Your encrypted photos revealed in macOS cache

QuickLook is a super cool mechanism that lets you quickly check a file's contents without opening it in a specialized application. When you press the space bar on, for instance, an *.xlsx file, you see the following preview without having MS Excel installed.
[Image: QuickLook preview of an xlsx file]
While reading *OS Internals Volume I (which I highly recommend, btw) I stopped at the QuickLook chapter. I found out that QuickLook registers the com.apple.quicklook.ThumbnailsAgent XPC service, which is responsible for creating the thumbnails database and storing it in the /var/folders/.../C/com.apple.QuickLook.thumbnailcache/ directory.
This means that every photo you have previewed with the space bar (or that QuickLook cached on its own) is stored in that directory as a miniature together with its path. The entries stay there even if you delete the files, and even if you previewed them on an encrypted HDD or inside a TrueCrypt/VeraCrypt container.

Proof of Concept

Let's create a VeraCrypt container, mount it and save Luke Skywalker's photo inside it (in my case /Volumes/Container/luke-skywalker.png). Then press space on it so that QuickLook caches it.
[Image: luke-skywalker.png previewed in the mounted VeraCrypt container]
Now we do the same thing, but this time placing a Darth Vader photo on a macOS encrypted HFS+/APFS drive (in my case /Volumes/EncryptedHDD/test/darth-vader.jpeg).
[Image: darth-vader.jpeg previewed on the encrypted drive]
Now both images should be cached. Using the following commands we can find the necessary files:

sM4CBt00Ks:~ r3$ find $TMPDIR../C/com.apple.QuickLook.thumbnailcache/ -type f -name "index.sqlite"
/var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite
sM4CBt00Ks:~ r3$ find $TMPDIR../C/com.apple.QuickLook.thumbnailcache/ -type f -name "thumbnails.data"
/var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/thumbnails.data

Now, copy them to another location.

sM4CBt00Ks:~ r3$ mkdir ~/Desktop/ql_post/
sM4CBt00Ks:~ r3$ cp /var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/index.sqlite ~/Desktop/ql_post/
sM4CBt00Ks:~ r3$ cp /var/folders//d5/5p9d59rs67d59ttncml57pqw0000gp/C/com.apple.QuickLook.thumbnailcache/thumbnails.data ~/Desktop/ql_post/

Open index.sqlite to investigate its contents.
[Image: contents of index.sqlite]
We have the full paths and the file names. Now, let's exfil the thumbnails.data file to retrieve the miniatures. 😈 I used a Python script (https://github.com/mdegrazia/OSX-QuickLook-Parser) with a few small modifications of mine for macOS compatibility.

sM4CBt00Ks:OSX-QuickLook-Parser r3$ python2 quicklook_parser_v_3_5.py -d /Users/r3/Downloads/OSX-QuickLook-Parser/ -o /Users/r3/Downloads/OSX-QuickLook-Parser/output 
Processing Complete
Records in table: 41
Thumbnails available: 41
Thumbnails extracted: 41

The output directory contains a few thumbnail versions of our previews.
[Image: output directory with several thumbnail versions]
Below you can see the original miniatures (the biggest ones cached by QuickLook).
[Image: 31.darth-vader.jpeg_3]
[Image: 26.luke-skywalker.jpg_2]
Enough to determine the contents of the encrypted pictures, isn't it?
The original Darth Vader photo has a resolution of 1920x1080; the cached miniature is 336x182.
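As an added example (not part of the original post, and independent of the parser used above), here is a defender's audit of such a cache: it lists which cached thumbnails point at files under /Volumes/ (where encrypted containers and external disks mount) and pulls one raw bitmap out of thumbnails.data. The index.sqlite schema and 32-bpp layout it relies on follow what the OSX-QuickLook-Parser queries and are assumptions, as is the constructed sample cache.

```python
import os
import sqlite3
import tempfile

# Assumed schema (what OSX-QuickLook-Parser queries, not Apple documentation): files(folder,
# file_name) joins thumbnails on file_id = files.rowid; bitmaps are raw 32-bpp rows in thumbnails.data.

def cached_paths_under(index_db, prefix="/Volumes/"):
    """(path, width, height) for every cached thumbnail whose source file lives under prefix."""
    con = sqlite3.connect(index_db)
    rows = con.execute(
        "SELECT f.folder, f.file_name, t.width, t.height FROM files f "
        "JOIN thumbnails t ON t.file_id = f.rowid WHERE f.folder LIKE ?",
        (prefix + "%",)).fetchall()
    con.close()
    return [(os.path.join(folder, name), w, h) for folder, name, w, h in rows]

def extract_bitmap(index_db, data_file, path):
    """(width, height, raw pixel bytes) of one cached file, or None if it was never cached."""
    folder, name = os.path.split(path)
    con = sqlite3.connect(index_db)
    row = con.execute(
        "SELECT t.bitmapdata_location, t.bitmapdata_length, t.width, t.height FROM files f "
        "JOIN thumbnails t ON t.file_id = f.rowid WHERE f.folder = ? AND f.file_name = ?",
        (folder, name)).fetchone()
    con.close()
    if row is None:
        return None
    location, length, width, height = row
    with open(data_file, "rb") as fh:
        fh.seek(location)
        return width, height, fh.read(length)

def build_sample_cache():
    # Constructed sample cache (not from a real Mac): a local file plus one on an encrypted volume,
    # with two tiny BGRA thumbnails stored back to back in thumbnails.data.
    directory = tempfile.mkdtemp()
    index_db = os.path.join(directory, "index.sqlite")
    data_file = os.path.join(directory, "thumbnails.data")
    with open(data_file, "wb") as fh:
        fh.write(b"\x10\x20\x30\xff" + b"\x00\x00\x00\xff\xff\xff\xff\xff")  # 1x1 then 2x1
    con = sqlite3.connect(index_db)
    con.executescript("CREATE TABLE files (folder TEXT, file_name TEXT);"
                      "CREATE TABLE thumbnails (file_id INTEGER, width INTEGER, height INTEGER,"
                      " bitmapdata_location INTEGER, bitmapdata_length INTEGER);")
    con.executemany("INSERT INTO files VALUES (?, ?)", [
        ("/Users/r3/Pictures", "cat.png"), ("/Volumes/EncryptedHDD/test", "darth-vader.jpeg")])
    con.executemany("INSERT INTO thumbnails VALUES (?, ?, ?, ?, ?)",
                    [(1, 1, 1, 0, 4), (2, 2, 1, 4, 8)])
    con.commit()
    con.close()
    return index_db, data_file
```

On a real Mac, point the two functions at the index.sqlite and thumbnails.data located above; `qlmanage -r cache` resets the thumbnail cache once you have reviewed what it holds.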

This technique is well known and helps a lot in forensics, but I honestly didn't know about it before. It was a big surprise for me to see that even files stored in encrypted containers get cached this way. Keep it in mind when you use the space bar to preview photos. 😉

Update

This blog post was continued in cooperation with Patrick Wardle on Objective-See.com:
https://objective-see.com/blog/blog_0x30.html

Update 2

The story was also featured in:
https://thehackernews.com/2018/06/apple-macos-quicklook.html
https://arstechnica.com/information-technology/2018/06/reminder-macos-still-leaks-secrets-stored-on-encrypted-drives/
https://forums.appleinsider.com/discussion/205990/flaw-in-macos-quick-look-could-reveal-encrypted-data