middle line:84%
If you exported out
these databases,

00:04:51.523 --> 00:04:54.523 align:middle line:84%
you could manually go
through and convert

00:04:54.523 --> 00:04:55.963 align:middle line:90%
the datetime stamps.

00:04:55.963 --> 00:04:58.603 align:middle line:84%
You could also take this
from your course notebook,

00:04:58.603 --> 00:04:59.906 align:middle line:90%
and it will do it for you.

00:04:59.906 --> 00:05:02.323 align:middle line:84%
But honestly, the easiest way
to convert these timestamps,

00:05:02.323 --> 00:05:08.783 align:middle line:84%
again, is clicking on the
table and going with suggested.

00:05:08.783 --> 00:05:10.343 align:middle line:90%
Let's move on to Chrome.

00:05:10.343 --> 00:05:15.863 align:middle line:84%
And Chrome is a very
hefty application.

00:05:15.863 --> 00:05:17.233 align:middle line:90%
So I'm going to sort by Chrome.

00:05:25.313 --> 00:05:30.563 align:middle line:84%
And we want to know, can
you determine the account

00:05:30.563 --> 00:05:33.303 align:middle line:90%
that was syncing for this?

00:05:33.303 --> 00:05:37.403 align:middle line:84%
So what you may actually have to
do is go into the file system,

00:05:37.403 --> 00:05:40.683 align:middle line:84%
go into Chrome, and look
for any preference files.

00:05:40.683 --> 00:05:45.273 align:middle line:84%
So as we go through, let's
start with shared preferences.

00:05:45.273 --> 00:05:47.533 align:middle line:84%
That seems like a
great place to start.

00:05:47.533 --> 00:05:48.873 align:middle line:90%
We go in here.

00:05:48.873 --> 00:05:52.023 align:middle line:84%
Let's look at
Chrome preferences.

00:05:52.023 --> 00:05:54.873 align:middle line:84%
So in Chrome
preferences, we start

00:05:54.873 --> 00:05:56.748 align:middle line:84%
to see things that are
saying true and false.

00:06:01.323 --> 00:06:10.953 align:middle line:84%
We can see sync_account_name,
mraceventura1980.

00:06:10.953 --> 00:06:14.463 align:middle line:84%
And then you will start to see
all the syncing that's true.

00:06:14.463 --> 00:06:17.813 align:middle line:84%
So here, you can see
sync_acct_type is Google, what

00:06:17.813 --> 00:06:19.853 align:middle line:90%
is skipped, and what is set.

00:06:19.853 --> 00:06:22.703 align:middle line:84%
So we know
mraceventura1980@gmail.com

00:06:22.703 --> 00:06:26.563 align:middle line:90%
is our account of interest.

00:06:26.563 --> 00:06:30.583 align:middle line:84%
Now, this next one
is super important.

00:06:30.583 --> 00:06:35.133 align:middle line:84%
So browser data was
generated from a Galaxy S6

00:06:35.133 --> 00:06:36.463 align:middle line:90%
on this device.

00:06:36.463 --> 00:06:40.673 align:middle line:90%
Can you find other devices?

00:06:40.673 --> 00:06:42.643 align:middle line:84%
So let's go back
into these databases.

00:06:45.703 --> 00:06:47.893 align:middle line:84%
We have something
called SyncData.sqlite.

00:06:47.893 --> 00:06:50.173 align:middle line:84%
That sounds like a
fantastic one to check.

00:06:50.173 --> 00:06:52.393 align:middle line:84%
And in here, we have
this table called metas.

00:06:52.393 --> 00:06:54.500 align:middle line:84%
Now, I'm going to pop
this one out again,

00:06:54.500 --> 00:06:55.708 align:middle line:90%
just so I can make it larger.

00:06:58.223 --> 00:07:02.363 align:middle line:84%
And in metas, we have lots
of timestamps in here.

00:07:02.363 --> 00:07:10.713 align:middle line:84%
I'm going to scroll across
and start looking for things.

