Items related to Apple Safari browser

Introduction

Safari is a web browser developed by Apple and is included as part of the Apple Macintosh OS X operating system.  It has been the default browser on all Apple computers since Mac OS X version 10.3 Panther and its first public release was in 2003.  Safari is currently at major version 5, released in June 2010.

In June 2007 Apple released a version of Safari for Microsoft Windows operating systems.  The version of Safari at this time was version 3.  Windows versions have been updated in parallel with Mac OS X versions ever since and are also, at the time of writing, at version 5.

Forensic Analysis of Safari

NetAnalysis® v1 currently supports the analysis of all versions of Safari.  Safari runs on Microsoft Windows and Apple Macintosh OS X operating systems.  The data created by Safari is file based and the structure of the data it creates is similar between operating systems.

Safari Browser v3 – 5

Safari, like all web browsers, aggressively prompts the user to update to the latest version to incorporate new security patches.  This means that you are likely to find the most recent version on computers currently in use, which at the time of writing is Version 5.

Internet history and cache data are stored within each user's profile; the exact location will vary depending on the operating system in use.

Safari stores Internet history records within an Apple property list file entitled history.plist (as shown in Figure 1).  Property list files have the file extension .plist and therefore are often referred to as plist files.  Plist files may be in either an XML format or a binary format.  For earlier versions of Safari (both Windows and Macintosh variants) the history.plist file was in the XML format.  Later and current versions utilise the binary plist format.  NetAnalysis parses both the XML and binary formatted history plist files.

Figure 1: Apple History Folder
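The following Python sketch is an added example, not NetAnalysis code: it shows how the two history.plist variants described above can be told apart by signature and decoded into the same records. The key names (`WebHistoryDates`, the empty-string URL key, `title`, `lastVisitedDate`, `visitCount`) and the 2001-01-01 timestamp epoch are assumptions based on the commonly documented Safari layout, not on this page, and the sample records are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac absolute time counts seconds from 2001-01-01 00:00:00 UTC (assumed epoch).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def plist_format(data: bytes) -> str:
    """Classify a plist by its leading signature."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    return "xml" if head.startswith((b"<?xml", b"<plist")) else "unknown"

def parse_history(data: bytes) -> list:
    """Decode history records from an XML or binary history plist."""
    root = plistlib.loads(data)  # plistlib detects the format itself
    visits = []
    for item in root.get("WebHistoryDates", []):  # assumed key name
        try:
            when = MAC_EPOCH + timedelta(seconds=float(item.get("lastVisitedDate")))
        except (TypeError, ValueError):
            when = None  # keep the record; its timestamp could not be decoded
        visits.append({"url": item.get(""), "title": item.get("title"),
                       "visits": item.get("visitCount"), "last_visit_utc": when})
    # Oldest first; records without a usable timestamp go last.
    return sorted(visits, key=lambda v: (v["last_visit_utc"] is None,
                                         v["last_visit_utc"]))

# Constructed sample records (not taken from a real profile).
SAMPLE = {"WebHistoryDates": [
    {"": "http://example.com/b", "title": "B",
     "lastVisitedDate": "300000000.0", "visitCount": 3},
    {"": "http://example.com/a", "title": "A",
     "lastVisitedDate": "299913600.0", "visitCount": 1},
    {"": "http://example.com/c", "title": "C",
     "lastVisitedDate": "n/a", "visitCount": 1},  # deliberately malformed
]}
XML_SAMPLE = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
BIN_SAMPLE = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for blob in (XML_SAMPLE, BIN_SAMPLE):
        print(plist_format(blob))
        for v in parse_history(blob):
            print(" ", v["last_visit_utc"], v["visits"], v["url"])
```

Run it against a working copy of an exported history.plist rather than the original evidence file.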

Safari versions 3 to 5 store the cache in SQLite 3 database files entitled cache.db (as shown in Figure 2).  Earlier versions of Safari stored cache in files that had the file extension .cache.  These files are not currently supported.

Figure 2: Apple Cache Folder

Stage 1 – Recovery of Live Safari Data

To process and examine Safari live Internet history and cache with NetAnalysis, the following methodology should be used.  In the first instance, it is important to obtain the live data still resident within the file system (web pages can only be rebuilt from live cache data).

This can be done in any of the following three ways:

  • Export all of the data (preferably in the original folder structure) utilising a mainstream forensic tool
  • Mount the image using a forensic image tool
  • Access the original disk via a write protection device

Once the data has been extracted to an export folder, open NetAnalysis® and select File » Open All History From Folder.  Select the folder containing your exported Safari data.

Figure 3: Browse For Folder

Stage 2 – Recovery of Deleted Safari Data

HstEx® is a Windows-based, advanced professional forensic data recovery solution designed to recover deleted browser artefacts and Internet history from a number of different source evidence types.  HstEx® supports all of the major forensic image formats.

HstEx® currently supports the recovery of Safari XML and Binary plist data.  It cannot at the moment recover cache records (research and development is currently being conducted).  Figure 4 shows HstEx® processing

Figure 4: HstEx Processing Apple

Please see the following link for information on using HstEx® to recover browser data:

Please ensure you select the correct Data Type prior to processing.  Safari v5 stores history data in binary plist files.  When HstEx has finished processing, it will open a window similar to the one shown in Figure 5.  These files can now be imported into NetAnalysis® v1 by either selecting File » Open History and selecting all of the files, or selecting File » Open All History From Folder and selecting the root recovery folder.

Figure 5: HstEx Output Folder for Apple Safari Extraction

Default Folder Locations

Apple Safari data can be found in the following default folder locations (Figure 6):

Figure 6: File Locations

Further Reading

Overview

HstEx v3.6 adds a number of new features and fixes some minor bugs. One of the major new features released in this version is the ability to recover Safari binary plist data.

New Feature: Apple Safari Binary Plist Recovery

The Apple Safari browser stores Internet history records in an Apple Property List (plist). With the earlier versions of the Safari browser (version varies depending on operating system), this file was in XML format. In later versions, Apple switched to using a proprietary binary plist format. NetAnalysis supports both XML and binary plist files.

Using our proprietary Intelli-Carve™ technology (developed for our data recovery product Blade), we have enhanced HstEx by adding the ability to recover Safari binary plist history files. HstEx can recover this data even if the original file was deleted.

The data is recovered by HstEx and output in the form of *.hstx files. These files can then be loaded directly into NetAnalysis v1.52.

USB Licence Dongle Support

As some of you may be aware, our Blade data recovery product is licensed with a USB licence dongle. We are now offering the option to license NetAnalysis and HstEx with a USB licence dongle. The USB licence dongle provides you with much greater flexibility than a licence key file (which is restricted to one licence key per machine) as the USB dongle can be easily moved from machine to machine. This is not permitted with a licence key file, which is restricted to a single workstation.

Existing licence key file holders can purchase a USB licence dongle upgrade through our store. Please see the following link for further information on USB Dongle Licences.

New Feature – Cancel and Partial Recovery during Search Phase

This feature allows you to select cancel during the search phase of a recovery. On selecting cancel, you have the option of recovering what has been found so far (assuming HstEx has found data to recover at this point) and performing a partial recovery.

New Feature – Open Export Folder on Completion

This feature can be accessed via the Options menu. When set, at the end of the extraction process, the Export folder will automatically open for easy access.

Data Recovery Buffer Size

With previous versions of HstEx, the processing block size was fixed to whichever block size had been set when the original device had been imaged (normally 64 Sectors). Version 3.6 now allows you to manually set the processing block size with the potential of speeding up the recovery.