Safari is a web browser developed by Apple and is included as part of the Apple Macintosh OS X operating system.  It has been the default browser on all Apple computers since Mac OS X version 10.3 Panther and its first public release was in 2003.  Safari is currently at major version 5 released in June 2010.

In June 2007 Apple released a version of Safari for Microsoft Windows operating systems.  The version of Safari at this time was version 3.  Windows versions have been updated in parallel with Mac OS X versions ever since and are also at the time of writing at version 5.

Forensic Analysis of Safari

NetAnalysis® v1 currently supports the analysis of all versions of Safari.  Safari runs on Microsoft Windows and Apple Macintosh OS X operating systems.  The data created by Safari is file based and the structure of the data it creates is similar between operating systems.

Safari Browser v3 – 5

Safari, like all web browsers, aggressively prompts the user to update to the latest version to incorporate new security patches.  This means that you are likely to find the most recent version on computers currently in use, which at the time of writing is Version 5.

Internet History and Cache data is stored within each users profile, the exact location will vary depending on the operating system in use.

Safari stores Internet history records within an Apple property list file entitled history.plist (as shown in Figure 1).  Property list files have the file extension .plist and therefore are often referred to as plist files.  Plist files may be in either an XML format or a binary format.  For earlier versions of Safari (both Windows and Macintosh variants) the history.plist file was in the XML format.  Later and current versions utilise the binary plist format.  NetAnalysis parses both the XML and binary formatted history plist files.

Apple History Folder

Figure 1

Safari versions 3 to 5 store the cache in SQLite 3 database files entitled cache.db (as shown in Figure 2).  Earlier versions of Safari stored cache in files that had the file extension .cache.  These files are not currently supported.

Apple Cache Folder

Figure 2

Stage 1 – Recovery of Live Safari Data

To process and examine Safari live Internet history and cache with NetAnalysis, the following methodology should be used.  In the first instance, it is important to obtain the live data still resident within the file system (web pages can only be rebuilt from live cache data).

This can be done in either of the following three ways:

  • Export all of the data (preferably in the original folder structure) utilising a mainstream forensic tool
  • Mount the image using a forensic image tool
  • Access the original disk via a write protection device

Once the data has been extracted to an export folder, open NetAnalysis® and select File » Open All History From Folder.  Select the folder containing your exported Safari data.


Figure 3


Stage 2 – Recovery of Deleted Safari Data

HstEx® is a Windows-based, advanced professional forensic data recovery solution designed to recover deleted browser artefacts and Internet history from a number of different source evidence types.  HstEx® supports all of the major forensic image formats.

HstEx® currently supports the recovery of Safari XML and Binary plist data.  It cannot at the moment recover cache records (research and development is currently being conducted).  Figure 4 shows HstEx® processing

HstEx Processing Apple

Figure 4

Please see the following link for information on using HstEx® to recover browser data:

Please ensure you select the correct Data Type prior to processing.  Safari v5 stores history data in binary plist files.  When HstEx has finished processing, it will open a window similar to the one shown in Figure 5.  These files can now be imported into NetAnalysis® v1 by either selecting File» Open History and selecting all of the files, or select File » Open All History From Folder and selecting the root recovery folder.


HstEx Output Folder for Apple Safari Extraction

Figure 5

Default Folder Locations

Apple Safari data can be found in the following default folder locations (Figure 6):


Figure 6

Further Reading


We have been asked a few times recently about our new USB dongle licence option. The USB dongle licence is a small hardware device that plugs into a USB port on a host computer to provide licence information to our software.

Software licences stored on USB hardware offer a more flexible licence solution than licence key files. Our current EULA prohibits the use of a single licence key file on multiple workstations (we will be introducing hardware locked licence keys shortly). Each licence can only be installed on one system at any one time. With the USB dongle, you are permitted to install as many copies of our software as required and activate one instance of the software by running it with the USB dongle inserted (multiple instances on a single workstation are permitted). The dongle must be inserted whilst the software is being used.

Advantage of USB Licence Dongle

  • Allows the forensic investigator to use the software on a forensic workstation and a laptop without purchasing additional software licences.
  • As new products become available, additional licences can be added to the dongle.
  • Licences for multiple applications can be stored on one device.
  • Licence updates and changes can be easily made via the licence manager and encrypted update files.
  • The dongle does not function as a USB mass storage device so will not deprive you of drive letters.
  • Hardware dongles make it more difficult for licences to be stolen from the customer (such as with theft by employee).
  • It acts as a human interface device (HID) and is not affected by USB port security.
  • The software may be installed on several computers at the same time even if you only own a single licence.
  • The device contains an advanced microprocessor smart chip which has been certified by EAL4+ and ITSEC.
  • It requires no external device driver installation thus minimising common technical issues arising from device driver installation.

USB Dongle Upgrade Options

We are now offering a USB Dongle licence option for the following versions of our software:

  • NetAnalysis® > v1.52
  • HstEx® > v3.6
  • Blade® Standard / Professional > v1.0

Please note that Blade Standard / Professional can only be purchased with a USB licence dongle. With NetAnalysis, you have the option to purchase with either a licence key file or a USB licence dongle.

If you are an existing customer with a licence key file and wish to purchase a USB dongle upgrade, this can be done via our online store. The price of the upgrade will vary depending on the age of the licence key file. If your licence key file was purchased prior to 1st January 2007, you will need to purchase the USB dongle option with licence maintenance.

If you already own one of our USB dongles and wish to have additional licences added to the device, please contact us via our support portal for further information.

Further Information