
Analyzing Safari Browser, Apple Mail Data and Recents Database Artifacts on macOS

  • Apr 15

Safari, the default web browser for Apple devices, leaves behind various artifacts that can be useful for forensic analysis. These artifacts store information such as browsing history, session details, cached files, and thumbnails of visited websites. Understanding where and how Safari stores data on macOS can help investigators retrieve valuable insights.


Key Safari Data Locations

Safari stores different types of data across macOS. Below are the primary locations where forensic artifacts can be found:


macOS Locations:

  • ~/Library/Safari/

  • ~/Library/Containers/com.apple.Safari/


These directories contain various types of browser-related data, including:

  • Browsing history

  • Cache files

  • Session information

  • Tab snapshots and thumbnails

  • Downloaded files

  • Cookies


------------------------------------------------------------------------------------------------------


Safari Browsing History

Safari tracks user browsing activity in a SQLite database file called History.db. This database is found in different locations depending on the device:


  • macOS: ~/Library/Safari/History.db

Retention Period:

  • macOS: Stores history for up to a year (default) but can be configured to retain data for a shorter period (one month, two weeks, one week, or one day).


Tracking iCloud-Synced Browsing Activity

If Safari history is synced across devices using iCloud, the origin field in History.db will indicate where the page was visited:


  • 0 – Visited on this device

  • 1 – Visited on another iCloud-connected device

Two primary tables within History.db store crucial data:


  • history_items – Stores URLs, domains, and visit count.

  • history_visits – Contains visit timestamps (Mac Epoch format) and webpage titles.
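An added example (not part of the original article) of building a visit timeline from these two tables: it joins history_visits to history_items, converts Mac Epoch timestamps to UTC and decodes the origin value. The column names (url, visit_count, history_item, visit_time, title, origin) and the in-memory sample rows are assumptions constructed for illustration; check them against the schema of the History.db under examination.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Mac Epoch (Mac absolute time) counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Meaning of the origin value, as listed in the article.
ORIGIN = {0: "this device", 1: "other iCloud device"}

def mac_to_utc(seconds):
    """Convert Mac Epoch seconds to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)

def visit_timeline(conn):
    """Return every visit, oldest first, joined to its history_items row."""
    rows = conn.execute(
        "SELECT v.visit_time, i.url, v.title, i.visit_count, v.origin "
        "FROM history_visits v JOIN history_items i ON i.id = v.history_item "
        "ORDER BY v.visit_time"
    )
    return [
        {"utc": mac_to_utc(t).isoformat(), "url": url, "title": title,
         "visit_count": count, "origin": ORIGIN.get(origin, f"unknown ({origin})")}
        for t, url, title, count, origin in rows
    ]

def build_sample():
    """Constructed in-memory stand-in for History.db (assumed, reduced columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT, origin INTEGER);
        INSERT INTO history_items VALUES (1, 'https://example.com/login', 2),
                                         (2, 'https://example.org/report.pdf', 1);
        INSERT INTO history_visits VALUES (1, 1, 766368000.0, 'Login', 0),
                                          (2, 2, 766371600.5, 'Report', 1),
                                          (3, 1, 766375200.0, 'Login', 0);
    """)
    return conn

if __name__ == "__main__":
    for visit in visit_timeline(build_sample()):
        print(visit)
```

On real evidence, run this against a working copy of History.db opened read-only (for example `sqlite3.connect("file:History.db?mode=ro", uri=True)`), and keep any accompanying -wal and -shm files with the copy.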


------------------------------------------------------------------------------------------------------


Safari Session Data

Safari maintains session-related information that helps reconstruct a user’s last browsing session. The session data is stored differently on macOS.


macOS:

  • LastSession.plist (~/Library/Safari/LastSession.plist)

    • Stores tab history in a binary plist format.

    • If unencrypted, it contains tab identifiers, webpage titles, and URLs.


----------------------------------------------------------------------------------------------------------


Safari Thumbnails and Snapshots

Safari captures tab snapshots and thumbnails to provide a visual representation of open webpages.


macOS Snapshots:

~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/TabSnapshots/Metadata.db
  • Stores cached tab screenshots along with metadata.

  • Each snapshot has a UUID, which links it to its associated screenshot file.



-------------------------------------------------------------------------------------------------------------


Cloud-Synced Safari Tabs

Safari allows users to sync their open tabs across multiple Apple devices via iCloud. The CloudTabs.db file stores this information.


Locations:

  • macOS: ~/Library/Safari/CloudTabs.db


Each record in this database includes:

  • Hostname of the device where the tab is open.

  • A list of currently open non-private tabs.

  • A last modification timestamp indicating when the tab data was last updated.


Additional metadata about synced tabs can be found in:

  • macOS: ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/ByHost/com.apple.Safari.<HW UUID>.plist


-------------------------------------------------------------------------------------------------------------

Safari Cache and Cached Data

Cached data can provide insights into previously visited web pages, even if they are no longer stored in history.


Cache Database Location:

macOS: ~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/

The Cache.db SQLite database holds cached files and metadata:

  • cfurl_cache_response table – Stores cache metadata, including URL and timestamps.

  • cfurl_cache_receiver_data table – Contains the actual cached files.


While newer macOS versions store less cache in Cache.db, more recent data may be available in the WebKit cache system.

-------------------------------------------------------------------------------------------------------------


Safari WebKit Cache: Understanding Cached Data

Safari uses the WebKit Cache to store cached website data, which can be found in different locations depending on the device:


  • macOS: ~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/WebKitCache/



The WebKit cache contains different types of data, including:

  • Records Directory: Stores cached data for each website visit.

  • SubResources: Contains a list of cached items linked to a specific website visit.

  • Resources Directory: Stores actual cached content such as images, scripts, and HTML pages.

  • Blobs Directory: Stores additional cached media files that are too large to fit in a single resource file.




Correlation of Cached Files

All WebKit cached items can be correlated using 20-byte SHA1 hash filenames.

For example, if a user visits cyberengage.org to view an article, the SubResources file will list cached items such as images and scripts.

These cached items can be matched to their corresponding data in the Resources directory using embedded SHA1 hashes.

-------------------------------------------------------------------------------------------------------------


Key Safari Browser Artifacts for Investigation

Beyond cached data, Safari stores valuable information in several key files:


1. Safari Configuration and Recent Searches

  • File: com.apple.Safari.plist (~/Library/Preferences/)

  • Contents: Stores Safari’s configuration settings and a list of recent searches performed by the user.


2. Cookies Storage

  • File: Cookies.binarycookies

  • Contents: Stores cookies in a proprietary binary format.

  • Parsing Tools: Open-source scripts like Safari-Binary-Cookie-Parser can be used to extract cookie data.


  • Note: Other applications using WebKit (such as Twitter’s in-app browser) may also store cookies in a similar manner.


3. Bookmarks and Browsing History

  • macOS: Bookmarks.plist (/users/deanwinchester/library/safari)

  • Recently Closed Tabs: Stored in RecentlyClosedTabs.plist, which keeps track of tabs recently closed by the user.


4. Download History

Safari keeps a record of downloaded files in Downloads.plist (/users/deanwinchester/library/safari), but this data is automatically deleted after one day by default.


macOS Download History Details:

  • DownloadEntryIdentifier: Unique identifier for each download.

  • DownloadEntryURL: URL where the file was downloaded from.

  • DownloadEntryPath: File location on the system (usually in ~/Downloads).

  • Timestamps: Records the start and completion time of the download.

  • DownloadEntryBookmark: Bookmark BLOB


-----------------------------------------------------------------------------------------------------------------

Apple Mail


Apple Mail, the default email client for macOS, stores a wealth of information about email accounts, messages, and attachments.


Apple Mail Data Locations

macOS Mail Storage

On macOS, Apple Mail data is stored in the following locations:


  • ~/Library/Mail/ – Primary storage for all email messages and metadata.

  • ~/Library/Containers/com.apple.mail/ – Contains additional application-specific data.


Each version of macOS assigns a version number to its Mail directory:
  • macOS 10.13 – V5

  • macOS 10.14 – V6

  • macOS 10.15 – V7, and so on


Each email account has a dedicated GUID directory, which can be correlated using Accounts3.sqlite or Accounts4.sqlite databases.


Types of Apple Mail Data

Apple Mail stores various types of data that can provide insights into email activity:

  • Accounts – Information about configured email accounts.

  • Cached Messages and Attachments – Locally stored copies of emails and their attachments.

  • Envelope Index – A database containing metadata about emails.

  • Mail Downloads – Attachments saved by the user.



Understanding Mailbox Structures

Each email account has multiple mailboxes corresponding to different folders:

  • Inbox

  • Sent Messages

  • Drafts

  • Deleted Messages

  • Junk

  • Notes

  • User-created mailboxes


Mailboxes are stored as .mbox directories within the user's Mail directory:
  • Example paths:

~/Library/Mail/V#/GUID/Inbox.mbox, Sent Messages.mbox, etc.
  • The .mboxCache.plist file contains details about mailbox organization.

  • Email messages are stored as .emlx files within the Messages directory inside .mbox folders.


Email Messages and Attachments

Apple Mail stores individual emails as .emlx files, which contain:

  • Plaintext email headers and body content.

  • An embedded property list with metadata.
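An added example (not from the original article) of splitting an .emlx file into its message and its embedded property list. It assumes the commonly documented layout, which the article does not spell out: a first line giving the message's byte count, the message itself, then a trailing XML property list. The sample bytes, addresses and plist keys are constructed.

```python
import plistlib
from email import message_from_bytes
from email.policy import default

def parse_emlx(raw):
    """Split .emlx bytes into (EmailMessage, metadata dict).

    Assumed layout: byte-count line, RFC 822 message, trailing XML plist.
    """
    first_line, sep, rest = raw.partition(b"\n")
    if not sep or not first_line.strip().isdigit():
        raise ValueError("missing byte-count line")
    length = int(first_line.strip())
    if length > len(rest):
        # A carved or partially synced file can be shorter than declared.
        raise ValueError("declared length exceeds file size (truncated file?)")
    message = message_from_bytes(rest[:length], policy=default)
    trailer = rest[length:].strip()
    metadata = plistlib.loads(trailer) if trailer else {}
    return message, metadata

def build_sample():
    """Constructed .emlx bytes; addresses and plist keys are made up."""
    body = (b"From: alice@example.com\n"
            b"To: bob@example.com\n"
            b"Subject: Quarterly report\n"
            b"Date: Tue, 15 Apr 2025 09:30:00 +0000\n"
            b"\n"
            b"See attached.\n")
    plist = plistlib.dumps({"sample-flags": 1, "sample-note": "constructed"})
    return str(len(body)).encode() + b"\n" + body + plist

if __name__ == "__main__":
    msg, meta = parse_emlx(build_sample())
    print(msg["From"], "|", msg["Subject"], "|", msg["Date"])
    print(meta)
```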


Attachments are handled in two ways:

  • Quick Look Viewing: Temporarily stored in ~/Library/Mail Downloads/ or ~/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/.

  • Saved Attachments: Stored in the ~/Downloads directory.


Metadata for downloaded attachments includes extended attributes, such as quarantine information, which tracks when and how a file was downloaded.


Envelope Index: The Email Metadata Database

The Envelope Index SQLite database (found in MailData) indexes Apple Mail messages and includes:

  • Addresses Table: Stores indexed email addresses and contact names.

  • Attachments Table: Lists email attachments.

  • Mailboxes Table: Stores mailbox details, including message counts.

  • Messages Table: Contains metadata such as sender, recipient, subject, timestamps, and read status.

  • Subjects Table: Stores email subjects.


-------------------------------------------------------------------------------------------------------------------

Recents Database

Apple devices store a wealth of user interaction data to enhance user experience and functionality. One such data source is the Recents Database, which keeps track of recent interactions across various applications, including email, phone calls, and messages. This data can be valuable for both forensic investigations and general system understanding.


Where is the Recents Database Stored?

The Recents database is found on macOS:


macOS: ~/Library/Containers/com.apple.corerecents.recentsd/Data/Library/Recents/

What Information Does the Recents Database Contain?

The Recents database logs interactions with various applications, helping track recent activities such as:

  • Associated Applications: Identifies which app (Mail, Messages, Phone, etc.) was used.

  • Contacts & Locations: Stores recent interactions with contacts or locations.

  • Timestamps: Logs the last few instances of communication or activity.

  • Additional Metadata: Stores various keys and values related to interactions.


------------------------------------------------------------------------------------------------------------------


Conclusion

Safari stores a vast amount of information that can be crucial in forensic investigations. From cached web pages to download history and Apple Mail, analyzing these artifacts can provide valuable insights.


By understanding where and how Safari stores data, forensic experts can uncover hidden user activity, track browsing habits, and retrieve valuable evidence during investigations.

---------------------------------------Dean--------------------------------------------------





 
 
 
