Analyzing Apple Safari Artifacts
Written By: Selena Ley

Apple Safari is the default web browser on Macs and is also available for download on Windows-based machines. The following are key Safari plist files an examiner should locate and examine:
These files can be located at ~/Library/Safari/. Other artifacts of interest are:

It is also very important for examiners to note the “private browsing” feature and its impact on these artifacts.

So what is this plist file? TopSites is a new feature that came out in version 3.x of Safari and gives a view of some of the sites most visited by the user. Within the browser itself, a cover flow view of the top websites visited may be very useful for an examiner. Reading through the plist file is quite intuitive as well. Within the cover flow view, a user can edit their top sites and either mark a site as “pinned” or permanently remove it from the top sites list. When a site is marked as pinned, it will be permanently included in the list until the user chooses to reset the top sites list.

The plist file does not provide a time stamp of when an entry is added to the file, but there are XML tags embedded within the file that indicate the last modified date/time of the file itself. Based on tests, it seems that entries are appended to the file. However, tests on version 4 of the browser do not indicate exactly when a site is added to this plist file, and the update is not instantaneous. For example, visiting a website multiple times (even after restarting the application) does not guarantee that the website will be included in this file. However, the plist file may be updated several minutes later to include top websites visited.

When a user clears the cache, the browser will prompt if the Top Sites should also be reset to the default sites. If it is reset, then the TopSites.plist file will be changed immediately and any pinned sites will also be cleared.

Some special notes about this plist file:
Pinned entries will be denoted with the key “TopSiteIsPinned”. This is tied to a user action, so it may be of interest to an examiner.
Default top sites have a key of “TopSiteIsBuiltin”.

This is a binary plist file used to store Safari bookmarks. By default, Safari will have some websites included in the Bookmarks.plist file. These built-in bookmarks will also be located in the Bookmark menu bar. The user may choose to add new bookmarks to the existing “Bookmark Bar” folder or to any subfolders that are created. Note that some users may accidentally add a bookmark to the “Top Sites” folder, in which case the bookmark will NOT appear in the Bookmarks.plist file.

If the user chooses to sort / group their bookmarks into folders, then the individual bookmark entries will be grouped together as an array of objects in the plist file, with the folder name included. Below is a screenshot of the bookmarks.plist file containing a folder called “Test Bookmarks” with 4 entries. Notice that the individual bookmarked sites are subitems within an array of objects belonging to that “Test Bookmarks” folder or list:

Bookmarks.plist example from Safari as seen in Property List Editor

Within the bookmarks.plist file, each entry will have a WebBookmarkUUID with a corresponding 32 character hex value. Using that WebBookmarkUUID, a corresponding file can be found that uses the 32 character value as its file name, with a file extension of “.webbookmark”. On a Leopard system, these webbookmark files can be found in the ~/Library/Caches/Metadata/Safari/Bookmarks folder. Each webbookmark file is a bplist (binary property list) file containing the URL of the bookmark. Note that the bookmarks.plist file does NOT contain the date/time when the entry was added. However, you can use the webbookmark entry to help determine this.
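The folder grouping and the UUID-to-file mapping described above can be walked programmatically. This is an added example, not part of the original article: the key names `Children`, `Title`, `URLString` and `URIDictionary` are assumptions about the Bookmarks.plist layout (only WebBookmarkUUID is named in the article), and the sample plist is constructed.

```python
import plistlib
from pathlib import PurePosixPath

# Folder the article gives for .webbookmark files on a Leopard system.
WEBBOOKMARK_DIR = PurePosixPath("~/Library/Caches/Metadata/Safari/Bookmarks")

def walk(node, folders=()):
    """Yield one dict per bookmark leaf, carrying its folder path and UUID."""
    children = node.get("Children")        # assumed key for folder contents
    if children is not None:
        title = node.get("Title")          # assumed key; empty on the root node
        path = folders + (title,) if title else folders
        for child in children:
            yield from walk(child, path)
        return
    url = node.get("URLString")            # assumed key for the bookmark URL
    if url is None:
        return                             # not a bookmark leaf
    uuid = node.get("WebBookmarkUUID")
    yield {
        "folder": "/".join(folders),
        "title": node.get("URIDictionary", {}).get("title", ""),
        "url": url,
        "uuid": uuid,
        # File whose timestamps can help date the bookmark, per the article.
        "webbookmark": str(WEBBOOKMARK_DIR / f"{uuid}.webbookmark") if uuid else None,
    }

def list_bookmarks(plist_bytes):
    """Parse Bookmarks.plist content (binary or XML) into a flat list."""
    return list(walk(plistlib.loads(plist_bytes)))

def leaf(title, url, uuid):
    """Build one constructed bookmark entry for the sample below."""
    return {"URIDictionary": {"title": title}, "URLString": url, "WebBookmarkUUID": uuid}

# Constructed sample: a bookmarks bar holding one bookmark and one subfolder.
SAMPLE = plistlib.dumps({"Title": "", "Children": [
    {"Title": "BookmarksBar", "Children": [
        leaf("Example", "http://example.com/", "AAAAAAAA-0000-0000-0000-000000000001"),
        {"Title": "Test Bookmarks", "Children": [
            leaf("Docs", "http://example.org/docs", "AAAAAAAA-0000-0000-0000-000000000002"),
            leaf("News", "http://example.net/news", "AAAAAAAA-0000-0000-0000-000000000003"),
        ]},
    ]},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for b in list_bookmarks(SAMPLE):
        print(b["folder"], "|", b["url"], "|", b["webbookmark"])
```
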

This plist file is used to keep track of active websites in the current Safari session. Within this plist file, entries exist per Safari window. If there are multiple tabs open within the same window, the plist file will indicate the list of websites. If there are multiple windows, then there will be a separate entry for each within the same file.

LastSession.plist example from Safari as seen in Property List Editor

When the browser closes unexpectedly, such as in a crash, it will use this file to attempt to restore the previous windows. For examiners, this file may contain data of evidentiary value. Note that when the user closes a window or tab, this file is updated immediately.

The history.plist file contains a list of web sites visited with the corresponding date/time as well as visit count. Tests indicate that the most recent URL visited is added at the head / top of the file. You can also confirm this and sort the entries by using the embedded date/time. Note that the date/time is in Mac absolute time and will need to be decoded.
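Decoding the timestamps and sorting the entries can be scripted. This is an added example, not part of the original article: Mac absolute time counts seconds from 2001-01-01 00:00:00 UTC, the key names `WebHistoryDates`, `lastVisitedDate`, `visitCount` and the empty-string URL key are assumptions about the History.plist layout, and the sample data is constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac absolute time is measured in seconds from this reference date (UTC).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_absolute_to_utc(value):
    """Convert a Mac absolute time (string or number) to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=float(value))

def parse_history(plist_bytes):
    """Return visits as dicts, newest first. A 0-byte file yields an empty list."""
    if not plist_bytes:
        return []
    root = plistlib.loads(plist_bytes)            # accepts binary and XML plists
    visits = []
    for item in root.get("WebHistoryDates", []):  # assumed top-level array key
        raw = item.get("lastVisitedDate")         # assumed key, stored as a string
        if raw is None:
            continue
        visits.append({
            "url": item.get("", ""),              # assumed: URL under the empty key
            "visit_count": item.get("visitCount", 0),
            "last_visited_utc": mac_absolute_to_utc(raw),
        })
    # Sort on the decoded time instead of trusting the order in the file.
    visits.sort(key=lambda v: v["last_visited_utc"], reverse=True)
    return visits

# Constructed sample, deliberately stored oldest first.
SAMPLE = plistlib.dumps({"WebHistoryDates": [
    {"": "http://example.com/a", "lastVisitedDate": "300000000.0", "visitCount": 3},
    {"": "http://example.org/b", "lastVisitedDate": "300086400.5", "visitCount": 1},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for v in parse_history(SAMPLE):
        print(v["last_visited_utc"].isoformat(), v["visit_count"], v["url"])
```
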

For each entry in the history.plist file, there is a corresponding webhistory file located at ~/Library/Caches/Metadata/Safari/History (on version 4.x). This webhistory file can be opened using the default plist editor to parse out the URL. When history is cleared (which is different from emptying the cache), the webhistory files are deleted and the History.plist file is resized to 0 bytes.

** Important Note** A new “feature” in Safari is to create a snapshot / thumbnail of the website and store it in ~/Library/Caches/ Previews. This is on by default. These are JPEG and PNG files with the same file name but different extensions. Note that sometimes there may be only one of the two files; this is generally the case when the user has navigated to another page before the other thumbnail / image was created and saved to disk. When the history is cleared, the preview pages will also be deleted unless they are related to bookmarked websites. In versions 4 and 5, users have the ability to clear the preview pages when they choose to reset Safari, but generally most users will not choose this option. The other option is to modify the Safari application either via the terminal or in the Finder.

On a Leopard system, the cookies.plist file is located in the ~/Library/Cookies/ subfolder. This is a standard plist file and can be easily reviewed. We can examine this file quickly for some indication of websites visited, date/time, as well as potential account names.

On Leopard, this file is located at ~/Library/Caches/. This is a SQLite 3 database that contains not only websites visited with corresponding timestamps but also the images, JavaScript, etc. With this said, the embedded plist files and binary information may make it difficult to open this database using 3rd party tools. In that case, you can always rely on a carving tool to extract pictures and other information of interest.
** Important note** If the history is cleared, the information may still reside in cache! This database file will be resized when the user chooses to empty the cache.

Impact of Private Browsing
If the user turns on private browsing, the History.plist, LastSession.plist, and TopSites.plist files are not updated. Screenshots or previews of the websites will not be captured. You can attempt to carve for the webpages in unallocated space. If the Mac is still on, then a memory dump will provide a history of websites visited. You can use the terminal to review what is in memory, or you can use forensic tools to analyze live memory. Another method is to query the Cache.db file located at ~/Library/Caches/. Note that once the browser (operating in private mode) is closed, this file will be resized and the historical websites and embedded information cleared. If the browser crashes in the middle of private browsing, you can also look at crash logs for any web history that may be useful to your case.
