Quicklook is a super cool mechanism allowing you to quickly check a file's contents without opening it in a specialized application. When you press the space bar on, for instance, an *.xlsx file, you see the following preview without having MS Excel installed.

[Image: QLpreview]

While reading *OS Internals Volume I (which I highly recommend, btw) I stopped at the Quicklook chapter. I found out that Quicklook registers the com.apple.quicklook.ThumbnailsAgent XPC service, which is responsible for creating the thumbnails database and storing it in the /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory. It means that all photos you have previewed using space (or that Quicklook cached on its own) are stored in that directory as a miniature together with the file's path. They stay there even if you delete the files, and even if you previewed them on an encrypted HDD or in a TrueCrypt/VeraCrypt container.

# Proof of Concept

Let's create a VeraCrypt container, mount it and save Luke Skywalker's photo in it (in my case /Volumes/Container/luke-skywalker.png). Also, press space on it to make QuickLook cache it.

[Image: luke1]

Now we do the same thing, but placing Darth Vader on a macOS Encrypted HFS+/APFS drive (in my case /Volumes/EncryptedHDD/test/darth-vader.jpeg).

[Image: vader1]

Now we should have both images cached. Using the following commands we can find the necessary files:

sM4CBt00Ks:~ r3$ find $TMPDIR../C/com.apple.QuickLook.thumbnailcache/ -type f -name "index.sqlite"
sM4CBt00Ks:~ r3$ find $TMPDIR../C/com.apple.QuickLook.thumbnailcache/ -type f -name "thumbnails.data"

Now, copy them to other location.

sM4CBt00Ks:~ r3$ mkdir ~/Desktop/ql_post/
sM4CBt00Ks:~ r3$ cp /var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite ~/Desktop/ql_post/
sM4CBt00Ks:~ r3$ cp /var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/thumbnails.data ~/Desktop/ql_post/

Open index.sqlite to investigate the file contents.

[Image: sqlite]

We have information about the full paths and the file names. Now, let's exfil the thumbnails.data file to retrieve the miniatures. 😈 I used a Python script (https://github.com/mdegrazia/OSX-QuickLook-Parser) with my little modifications to provide macOS compatibility.

sM4CBt00Ks:OSX-QuickLook-Parser r3$ python2 quicklook_parser_v_3_5.py -d /Users/r3/Downloads/OSX-QuickLook-Parser/ -o /Users/r3/Downloads/OSX-QuickLook-Parser/output 
Processing Complete
Records in table: 41
Thumbnails available: 41
Thumbnails extracted: 41

The output directory contains a few thumbnail versions of our previews.

[Image: versions]

Below you can see the original miniatures (the biggest cached by Quicklook).

[Image: 31.darth-vader.jpeg_3]
[Image: 26.luke-skywalker.jpg_2]

Enough to determine the encrypted picture's contents, isn't it? The Darth Vader photo has a resolution of 1920x1080 in the original and 336x182 in the cached miniature.
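The two steps above (reading the paths out of index.sqlite, then carving the miniatures out of thumbnails.data) can be done without the parser, and the same logic doubles as a self-check: list every cached entry whose path points into /Volumes/, which is where mounted containers and external encrypted drives appear. The script below is an added example, not the author's modified parser nor mdegrazia's code. Its view of the index.sqlite schema (tables files and thumbnails joined on thumbnails.file_id = files.rowid, raw 32-bpp bitmaps at bitmapdata_location with a bytesperrow stride, and last_hit_date as seconds since 2001-01-01) is taken from public forensic descriptions of this cache and is an assumption you should confirm against your own copy with sqlite3 index.sqlite .schema. The RGBA byte order is also an assumption; the sample cache it builds is constructed so the code runs offline.

```python
"""Audit a QuickLook thumbnail cache copy for entries that point into mounted
volumes and carve their raw bitmaps. Added example; schema and byte order are
assumptions (see lead-in), not verified facts about every macOS version."""
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime origin (assumed)


def load_entries(index_path):
    """Return one dict per cached thumbnail, including the original file path."""
    con = sqlite3.connect(f"file:{index_path}?mode=ro", uri=True)  # never write to the copy
    rows = con.execute("""
        SELECT f.folder, f.file_name, t.hit_count, t.last_hit_date,
               t.width, t.height, t.bitsperpixel, t.bytesperrow,
               t.bitmapdata_location, t.bitmapdata_length
        FROM thumbnails t LEFT JOIN files f ON f.rowid = t.file_id
        ORDER BY t.rowid""").fetchall()
    con.close()
    entries = []
    for folder, name, hits, hit_date, w, h, bpp, stride, loc, length in rows:
        entries.append({
            "path": str(Path(folder or "") / (name or "")),
            "hit_count": hits,
            "last_hit": MAC_EPOCH + timedelta(seconds=hit_date or 0),
            "width": w, "height": h, "bpp": bpp, "stride": stride,
            "offset": loc, "length": length,
        })
    return entries


def flag_volume_paths(entries, mount_points=("/Volumes/",)):
    """Entries under a mount point: these outlive unmounting the volume."""
    return [e for e in entries if e["path"].startswith(tuple(mount_points))]


def carve_bitmap(data_path, entry):
    """Slice the raw bitmap for one entry out of thumbnails.data."""
    with open(data_path, "rb") as fh:
        fh.seek(entry["offset"])
        blob = fh.read(entry["length"])
    if len(blob) != entry["length"]:
        raise ValueError("thumbnails.data is shorter than the index claims (truncated copy?)")
    return blob


def bitmap_to_ppm(blob, entry):
    """Turn a 32-bpp bitmap into a binary PPM (P6) that opens without PIL.
    Assumes RGBA order; if colours look swapped, the cache used BGRA."""
    w, h, stride = entry["width"], entry["height"], entry["stride"]
    if entry["bpp"] != 32:
        raise ValueError(f"unsupported depth {entry['bpp']}")
    out = bytearray(f"P6\n{w} {h}\n255\n".encode())
    for y in range(h):
        row = blob[y * stride:y * stride + w * 4]
        for x in range(w):
            out += row[4 * x:4 * x + 3]  # drop the alpha byte
    return bytes(out)


def build_sample(tmp_dir):
    """Constructed sample cache (not a real macOS artefact) for offline runs."""
    tmp_dir = Path(tmp_dir)
    index, data = tmp_dir / "index.sqlite", tmp_dir / "thumbnails.data"
    # 2x2 RGBA thumbnail, stride 8 bytes, after 16 bytes of padding
    pixels = bytes([255, 0, 0, 255, 0, 255, 0, 255, 0, 0, 255, 255, 255, 255, 255, 255])
    data.write_bytes(b"\x00" * 16 + pixels)
    con = sqlite3.connect(index)
    con.executescript("""
        CREATE TABLE files (folder TEXT, file_name TEXT, fs_id TEXT, version BLOB);
        CREATE TABLE thumbnails (file_id INTEGER, size INTEGER, hit_count INTEGER,
            last_hit_date REAL, bitsperpixel INTEGER, bitmapdata_location INTEGER,
            bitmapdata_length INTEGER, width INTEGER, height INTEGER, bytesperrow INTEGER);
        INSERT INTO files VALUES ('/Volumes/Container', 'luke-skywalker.png', NULL, NULL);
        INSERT INTO files VALUES ('/Users/r3/Pictures', 'cat.jpg', NULL, NULL);
        INSERT INTO thumbnails VALUES (1, 2, 1, 550000000.0, 32, 16, 16, 2, 2, 8);
        INSERT INTO thumbnails VALUES (2, 2, 3, 550000000.0, 32, 16, 16, 2, 2, 8);
    """)
    con.commit()
    con.close()
    return index, data


def demo():
    """Build the constructed cache, audit it, carve the flagged thumbnail."""
    with tempfile.TemporaryDirectory() as d:
        index, data = build_sample(d)
        entries = load_entries(index)
        flagged = flag_volume_paths(entries)
        blob = carve_bitmap(data, flagged[0])
        return entries, flagged, blob, bitmap_to_ppm(blob, flagged[0])


if __name__ == "__main__":
    _, flagged, _, ppm = demo()
    for e in flagged:
        print(f"{e['path']}  hits={e['hit_count']}  last={e['last_hit']:%Y-%m-%d}")
    Path("flagged_0.ppm").write_bytes(ppm)
```

Point load_entries and carve_bitmap at the copies made in ~/Desktop/ql_post/ to run it against a real cache; the mode=ro URI keeps the evidence copy untouched, which matters if you are doing this as forensics rather than as a self-audit.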

This technique is known and helps a lot in forensics, but I honestly didn't know about it before. It was a big surprise for me to see that even files stored in encrypted containers may be cached that way. Keep it in mind when you use space to preview photos. 😉

Update #1

This blog post was continued in cooperation with Patrick Wardle on Objective-See.com: https://objective-see.com/blog/blog_0x30.html

Update #2

The story was also featured in:

https://thehackernews.com/2018/06/apple-macos-quicklook.html
https://arstechnica.com/information-technology/2018/06/reminder-macos-still-leaks-secrets-stored-on-encrypted-drives/
https://forums.appleinsider.com/discussion/205990/flaw-in-macos-quick-look-could-reveal-encrypted-data

Update #3

Bug fixed in macOS Mojave 10.14: https://support.apple.com/en-us/HT209139

[Image: Screenshot-2018-12-19-at-20.19.09]