00:07:10.713 --> 00:07:12.273 align:middle line:90%
Now, this is interesting.

00:07:12.273 --> 00:07:16.323 align:middle line:84%
Here, we see
server_non_unique_name and

00:07:16.323 --> 00:07:17.463 align:middle line:90%
non_unique_name.

00:07:17.463 --> 00:07:21.873 align:middle line:84%
In both of these,
we see SM-G920F.

00:07:21.873 --> 00:07:25.083 align:middle line:84%
What you want to do is see if
you find any other devices,

00:07:25.083 --> 00:07:29.003 align:middle line:90%
such as LC-MacBook-Pro.

00:07:29.003 --> 00:07:31.478 align:middle line:84%
So the user has a Mac that
they're syncing data from.

00:07:31.478 --> 00:07:33.353 align:middle line:84%
And as you scroll down,
it looks like there's

00:07:33.353 --> 00:07:35.603 align:middle line:90%
a lot of syncing from the Mac.

00:07:35.603 --> 00:07:37.823 align:middle line:84%
The commercial tools
do a fantastic job

00:07:37.823 --> 00:07:39.293 align:middle line:90%
at parsing this for you.

00:07:39.293 --> 00:07:44.133 align:middle line:84%
You will see that it will say
from device in the results.

00:07:44.133 --> 00:07:46.096 align:middle line:84%
So it's not something
you typically have to do,

00:07:46.096 --> 00:07:48.263 align:middle line:84%
but it's important to note
that the database exists.

00:07:51.783 --> 00:07:57.403 align:middle line:84%
Were any downloads initiated
from the Chrome browser?

00:07:57.403 --> 00:08:00.633 align:middle line:84%
So what we want to look
at is, is there a location

00:08:00.633 --> 00:08:02.683 align:middle line:90%
where it's going to be stored?

00:08:02.683 --> 00:08:09.563 align:middle line:84%
So if we look at the files
here, is there a place

00:08:09.563 --> 00:08:12.693 align:middle line:90%
where any downloads exist?

00:08:16.883 --> 00:08:19.213 align:middle line:84%
So at Chrome, I want to
go into Default user.

00:08:21.993 --> 00:08:23.283 align:middle line:90%
And we have download service.

00:08:23.283 --> 00:08:25.583 align:middle line:90%
Let's check this out.

00:08:25.583 --> 00:08:31.831 align:middle line:84%
Under Download Service, it
doesn't look too exciting.

00:08:31.831 --> 00:08:34.373 align:middle line:84%
And then this is where this gets
like a little bit confusing.

00:08:34.373 --> 00:08:35.873 align:middle line:84%
So in here, we have
something called

00:08:35.873 --> 00:08:38.713 align:middle line:90%
Offline Pages and archives.

00:08:38.713 --> 00:08:42.223 align:middle line:84%
And in here, it looks
like we have two things.

00:08:42.223 --> 00:08:43.753 align:middle line:84%
Here, we can see
saved from Blink.

00:08:43.753 --> 00:08:46.123 align:middle line:84%
It's a snapshot content
of YouTube, Taylor Swift,

00:08:46.123 --> 00:08:46.843 align:middle line:90%
"Delicate."

00:08:50.833 --> 00:08:55.303 align:middle line:84%
Here, we can see Today Show, how
supermodel Karlie Kloss helps

00:08:55.303 --> 00:08:58.153 align:middle line:84%
young girls interested
in computing.

00:08:58.153 --> 00:08:59.263 align:middle line:90%
And then we keep going.

00:08:59.263 --> 00:09:01.933 align:middle line:90%
We have Sessions.

00:09:01.933 --> 00:09:02.833 align:middle line:90%
We have Sync Data.

00:09:12.663 --> 00:09:22.933 align:middle line:84%
We have-- let me
zoom in a little bit.

00:09:22.933 --> 00:09:25.263 align:middle line:90%
Let's look at Session Storage.

00:09:25.263 --> 00:09:27.491 align:middle line:90%
That just looks like log files.

