Thursday, January 4, 2018

Safari Plugin Forensics - com.apple.Safari.plist

I'm posting this later than promised but this is a slightly revised version of what I submitted for Guidance Software's forensic bug bounty on BugCrowd.

In OS X 10.9, Apple started tracking which sites were configured to play Flash video in the file /Users/[user]/Libary/Safari/PlugInOrigins.plist. I originally discovered this while working on a case where a user had been browsing adult websites at work. The user's browser history (if I'm remembering this correctly) did not have any entries showing his visits to these sites but there was an entry in PlugInOrigins.plist showing that he had enabled Flash for one of them.  I eventually found a lot of other material to support the accusation and the user admitted what he had been up to.
As of OS X 10.10, the PluginOrigins.plist file is no longer used. The setting is now saved in /Users/[user]/Library/Preferences/com.apple.Safari.plist. 
The file is stored in binary xml format and can be converted with the cmd "plutil -convert xml1 com.apple.Safari.plist". A sample portion of this file is below. There is an entry for each configured site showing whether Flash should play, not play, or ask the user. It also tracks the last visited date and time. This artifact can be used to show whether a computer/account was used to visit a particular site. For example, the artifact in the file below would demonstrate that the computer was used to visit the HBO Now service on August 1st at 5:57 AM GMT.
 <key>com.macromedia.Flash Player.plugin</key>
    <dict>
        <key>PlugInDisallowPromptBeforeUseDialog</key>
        <true/>
        <key>PlugInFirstVisitPolicy</key>
        <string>PlugInPolicyBlock</string>
        <key>PlugInHostnamePolicies</key>
        <array>
            <dict>
                <key>PlugInHostname</key>
                <string>play.hbonow.com</string>
                <key>PlugInLastVisitedDate</key>
                <date>2017-08-01T05:57:45Z</date>
                <key>PlugInPageURL</key>
                <string>https://play.hbonow.com/</string>
                <key>PlugInPolicy</key>
                <string>PlugInPolicyAllowWithSecurityRestrictions</string>
                <key>PlugInRunUnsandboxed</key>
                <false/>
            </dict>
This file also contains artifacts for other plugins such as SilverLight, e.g.:
<key>com.microsoft.SilverlightPlugin</key>
   <dict>
        <key>PlugInDisallowPromptBeforeUseDialog</key>
        <true/>
        <key>PlugInFirstVisitPolicy</key>
        <string>PlugInPolicyBlock</string>
        <key>PlugInHostnamePolicies</key>
        <array>
            <dict>
                <key>PlugInHostname</key>
                <string>amazon.com</string>
                <key>PlugInLastVisitedDate</key>
                <date>2017-07-17T03:20:55Z</date>
                <key>PlugInPageURL</key>
                <string>https://www.amazon.com/Dawn-Planet-Apes-Andy-Serkis/</string>
                <key>PlugInPolicy</key>
                <string>PlugInPolicyAllowWithSecurityRestrictions</string>
                <key>PlugInRunUnsandboxed</key>
                <false/>
            </dict>
        </array>
Notice in this example that it shows the specific URL that was visited.


No comments:

Post a Comment