"Reset Safari" doesn't really clean all the cookies
of Safari web browser
Caches - This folder has the potential to be a gold mine of historical
data for the examiner. The contents include information of application
usage, web sites visited, buddy lists, downloaded files, etc. The best
general advice that can be given regarding this directory is explore. Look
in the folders here and see how the information may apply to your specific
case. Keep in mind that many folders here will remain even after an
application has been removed from the system
--Ryan R. Kubasiak, Investgator - New York State Police: Macintosh Forensics
// http://www.appleexaminer.com/Downloads/MacForensics.pdf
Apple Safari web browser version 5 and higher started to have a new "privacy
option" in a main menu, "Reset Safari". It's supposed to clean all the
private data saved by the browser. Instead of that it's giving the user a
false sense of privacy, because many other files survive on the computer's
hard drive.
Let's see, how precise is Safari when cleaning cookies
Reset Safari... --> Remove all cookies.
Done.
But something resides in ~/Library/Safari/LocalStorage still:
cd ~/Library/Safari/LocalStorage
ls
http_www.youtube.com_0.localstorage
https_www.facebook.com_0.localstorage
...
[and hunderds of others]
whats inside?
sqlite3 http_www.youtube.com_0.localstorage .dump
BEGIN TRANSACTION;
CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT
NULL ON CONFLICT FAIL);
INSERT INTO "ItemTable"
VALUES('yt-remote-device-id','{"data":"ef1e670e-d0ff-4ac2-a4ec-ea7b1f91b6f4","expiration":1396358291019,"creation":1364822291019}');
INSERT INTO "ItemTable"
VALUES('cu-done','{"data":"true","expiration":1384738700399,"creation":1382060300400}');
INSERT INTO "ItemTable"
VALUES('aid::oa39bdt6ZKAF5L3hdJEbOw','{"data":{"channel":"oa39bdt6ZKAF5L3hdJEbOw","aid":"P-kM2wl4AcM","origin":"AD_VIEW"},"expiration":1383696461512,"creation":1383091661512}');
INSERT INTO "ItemTable"
VALUES('aid::6E_87l8TH6Q9OwX2N1ikZA','{"data":{"channel":"6E_87l8TH6Q9OwX2N1ikZA","aid":"P6Q1Jmt-VRA","origin":"AD_VIEW"},"expiration":1383698806856,"creation":1383094006856}');
INSERT INTO "ItemTable"
VALUES('aid::bounded-collectable-storage','{"data":["fehakku7t4FXozPO-UPNwQ","P7o4B-EdYBRetrs-74SvkQ","SVYixA33WdNBOX_Huv89cQ","oa39bdt6ZKAF5L3hdJEbOw","6E_87l8TH6Q9OwX2N1ikZA","MAKFkooFBHOZnbF5zim-vA"],"creation":1383097633307}');
INSERT INTO "ItemTable"
VALUES('history_channel_::MAKFkooFBHOZnbF5zim-vA','{"data":"20131030:a","expiration":1383702433304,"creation":1383097633304}');
INSERT INTO "ItemTable"
VALUES('aid::MAKFkooFBHOZnbF5zim-vA','{"data":{"channel":"MAKFkooFBHOZnbF5zim-vA","aid":"P9jo8l6hThA","origin":"AD_VIEW"},"expiration":1383702433307,"creation":1383097633307}');
INSERT INTO "ItemTable"
VALUES('history_channel_::bounded-collectable-storage','{"data":["SVYixA33WdNBOX_Huv89cQ","Ro_cfj3eVyJFMfzLAcVUOQ","MAKFkooFBHOZnbF5zim-vA"],"creation":1383097633305}');
INSERT INTO "ItemTable"
VALUES('context-PSAOXkf0-oU','{"data":"{\"clickindex\":0,\"items\":[{\"type\":\"video\",\"id\":\"PSAOXkf0-oU\",\"time\":\"1:39\",\"title\":\"\\\"The
Hobbit\\\" Couch Gag from \\\"4 Regrettings and A Funeral\\\" | THE SIMPSONS
| ANIMATION on FOX\",\"user\":\"Animation Domination\",\"views\":\"5,283,212
views\"},{\"type\":\"video\",\"id\":\"nIsCs9_-LP8\",\"time\":\"2:13\",\"title\":\"Emotional
baby! Too cute!\",\"user\":\"Alain Leroux\",\"views\":\"20,588,479
views\"},{\"type\":\"video\",\"id\":\"Ts-DW4_aSYI\",\"time\":\"1:53\",\"title\":\"Browse
the web with elinks\",\"user\":\"JWAGVideo\",\"views\":\"2,277
etc....
Another place where unknown content resides is Adobe Flash's LSO cookie
cache, located at:
~/Library/Caches/Adobe/Flash Player/
// that's not problem just with safari browser
// https://en.wikipedia.org/wiki/Local_shared_object
The most interesting is this file:
~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist
Suspicious is especially the fact, the file is hidden (starting with a dot)
and saved in 'History folder', bypassing probably "Clean Cookies.." function.
Some users have met this under unknown conditions.
The puropose of this file is still not well known.
// http://hintsforums.macworld.com/showthread.php?t=144954
If you get it, analyze!
solution:
setup shell script (example):
#/bin/sh
echo "cleaning out safari's shit...";
# initial curiousity.
#
if ls "~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist"; then
echo "HOOOOORRAAAY! You won a jackpot!"
read -p "Press [Enter] key to delete all, [CTRL+C] to examine..."
fi
# using tool srm from
ports instead of rm, to wipe the files in more safe way
# if you don't have srm, use rm, but be aware that the files could be
# recovered
# flash is keeping it's own LSO cookies, independently
srm -rsv "~/Library/Caches/Adobe/Flash Player/"
# cache contains Webpage previews, for example screenshots of your webmail
# account you just logged out from
srm -rsv "~/Library/Caches/com.apple.Safari/"
# clean them all, god will sort them out
# maybe you will need a more gentle setting, i'm just rough and don't need
# Safari's bookmarks
srm -rsv "~/Library/Safari/"
# depending on the version, you also have to wipe out this folder
# for sure
# explore by yourself and check for opened (using 'lsof' tool)
http://hintsforums.macworld.com/showthread.php?t=144954and changed files
srm -rsv "~/Library/Caches/Metadata/Safari/"
# official place where cookies are stored in
srm -rsv "~/Library/Cookies/"
# quicktime is during the Internet usage also storing some "caches"
srm -rsv "~/Library/Caches/QuickTime/downloads/"
# to get another false security feeling
echo "...clean!";
# don't cope with 'recent searches' which are stored in
# "Library/Preferences/com.apple.Safari.plist"
# go through cache files of your favourite application as well.
# skype is also storing quite a lot
you can run this script on regular basis by cron or by hand after finishing
the work and leaving the computer for example, or on logout etc.... Safer
with Safari Application quit.
It's like cleaning the hands. You wash them after touching something rotten.
And you clean them before touching something clean.
// https://en.wikipedia.org/wiki/Evercookie
EOF
Comments requested
~~~~~~~~~
Binary Sxizophreny - index of comp related stuff
Kangaroo's Homepage (czech)