00:09:27.491 --> 00:09:29.783 align:middle line:84%
But I think you get the
concept of what you have to do.

00:09:29.783 --> 00:09:31.866 align:middle line:84%
And that's why this one
is extremely overwhelming,

00:09:31.866 --> 00:09:35.153 align:middle line:84%
because there's a lot
of information in it.

00:09:35.153 --> 00:09:36.953 align:middle line:90%
We want to find offline pages.

00:09:36.953 --> 00:09:42.363 align:middle line:84%
We want to see any type
of download activity.

00:09:42.363 --> 00:09:44.523 align:middle line:84%
Now, is there a
database that's going

00:09:44.523 --> 00:09:47.423 align:middle line:84%
to be tracking downloads
or offline pages?

00:09:47.423 --> 00:09:49.423 align:middle line:84%
Yeah, we definitely should
be able to find this.

00:09:49.423 --> 00:09:56.343 align:middle line:84%
So if we go into our
databases again for Chrome,

00:09:56.343 --> 00:09:58.371 align:middle line:84%
and we start looking
at some of these,

00:09:58.371 --> 00:09:59.913 align:middle line:84%
you can see this
top one right here--

00:09:59.913 --> 00:10:01.713 align:middle line:90%
Downloads, that I just picked.

00:10:01.713 --> 00:10:03.933 align:middle line:84%
We can see that a
PDF was downloaded.

00:10:06.116 --> 00:10:07.533 align:middle line:84%
You want to look
for anything that

00:10:07.533 --> 00:10:09.753 align:middle line:90%
says offline pages, downloads.

00:10:09.753 --> 00:10:12.033 align:middle line:84%
Anything like that
that is of interest

00:10:12.033 --> 00:10:13.443 align:middle line:90%
will be helpful for you.

00:10:18.643 --> 00:10:21.783 align:middle line:84%
For tabs, how many
tabs were open?

00:10:21.783 --> 00:10:23.088 align:middle line:90%
We are going to go into Chrome.

00:10:26.973 --> 00:10:32.803 align:middle line:84%
I'm going to minimize
Default. And we

00:10:32.803 --> 00:10:38.673 align:middle line:84%
are going to find app_tabs,
its own directory.

00:10:38.673 --> 00:10:41.423 align:middle line:84%
And here, you can see these
ones called cryptonito.

00:10:41.423 --> 00:10:43.793 align:middle line:84%
Cryptonito, these are
going to be encrypted.

00:10:43.793 --> 00:10:45.581 align:middle line:90%
This is in private browsing.

00:10:45.581 --> 00:10:47.373 align:middle line:84%
But for the other ones,
as you click on it,

00:10:47.373 --> 00:10:51.293 align:middle line:84%
you can see that it was a
Chrome new tab, amazon.com,

00:10:51.293 --> 00:10:53.653 align:middle line:90%
online shopping.

00:10:53.653 --> 00:10:59.113 align:middle line:84%
And it tells you from amazon.com
what the user searched for.

00:10:59.113 --> 00:11:01.001 align:middle line:84%
All of these will
have that for you.

00:11:01.001 --> 00:11:03.418 align:middle line:84%
But any time you see cryptonito,
it's in private browsing.

00:11:06.033 --> 00:11:08.783 align:middle line:90%
Ghostery is up next.

00:11:08.783 --> 00:11:15.745 align:middle line:84%
So I'm going to close all
my tabs except Databases.

00:11:15.745 --> 00:11:17.078 align:middle line:90%
I'm going to change to Ghostery.

00:11:24.773 --> 00:11:28.573 align:middle line:84%
And we have just
a few databases.

00:11:28.573 --> 00:11:34.903 align:middle line:84%
So the first question is
about private browsing

00:11:34.903 --> 00:11:37.183 align:middle line:90%
or in Ghost mode.

00:11:37.183 --> 00:11:40.561 align:middle line:84%
So can you find file names
and paths to the files?

00:11:40.561 --> 00:11:42.103 align:middle line:84%
And how many records
are there total?

