Your encrypted photos revealed in macOS cache

Quicklook is a handy macOS mechanism that lets you check a file's contents without opening it in a dedicated application. When you press the space bar on, for instance, an .xlsx file, you get a preview like the one below without having MS Excel installed.

Wojciech Reguła 2018.06.19   –   4 min read

While reading *OS Internals Volume I (which I highly recommend, by the way) I stopped at the Quicklook chapter. I found out that Quicklook registers the com.apple.quicklook.ThumbnailsAgent XPC service, which is responsible for building the thumbnail database and storing it in the /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory.
This means that every photo you have previewed with the space bar (or that Quicklook cached on its own) is kept in that directory as a thumbnail together with its original path. The entries stay there even after you delete the files, and even if the files were previewed from an encrypted disk or a TrueCrypt/VeraCrypt container, because the cache itself lives on the system volume, outside the container.

Let's create a VeraCrypt container, mount it and save Luke Skywalker's photo inside it (in my case /Volumes/Container/luke-skywalker.png). Then press space on the file so that Quicklook caches it.

Now do the same thing, but place Darth Vader on a macOS-encrypted HFS+/APFS drive (in my case /Volumes/EncryptedHDD/test/darth-vader.jpeg).

Both images should now be cached. The following commands locate the relevant files. Note that $TMPDIR points at the per-user T/ directory under /var/folders, and the cache sits in the sibling C/ directory:

sM4CBt00Ks:~ r3$ find $TMPDIR../C/com.apple.QuickLook.thumbnailcache/ -type f -name "index.sqlite"
/var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite
sM4CBt00Ks:~ r3$ find $TMPDIR../C/com.apple.QuickLook.thumbnailcache/ -type f -name "thumbnails.data"
/var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/thumbnails.data

Now copy both files somewhere else so you can work on a copy rather than on the live cache.

sM4CBt00Ks:~ r3$ mkdir ~/Desktop/ql_post/ 
sM4CBt00Ks:~ r3$ cp /var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite ~/Desktop/ql_post/ 
sM4CBt00Ks:~ r3$ cp /var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/thumbnails.data ~/Desktop/ql_post/

Open index.sqlite (any SQLite browser will do) and inspect its contents.

The database gives us the full paths and file names of everything that was previewed. Now let's exfiltrate the thumbnails.data file to recover the thumbnails themselves. 😈 I used a Python script (https://github.com/mdegrazia/OSX-QuickLook-Parser) with a few small modifications of mine to make it run on macOS.

sM4CBt00Ks:OSX-QuickLook-Parser r3$ python2 quicklook_parser_v_3_5.py -d /Users/r3/Downloads/OSX-QuickLook-Parser/ -o /Users/r3/Downloads/OSX-QuickLook-Parser/output
Processing Complete
Records in table: 41
Thumbnails available: 41
Thumbnails extracted: 41
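The same two steps (read the index, carve the bitmaps out of thumbnails.data) in a small self-contained reader, added here as an example; it is neither the author's modified script nor the OSX-QuickLook-Parser code. It assumes the column names that parser queries (files.folder, files.file_name, thumbnails.file_id, bitmapdata_location, bitmapdata_length, width, height, bytesperrow) and that each bitmap is stored as 32-bit BGRA rows of bytesperrow bytes; both are assumptions to confirm against a real cache. The two-entry cache it builds in build_sample_cache is constructed so the code runs offline, and the PNGs are written by hand so no imaging library is needed.

```python
"""Offline reader for the Quicklook thumbnail cache (index.sqlite + thumbnails.data).
Added example. ASSUMED: the column names used by OSX-QuickLook-Parser and a
32-bit BGRA pixel layout with rows of `bytesperrow` bytes. Verify on a real cache."""
from __future__ import annotations

import os
import sqlite3
import struct
import tempfile
import zlib
from dataclasses import dataclass
from pathlib import Path

CACHE_DIRNAME = "com.apple.QuickLook.thumbnailcache"


def cache_dir() -> Path:
    """$TMPDIR is the per-user .../T/ directory; the cache lives in its sibling C/."""
    tmpdir = os.environ.get("TMPDIR")
    if not tmpdir:
        raise RuntimeError("TMPDIR is not set; run this inside the user's own session")
    return (Path(tmpdir) / ".." / "C" / CACHE_DIRNAME).resolve()


@dataclass
class CachedThumb:
    path: str           # folder + file_name as recorded by Quicklook
    location: int       # byte offset of the bitmap inside thumbnails.data
    length: int
    width: int
    height: int
    bytes_per_row: int


QUERY = """
SELECT f.folder, f.file_name, t.bitmapdata_location, t.bitmapdata_length,
       t.width, t.height, t.bytesperrow
FROM thumbnails t JOIN files f ON t.file_id = f.rowid
ORDER BY f.folder, f.file_name, t.width
"""


def list_cached(index_sqlite: Path) -> list[CachedThumb]:
    """Every cached entry with its original path: the metadata leak on its own."""
    con = sqlite3.connect(f"file:{index_sqlite}?mode=ro", uri=True)  # never write to a cache
    try:
        rows = con.execute(QUERY).fetchall()
    finally:
        con.close()
    return [CachedThumb(os.path.join(folder, name), *rest) for folder, name, *rest in rows]


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def bgra_to_png(raw: bytes, width: int, height: int, bytes_per_row: int) -> bytes:
    """Re-encode a raw BGRA bitmap (possibly with padded rows) as an 8-bit RGBA PNG."""
    rows = bytearray()
    for y in range(height):
        row = raw[y * bytes_per_row : y * bytes_per_row + width * 4]
        if len(row) != width * 4:
            raise ValueError("bitmap is shorter than the index claims")
        rows.append(0)  # PNG filter type 0 (None) for this row
        for x in range(0, len(row), 4):
            b, g, r, a = row[x : x + 4]
            rows += bytes((r, g, b, a))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(rows))) + _chunk(b"IEND", b""))


def png_size(png: bytes) -> tuple[int, int]:
    """Width and height from the IHDR chunk, used to sanity-check the output."""
    return struct.unpack(">II", png[16:24])


def extract(index_sqlite: Path, thumbnails_data: Path, out_dir: Path) -> list[Path]:
    """Write one PNG per cached thumbnail, named after the original file and its size."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    with open(thumbnails_data, "rb") as data:
        for i, t in enumerate(list_cached(index_sqlite)):
            data.seek(t.location)
            png = bgra_to_png(data.read(t.length), t.width, t.height, t.bytes_per_row)
            out = out_dir / f"{i:04d}_{Path(t.path).name}_{t.width}x{t.height}.png"
            out.write_bytes(png)
            written.append(out)
    return written


def build_sample_cache(base: Path) -> tuple[Path, Path]:
    """CONSTRUCTED two-entry cache in the assumed schema so the example runs offline."""
    index, data = base / "index.sqlite", base / "thumbnails.data"
    red, blue = bytes((0, 0, 255, 255)), bytes((255, 0, 0, 255))  # BGRA pixels
    luke = (red + blue) * 2                 # 2x2, bytesperrow 8
    vader = (blue + red + b"\0" * 4) * 2    # 2x2, bytesperrow 12 (padded rows)
    data.write_bytes(luke + vader)
    con = sqlite3.connect(index)
    con.executescript("""
        CREATE TABLE files (id INTEGER PRIMARY KEY, folder TEXT, file_name TEXT);
        CREATE TABLE thumbnails (file_id INTEGER, bitmapdata_location INTEGER,
            bitmapdata_length INTEGER, width INTEGER, height INTEGER, bytesperrow INTEGER);""")
    con.executemany("INSERT INTO files VALUES (?,?,?)", [
        (1, "/Volumes/Container/", "luke-skywalker.png"),
        (2, "/Volumes/EncryptedHDD/test/", "darth-vader.jpeg")])
    con.executemany("INSERT INTO thumbnails VALUES (?,?,?,?,?,?)", [
        (1, 0, len(luke), 2, 2, 8), (2, len(luke), len(vader), 2, 2, 12)])
    con.commit()
    con.close()
    return index, data


def demo() -> tuple[list[CachedThumb], list[bytes]]:
    """List and extract the constructed cache; returns the entries and the PNG bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        index, data = build_sample_cache(Path(tmp))
        outs = extract(index, data, Path(tmp) / "out")
        return list_cached(index), [p.read_bytes() for p in outs]


if __name__ == "__main__":  # against the live cache; macOS only
    for t in list_cached(cache_dir() / "index.sqlite"):
        print(f"{t.width}x{t.height}  {t.path}")
```

Run it on a copy of the two files rather than the live cache; list_cached opens the database read-only for that reason. The padded-row case in the sample (bytesperrow larger than width*4) is the one a naive width*height*4 reader gets wrong, which is why bgra_to_png slices each row by bytesperrow instead of assuming the bitmap is tightly packed.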

The output directory contains a few thumbnail sizes for each preview.

Below you can see the recovered thumbnails (the largest size Quicklook cached).

Enough to determine the encrypted picture contents, isn’t it?

The original Darth Vader photo is 1920×1080; the cached thumbnail is 336×182.

This technique is well known and helps a lot in forensics, but I honestly did not know about it before. It was a big surprise to see that even files stored in encrypted containers get cached this way. Keep it in mind when you press space to preview photos, and remember that the cache sits on the system volume, so it is only as protected as that volume is. 😉

#Update

This blog post was continued in cooperation with Patrick Wardle on Objective-See.com
https://objective-see.com/blog/blog_0x30.html

#Update 2

The story was also featured in:


Originally published at wojciechregula.blog.

Wojciech Reguła, Senior IT Security Consultant