SANS Digital Forensics and Incident Response Blog

Safari Browser Forensics

Since Apple started installing Safari for Windows by default when you update iTunes, I imagine there's going to be considerably more interest in performing forensic analysis of Safari browser artifacts than there has been previously.


In searching for some tools to help with analysis of Safari artifacts on a case I recently worked, I came across SFT 1.1.1. SFT was first released about a year and a half ago, and was updated several times over the following six months. There are no recent updates. Except for one issue noted below, it seems to work OK. SFT 1.1.1 contains the following command-line Safari analysis utilities (note that the utilities for extracting Mac-specific Safari 2.x files are only included in the Linux version, and some of the utilities are provided both as executables and as Perl scripts):

safari_hist (1.1): Safari History.plist parser [README]
safari_downloads (3.0): Safari Downloads.plist file parser [README]
safari_cookies (1.0): Safari Cookies.plist file parser [README]
safari_bm (1.0.1): Safari Bookmarks.plist file parser [README]
pref_parser (0.9.1): General-purpose .plist file parser [README]
safari_icon (1.0.1): Safari 3.x icon.db (icon cache) file parser [README]
safari_icon_osx (1.0): Safari 2.x (Mac) Icon .cache file parser [README]
safari_cache (1.0): Safari 2.x (Mac) browser .cache file parser [README]
safari_wincache (1.0.1): Safari 3.x cache.db file parser [README]

Safari stores its configuration and cache files in more-or-less traditional Windows locations.

Bookmarks.plist, Cookies.plist, Downloads.plist, History.plist, and the preference files (com.apple.Safari.plist, WebKitPreferences.plist, PubSub.plist, and keychain.plist) are in various locations under:

Profilepath\Application Data\Apple Computer\Safari

A couple of other undocumented files under the same location may also be of interest: Clients.plist, Lastsession.plist, and Form values.plist. The first two can be opened with pref_parser, but the third appears to contain binary data of some sort.

The Cache.db and WebpageIcons.db files are under:

Profilepath\Local Settings\Application Data\Apple Computer\Safari

I tested each of the Windows utilities, and all except for safari_icon.exe worked correctly with the current Safari version. The documentation for safari_icon.exe and safari_icon.pl (the Perl script version of the same utility) refers to an icon.db file located in Profilepath\Local Settings\Application Data\Apple Computer\Safari. In my testing, this file was not created, but one named WebpageIcons.db was. I attempted to use safari_icon.exe to extract data from this file, but it failed, indicating that there was no 'Icon' table in the file. I dumped it using sqlite3 and found a similar table named 'IconData'. I replaced Icon with IconData on line 68 of the safari_icon.pl script, then installed a couple of additional Perl modules under my Cygwin instance (DBI-1.607 and DBD-SQLite-1.14), and was able to successfully execute safari_icon.pl.
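To show what a tool like safari_hist has to do with History.plist, here is an added example in Python (not part of SFT or of this post) that reads a constructed Safari 3.x-style History.plist and converts its timestamps, which Safari stores as seconds since 2001-01-01 UTC rather than Unix time. The plist key names ("WebHistoryDates", "", "lastVisitedDate", "title", "visitCount") are assumed from that layout, and the sample data is constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Safari stores dates as seconds since 2001-01-01 00:00:00 UTC ("Mac absolute
# time"), not Unix time, so a plain epoch conversion would be off by 978307200 s.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the Safari 3.x History.plist layout (key names assumed):
# "WebHistoryDates" holds one dict per URL, keyed "" (URL), "lastVisitedDate",
# "title" and "visitCount"; "title" is absent when the page had none.
SAMPLE_HISTORY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://example.com/login</string>
      <key>lastVisitedDate</key><string>250000000.5</string>
      <key>title</key><string>Example Login</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
    <dict>
      <key></key><string>http://example.org/</string>
      <key>lastVisitedDate</key><string>249999000</string>
      <key>visitCount</key><integer>1</integer>
    </dict>
  </array>
  <key>WebHistoryFileVersion</key><integer>1</integer>
</dict>
</plist>
"""

def mac_time_to_utc(seconds):
    """Convert a Mac absolute time value (string or number) to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=float(seconds))

def parse_history(plist_bytes):
    """Return history entries, newest first, as dicts: url, title, visits, last_visit."""
    data = plistlib.loads(plist_bytes)
    entries = []
    for item in data.get("WebHistoryDates", []):
        entries.append({
            "url": item.get("", ""),
            "title": item.get("title", ""),
            "visits": int(item.get("visitCount", 0)),
            "last_visit": mac_time_to_utc(item.get("lastVisitedDate", 0)),
        })
    entries.sort(key=lambda e: e["last_visit"], reverse=True)
    return entries
```

On a real case, replace SAMPLE_HISTORY_PLIST with the bytes of History.plist read from the profile path above; plistlib.loads also accepts Apple's binary plist format.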

If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a Fortune 500 telecommunications equipment provider.