Overview Safari is a web browser developed by Apple and is included as part of the Apple Macintosh OS X operating system.  It has been the default browser on all Apple computers since Mac OS X version 10.3 Panther and its first public release was in 2003.  Safari is currently at major version 5 released in June 2010.  In June 2007 Apple released a version of Safari for Microsoft Windows operating systems.  The version of Safari at this time was version 3.  Windows versions have been updated in parallel with Mac OS X versions ever since and are also at the time of writing at version 5  As of 2011, Safari is the fourth most widely used browser in the US, following Internet Explorer, Mozilla Firefox, and Google Chrome, respectively. On this page:

Forensic Analysis of Safari

NetAnalysis currently supports the analysis of all versions of Safari.  Safari runs on Microsoft Windows and Apple Macintosh OS X operating systems.  The data created by Safari is file based and the structure of the data it creates is similar between operating systems.

Safari Browser v3 - 5

Safari, like all web browsers, aggressively prompts the user to update to the latest version to incorporate new security patches.  This means that you are likely to find the most recent version on computers currently in use, which at the time of writing is Version 5.  Internet History and Cache data is stored within each users profile, the exact location varys depending on the operating system in use.  Safari stores Internet history records within an Apple property list file entitled history.plist (as shown in Figure 1).  Property list files have the file extension .plist and therefore are often referred to as plist files.  Plist files may be in either an XML format or a binary format.

NetAnalysis parses both the XML and binary formatted history plist files.

Figure 1

Safari versions 3 to 5 store the cache in SQLite 3 database files entitled cache.db (as shown in Figure 2).  Earlier versions of Safari stored cache in files that had the file extension .cache.  These files are not currently supported.

Figure 2

Stage 1 - Recovery of Live Safari Data

To process and examine Safari live Internet history and cache with NetAnalysis, the following methodology should be used.  In the first instance, it is important to obtain the live data still resident within the file system (web pages can only be rebuilt from live cache data).  This can be done in either of the following three ways:

1. Export all of the data (preferably in the original folder structure) utilising a mainstream forensic tool
2. Mount the image using a forensic image tool
3. Access the original disk via a write protection device

Once the data has been extracted to an export folder, open NetAnalysis and select File >> Open All History From Folder.  Select the folder containing your exported Safari data.

Figure 3

Stage 2 - Recovery of Deleted Safari Data

HstEx is a Windows-based, advanced professional forensic data recovery solution designed to recover deleted browser artefacts and Internet history from a number of different source evidence types.  HstEx supports all of the major forensic image formats.  HstEx currently supports the recovery of Safari XML and Binary plist data.

 Figure 4 shows HstEx processing:

Figure 4

Please see the following link for information on using HstEx to recover browser data:

• Quick Start Guide - HstEx

Please ensure you select the correct Data Type prior to processing.  Safari v5 stores history data in binary plist files.  When HstEx has finished processing, it will open a window similar to the one shown in Figure 5.  These files can now be imported into NetAnalysis by either selecting File >> Open History and selecting all of the files, or select File >> Open All History From Folder and selecting the root recovery folder.

Figure 5

Further information

• Default Folder Locations
• Wikipedia Article - Safari Browser
• Apple Safari Version History
• Apple Property List Files