00:11:42.103 --> 00:11:46.633 align:middle line:84%
So let's start with browser.db
and see what we have here.

00:11:46.633 --> 00:11:53.763 align:middle line:84%
So in browser.db, we have
13 items for history,

00:11:53.763 --> 00:11:55.123 align:middle line:90%
and they're listed here.

00:11:55.123 --> 00:11:59.333 align:middle line:84%
And we can see some DuckDuckGo
within here as well.

00:11:59.333 --> 00:12:01.513 align:middle line:84%
Now, we want to see if the
user downloaded anything.

00:12:01.513 --> 00:12:03.373 align:middle line:84%
So let's see where
downloads are stored.

00:12:03.373 --> 00:12:06.165 align:middle line:84%
What I would typically do
is start with the database

00:12:06.165 --> 00:12:07.873 align:middle line:84%
and see if you find
anything of interest.

00:12:11.025 --> 00:12:12.733 align:middle line:84%
We do see tabs in
here, so we may as well

00:12:12.733 --> 00:12:13.843 align:middle line:90%
discuss that right now.

00:12:13.843 --> 00:12:16.713 align:middle line:90%
There, we have tabs.

00:12:16.713 --> 00:12:18.453 align:middle line:90%
Let's look at ghostery.sqlite.

00:12:27.243 --> 00:12:29.403 align:middle line:84%
We have the default
realm, which doesn't

00:12:29.403 --> 00:12:31.503 align:middle line:84%
seem to be very
interesting, something

00:12:31.503 --> 00:12:35.733 align:middle line:90%
called ReadingList, and index3.

00:12:35.733 --> 00:12:39.033 align:middle line:84%
So where are we going to
find potential downloads?

00:12:39.033 --> 00:12:41.972 align:middle line:90%
Let's go to the file.

00:12:41.972 --> 00:12:43.308 align:middle line:90%
So I'm going to minimize Chrome.

00:12:50.896 --> 00:12:52.063 align:middle line:90%
And here, we have Downloads.

00:12:52.063 --> 00:12:56.938 align:middle line:84%
Two files-- AccessData FTK
Imager and Android-Usagestats.

00:13:00.292 --> 00:13:02.632 align:middle line:84%
Each application is going
to be different on how

00:13:02.632 --> 00:13:05.722 align:middle line:84%
it's storing its downloads,
bookmarks, private browsing,

00:13:05.722 --> 00:13:07.413 align:middle line:90%
and all the things.

00:13:07.413 --> 00:13:11.113 align:middle line:84%
So the next one is
review the bookmarks.

00:13:11.113 --> 00:13:13.003 align:middle line:84%
When we review the
bookmarks, are there

00:13:13.003 --> 00:13:19.813 align:middle line:84%
any sites that are just
lacking from browser history?

00:13:19.813 --> 00:13:23.472 align:middle line:84%
And what you would have to
do is compare back and forth

00:13:23.472 --> 00:13:26.923 align:middle line:84%
and say, OK, does this have
anything that is missing?

00:13:26.923 --> 00:13:28.583 align:middle line:84%
Because if it does,
chances are good

00:13:28.583 --> 00:13:29.916 align:middle line:90%
it was done in private browsing.

00:13:32.243 --> 00:13:38.962 align:middle line:84%
So as we look through,
I'm looking for bookmarks.

00:13:38.962 --> 00:13:41.753 align:middle line:84%
And I can see Available
Horses Thoroughbred Placement

00:13:41.753 --> 00:13:45.382 align:middle line:84%
Resources, The Mid-Atlantic
Great Dane Rescue.

00:13:45.382 --> 00:13:49.632 align:middle line:84%
Now, what we want to do
is compare that to history

00:13:49.632 --> 00:13:50.953 align:middle line:90%
and see if we see it.

00:13:50.953 --> 00:13:59.183 align:middle line:84%
So I'm going to pop this
out, switch to history,

00:13:59.183 --> 00:14:01.462 align:middle line:90%
and you don't see them.

