Thursday, March 21, 2019
Home / Tutorials / Safari Forensic Tutorial

Safari Forensic Tutorial


In Mac OS X, iOS and in many apple products store serialized objects in property list files (.plist). These file are used to store information of applications, bundles, User settings. These files are of two types namely binary property lists and XML property lists. XML plist files can be directly viewed from any program which process XML files while binary plist files should be converted to plain text for investigation.

Location of Safari Property List Files
We will be investigating the files under the following locations.

Windows XP:
C:\Documents and Settings\%username\Application Data\Apple Computer\Safari
Windows Vista and 7:
%appdata%\Apple Computer\Safari
Mac OS X:

I will be discussing the main objectives in the Safari Browser:

  • History.plist
  • Downloads.plist
  • Bookmarks.plist
  • Cookies.binarycookies
  • cache.db

I will be using SFT tool( in all examples

This file stores the visited URLs along with last visited date and time, number of visits, page title. Here is an example of my Computer.

URL Last Visit Date/Time Number of visits Page Title 2013-04-06 13:06:26 -0700 1 The New York Times - Breaking News, World News & Multimedia 2013-04-06 13:06:16 -0700 1 2013-04-06 13:04:23 -0700 1 HackThis!! - The Hackers Playground 2013-04-06 13:04:13 -0700 1 HackThis!! - The Hackers Playground 2013-04-06 13:03:54 -0700 1 YouTube 2013-04-06 13:03:45 -0700 1 Wikipedia 2013-04-06 12:52:53 -0700 1 Apple - Start

This file contains the entries of downloaded files and does not contain any cache files including images or any media. We can view this file using the SFT tool safari_downloads in this manner. This is a example from my Computer.


DownloadEntryProgressBytesSoFar: 5900
DownloadEntryPath: C:\Users\Un0wn\Downloads\24897.rb
DownloadEntryIdentifier: 59990399-A44C-CE40-B79D-07B2F99DAF66
DownloadEntryURL: DownloadEntryPro
gressTotalToLoad: 5900 Status: Completed

This file contains all the saved bookmarked URLs. This file can be processed by the SFT tool sft_bm.

Folder Title: BookmarksBar
URL_Title: Apple URL: http://
URL_Title: Yahoo! URL:
URL_Title: Google Maps URL:
URL_Title: YouTube URL:
URL_Title: Wikipedia URL:
: Folder Title: News
URL_Title: The New York Times URL:
URL_Title: Google News URL: feed://
URL_Title: Los Angeles Times URL:
URL_Title: BBC News URL:
URL_Title: USA Today URL:
: Folder Title: Popular
URL_Title: eBay URL:
URL_Title: Amazon URL:
URL_Title: Flickr URL:
URL_Title: Expedia Travel URL:
URL_Title: Orbitz URL:
URL_Title: Facebook URL:
URL_Title: Monster Jobs URL:
URL_Title: CareerBuilder URL:
URL_Title: Disney URL:
URL_Title: craigslist URL:

This file contains all the information related to cookies. This file can be parsed by safari_cookie_bin. This file is located inside the cookie folder in the same location. This includes the URL, the creation and expiration time, the cookie content.


URL Name Created Expires Path Contents fpc 2013-04-06T16:28:48.000000Z 2014-04-06T03:56:58.000000Z / d=XMMvkO9wskhnek5BFnXSQoS5xdSWt6RrvSXAb7X6p.cXsMbbkCVttT1bp7PzRMsBgcOnrXvfttHiyOu3bFFSn_wSXgb2NzFEDSNqWKUb9YrnHaH5opWITf54YIYq6CT4Hja.fRE7RcmW5Jy0aqBKhe2RiIuCU0.q0tSl_BoX3NMi9zsbyiEAsvy7lY1xhv7eEfVQwOc-&v=2 fpms 2013-04-07T01:40:34.000000Z 2014-04-07T01:40:33.000000Z / p_30345810=%7B%22stream_filter%22%3A%22%3A%3A1365300633674%22%7D MF2 2013-04-06T16:30:11.000000Z 2015-04-06T03:58:23.000000Z / 1r1rot9a9a0ep _chartbeat2 2013-04-06T20:06:41.000000Z 2013-05-06T20:06:41.000000Z / hf0zkn0xymr79ks7.1365265807248.1365278801138.00000000000001 krux_segs 2013-04-06T20:06:36.000000Z 2013-04-09T20:06:36.000000Z / kxe_ICdF6_0U&Campaign_ID 2013-04-06T20:06:29.000000Z 2013-04-08T20:06:29.000000Z / nyt2013_163x90_digi_hp_3J3H8&

The cache files can be easily dumped by the SFT tool safari_wicache. This cache.db file is included the following location.

C:\Users\%username%\AppData\Local\Apple Computer\Safari
safari_wincache -f cache.db -s C:\cache

And further more you can use sqlite GUI to view these cache files by using this query.

SELECT * FROM cfurl_cache_receiver_data; Further more if you want to learn about the safari cache.db investigating see the reference.

All property list file can be also processed by a tool called by Pete M. Wilson which is a open source perl script that can convert binary plist files to a XML readable form.


This is the last tutorial and from this I conclude the Browser forensic Tutorial Series. Thank you for reading these and I am happy if you learned something new.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Low Level IPhone programming

Video from JailbreakCon Twitter: @JailbreakCon – “Low Level iPhone Programming (And more!)” by winocm [remotely, …