Overview

Safari is a web browser developed by Apple and is included as part of the Apple Macintosh OS X operating system.  It has been the default browser on all Apple computers since Mac OS X version 10.3 Panther and its first public release was in 2003.  Safari is currently at major version 8 released in October 2014.

In June 2007 Apple released a version of Safari for Microsoft Windows operating systems.  The version of Safari at this time was version 3.  Windows versions have been updated in parallel with Mac OS X versions ever since and are at the time of writing at version 5. As of 2011, Safari is the fourth most widely used browser in the US, following Internet Explorer, Mozilla Firefox, and Google Chrome, respectively.

Forensic Analysis of Safari

NetAnalysis currently supports the analysis of all versions of Safari.  Safari runs on Microsoft Windows and Apple Macintosh OS X operating systems.  The data created by Safari is file based and the structure of the data it creates is similar between operating systems.

Safari Browser v3 - 8

Safari, like all web browsers, aggressively prompts the user to update to the latest version to incorporate new security patches.  This means that you are likely to find the most recent version on computers currently in use, which at the time of writing is Version 5 for Windows and Version 8 for Mac OS X.  Internet history and cache data are stored within each user's profile; the exact location varies depending on the operating system in use.  Safari v3 - 7 stores Internet history records within an Apple property list file entitled history.plist (as shown in Figure 1).  Property list files have the file extension .plist and are therefore often referred to as plist files.  Plist files may be in either an XML format or a binary format.

For earlier versions of Safari (both Windows and Macintosh variants) the history.plist file was in the XML format.  Later and current versions utilise the binary plist format.  NetAnalysis parses both the XML and binary formatted history plist files.
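The following is an added example, not NetAnalysis code and not part of the original article: a Python sketch that classifies a history.plist as XML or binary from its leading bytes and normalises the records from either format. The key names (WebHistoryDates, lastVisitedDate, visitCount, and the empty-string key holding the URL) and the timestamp epoch of 1 January 2001 UTC are not stated on this page and are assumptions about the file layout; the sample data is constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Assumption: timestamps count seconds from 2001-01-01 00:00:00 UTC (Mac absolute time).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def plist_format(data: bytes) -> str:
    """Classify a plist as 'binary', 'xml' or 'unknown' from its leading bytes."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith((b"<?xml", b"<!DOCTYPE", b"<plist")):
        return "xml"
    return "unknown"


def parse_history(data: bytes) -> list:
    """Return visit records, oldest first, from a history.plist in either format."""
    if plist_format(data) == "unknown":
        raise ValueError("not a property list")
    root = plistlib.loads(data)  # plistlib handles both XML and binary input
    records = []
    for entry in root.get("WebHistoryDates", []):
        # Assumed layout: URL under the empty-string key, date stored as a string.
        seconds = float(entry.get("lastVisitedDate", 0))
        records.append({
            "url": entry.get("", ""),
            "title": entry.get("title", ""),
            "visits": int(entry.get("visitCount", 0)),
            "last_visited_utc": MAC_EPOCH + timedelta(seconds=seconds),
        })
    return sorted(records, key=lambda r: r["last_visited_utc"])


# Constructed sample data, not taken from a real user profile.
SAMPLE = {"WebHistoryFileVersion": 1, "WebHistoryDates": [
    {"": "https://example.com/b", "title": "B", "lastVisitedDate": "435456000.0", "visitCount": 3},
    {"": "https://example.com/a", "title": "A", "lastVisitedDate": "86400.5", "visitCount": 1},
]}
XML_BYTES = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
BIN_BYTES = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for blob in (XML_BYTES, BIN_BYTES):
        print(plist_format(blob))
        for rec in parse_history(blob):
            print(" ", rec["last_visited_utc"].isoformat(), rec["visits"], rec["url"])
```

Run it against a working copy of the exported file, never the original evidence, and compare the decoded times with the tool output to confirm the epoch assumption.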

Figure 1


Recently Apple Safari v8 was released with OS X Yosemite and brought with it a change to its history storage. As a result, HstEx® v4.1 has been updated to support the recovery of individual entries from Safari v8 history records. History records are split across History Items and Visits. In HstEx we offer an option to recover both types (as shown in Figure 2).

Figure 2

Safari versions 3 to 8 store the cache in SQLite 3 database files entitled cache.db (as shown in Figure 3).  Earlier versions of Safari stored cache in files that had the file extension .cache.  These files are not currently supported.


Figure 3

Stage 1 - Recovery of Live Safari Data

To process and examine Safari live Internet history and cache with NetAnalysis, the following methodology should be used.  In the first instance, it is important to obtain the live data still resident within the file system (web pages can only be rebuilt from live cache data).  This can be done in any of the following three ways:

  1. Export all of the data (preferably in the original folder structure) utilising a mainstream forensic tool
  2. Mount the image using a forensic image tool
  3. Access the original disk via a write protection device

Once the data has been extracted to an export folder, open NetAnalysis, create a New Case and select Import » Data from Folder.  Select the folder containing your exported Safari data.

Please be aware that NetAnalysis will attempt to identify and import any browser related files.  If you only wish to process one specific browser type, only select the folder containing the file you wish to process, or open a specific file using Import » Data from File(s).

Stage 2 - Recovery of Deleted Safari Data

HstEx is a Windows-based, advanced professional forensic data recovery solution designed to recover deleted browser artefacts and Internet history from a number of different source evidence types.  HstEx supports all of the major forensic image formats.  HstEx currently supports the recovery of Safari XML and Binary plist data.  

Please see the following link for information on using HstEx to recover browser data:

Please ensure you select the correct Data Type prior to processing.  Safari v5 stores history data in binary plist files.  When HstEx has finished processing, it will open a window similar to the one shown in Figure 3.  These files can now be imported into NetAnalysis by either selecting Import » Data from File(s) and selecting all of the files, or selecting Import » Data from Folder and selecting the root recovery folder.

Figure 4