00:14:01.462 --> 00:14:04.813 align:middle line:84%
So the user was most
likely in private browsing

00:14:04.813 --> 00:14:08.892 align:middle line:84%
or in Ghost mode, whatever
you want to call it,

00:14:08.892 --> 00:14:10.138 align:middle line:90%
and they bookmarked items.

00:14:17.722 --> 00:14:21.003 align:middle line:84%
And then the final question is
essentially where we just were.

00:14:21.003 --> 00:14:25.646 align:middle line:84%
So if we go back to bookmarks,
these two items right here,

00:14:25.646 --> 00:14:27.063 align:middle line:84%
no matter where
you search, you're

00:14:27.063 --> 00:14:29.292 align:middle line:84%
not going to find
anything else for them.

00:14:29.292 --> 00:14:32.703 align:middle line:84%
These were done in private,
incognito, in Ghost mode.

00:14:32.703 --> 00:14:34.483 align:middle line:90%
But they still exist here.

00:14:34.483 --> 00:14:38.193 align:middle line:84%
So if you cannot associate
a bookmark to history,

00:14:38.193 --> 00:14:40.802 align:middle line:84%
chances are good it did
not happen on that device,

00:14:40.802 --> 00:14:44.523 align:middle line:84%
or it was done in
private browsing.

00:14:44.523 --> 00:14:46.802 align:middle line:84%
OK, I'm going to cover
the bonus one with you

00:14:46.802 --> 00:14:49.173 align:middle line:84%
because it's important,
and you may see it again.

00:14:49.173 --> 00:14:51.333 align:middle line:90%
So Puffin is interesting.

00:14:51.333 --> 00:14:54.243 align:middle line:84%
If we go out to Puffin, and I
think it's super easy to work.

00:14:54.243 --> 00:14:57.103 align:middle line:84%
I'm going to just walk you
through this directory.

00:14:57.103 --> 00:15:01.673 align:middle line:84%
So under Documents, we have
DownloadRecords.sqlite.

00:15:01.673 --> 00:15:03.892 align:middle line:84%
So if you look at
DownloadRecords.sqlite,

00:15:03.892 --> 00:15:07.552 align:middle line:84%
it is going to tell you
exactly what was downloaded.

00:15:07.552 --> 00:15:09.753 align:middle line:84%
The downloads hit a
Downloads directory.

00:15:09.753 --> 00:15:13.113 align:middle line:84%
So we can see FTK
Imager and exiftool.

00:15:13.113 --> 00:15:16.273 align:middle line:84%
History is going to be
stored in these log files.

00:15:16.273 --> 00:15:19.142 align:middle line:84%
So if we open one, this is
what it's going to look like.

00:15:19.142 --> 00:15:22.233 align:middle line:90%
The file name is the date.

00:15:22.233 --> 00:15:24.722 align:middle line:84%
And then we have timestamps,
and we have the search,

00:15:24.722 --> 00:15:26.403 align:middle line:90%
including the search engine--

00:15:26.403 --> 00:15:28.693 align:middle line:90%
pretty simple.

00:15:28.693 --> 00:15:30.802 align:middle line:90%
Let's look for bookmarks.

00:15:30.802 --> 00:15:33.273 align:middle line:90%
So we keep going down.

00:15:33.273 --> 00:15:35.273 align:middle line:84%
We can see that
DownloadRecords.sqlite.

00:15:35.273 --> 00:15:36.953 align:middle line:90%
The bookmarks are in a plist.

00:15:36.953 --> 00:15:43.042 align:middle line:84%
So this application uses
plists, sqlite, log files,

00:15:43.042 --> 00:15:44.993 align:middle line:90%
all of the things.

00:15:44.993 --> 00:15:50.353 align:middle line:84%
So here, you can
see the bookmarks--

00:15:50.353 --> 00:15:53.053 align:middle line:90%
pretty easy.

00:15:53.053 --> 00:15:59.353 align:middle line:84%
All right, that is
the end of Lab 5.3.
