ZeroSecurity - Information Security News

Safari Forensic Tutorial

by Paul
April 20, 2013

Introduction

Mac OS X, iOS and many other Apple products store serialized objects in property list files (.plist). These files hold information about applications, bundles and user settings. They come in two types: binary property lists and XML property lists. XML plist files can be viewed directly in any program that processes XML, while binary plist files must first be converted to plain text for investigation.

Location of Safari Property List Files
We will be investigating the files under the following locations.

Windows XP:
C:\Documents and Settings\%username%\Application Data\Apple Computer\Safari
Windows Vista and 7:
%appdata%\Apple Computer\Safari
Mac OS X:
/Users/$username/Library/Safari

I will be discussing the main files of interest in the Safari browser:

  • History.plist
  • Downloads.plist
  • Bookmarks.plist
  • Cookies.binarycookies
  • cache.db

I will be using the SFT tools (http://jafat.sourceforge.net/files.html) in all examples.

History.plist
This file stores the visited URLs along with the last visit date and time, the number of visits and the page title. Here is an example from my computer.
Code:

URL Last Visit Date/Time Number of visits Page Title
http://www.nytimes.com/ 2013-04-06 13:06:26 -0700 1 The New York Times - Breaking News, World News & Multimedia
http://pastebin.com/raw.php?i=qiktzpfU 2013-04-06 13:06:16 -0700 1
http://www.hackthis.co.uk/?login 2013-04-06 13:04:23 -0700 1 HackThis!! - The Hackers Playground
http://hackthis.co.uk/ 2013-04-06 13:04:13 -0700 1 HackThis!! - The Hackers Playground
http://www.youtube.com/ 2013-04-06 13:03:54 -0700 1 YouTube
http://www.wikipedia.org/ 2013-04-06 13:03:45 -0700 1 Wikipedia
http://www.apple.com/startpage/ 2013-04-06 12:52:53 -0700 1 Apple - Start
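
The binary-versus-XML distinction and the History.plist fields described above, as an added example that is not part of the original tutorial or of SFT: a Python sketch that reads either plist form and converts the stored timestamps to UTC. The key names (WebHistoryDates, the empty-string URL key, lastVisitedDate, visitCount, title) and the 2001-01-01 epoch are assumptions about the file layout, and the sample data is constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are Mac absolute time, seconds since 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def plist_format(raw):
    """Report whether the bytes are a binary or an XML property list."""
    return "binary" if raw.startswith(b"bplist") else "xml"

def mac_time(value):
    """Convert a Mac absolute timestamp (string or number) to UTC."""
    return MAC_EPOCH + timedelta(seconds=float(value))

def parse_history(raw):
    """Return (url, last_visit_utc, visit_count, title) rows, newest first."""
    root = plistlib.loads(raw)  # auto-detects binary and XML plists
    rows = []
    for item in root.get("WebHistoryDates", []):
        url = item.get("")  # assumed layout: URL stored under the empty key
        if not url:
            continue  # skip malformed entries instead of aborting the run
        rows.append((url, mac_time(item.get("lastVisitedDate", 0)),
                     int(item.get("visitCount", 0)), item.get("title", "")))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample mirroring two rows of the listing above, plus one
# malformed entry that has no URL key.
SAMPLE = {"WebHistoryFileVersion": 1, "WebHistoryDates": [
    {"": "http://www.wikipedia.org/", "title": "Wikipedia",
     "lastVisitedDate": "386971425.0", "visitCount": 1},
    {"": "http://www.nytimes.com/", "title": "The New York Times",
     "lastVisitedDate": "386971586.0", "visitCount": 1},
    {"title": "entry with no URL key"},
]}
BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for raw in (BINARY, XML):
        print(plist_format(raw))
        for url, when, count, title in parse_history(raw):
            print(f"  {when:%Y-%m-%d %H:%M:%S} UTC  {count}  {url}  {title}")
```

The times print in UTC, so 20:06:26 here corresponds to 13:06:26 -0700 in the listing.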


Downloads.plist
This file contains entries for downloaded files. It does not cover cached content such as images or other media. We can view this file with the SFT tool safari_downloads. This is an example from my computer.

Code:

DownloadEntryProgressBytesSoFar: 5900
DownloadEntryPath: C:\Users\Un0wn\Downloads\24897.rb
DownloadEntryIdentifier: 59990399-A44C-CE40-B79D-07B2F99DAF66
DownloadEntryURL: http://www.exploit-db.com/download/24897/
DownloadEntryProgressTotalToLoad: 5900
Status: Completed

Bookmarks.plist
This file contains all the saved bookmark URLs. It can be processed with the SFT tool sft_bm.
Code:

Folder Title: BookmarksBar
URL_Title: Apple URL: http://www.apple.com/
URL_Title: Yahoo! URL: http://www.yahoo.com/
URL_Title: Google Maps URL: http://maps.google.com/
URL_Title: YouTube URL: http://www.youtube.com/
URL_Title: Wikipedia URL: http://www.wikipedia.org/
: Folder Title: News
URL_Title: CNN URL: http://www.cnn.com/
URL_Title: The New York Times URL: http://www.nytimes.com/
URL_Title: Google News URL: feed://news.google.com/?output=rss
URL_Title: CNET News.com URL: http://www.news.com/
URL_Title: ESPN URL: http://espn.go.com/
URL_Title: Los Angeles Times URL: http://www.latimes.com/
URL_Title: BBC News URL: http://news.bbc.co.uk/
URL_Title: NPR URL: http://www.npr.org/
URL_Title: USA Today URL: http://www.usatoday.com/
: Folder Title: Popular
URL_Title: eBay URL: http://www.ebay.com/
URL_Title: Amazon URL: http://www.amazon.com/
URL_Title: Flickr URL: http://www.flickr.com/
URL_Title: Expedia Travel URL: http://www.expedia.com/
URL_Title: Orbitz URL: http://www.orbitz.com/
URL_Title: Facebook URL: https://www.facebook.com/
URL_Title: Monster Jobs URL: http://www.monster.com/
URL_Title: CareerBuilder URL: http://www.careerbuilder.com/
URL_Title: Disney URL: http://disney.go.com/
URL_Title: craigslist URL: http://www.craigslist.org/


Cookies.binarycookies
This file contains all the information related to cookies, including the URL, the creation and expiration times and the cookie content. It can be parsed by safari_cookie_bin. The file is located inside the cookie folder in the same location.

Code:

URL Name Created Expires Path Contents
.www.yahoo.com fpc 2013-04-06T16:28:48.000000Z 2014-04-06T03:56:58.000000Z / d=XMMvkO9wskhnek5BFnXSQoS5xdSWt6RrvSXAb7X6p.cXsMbbkCVttT1bp7PzRMsBgcOnrXvfttHiyOu3bFFSn_wSXgb2NzFEDSNqWKUb9YrnHaH5opWITf54YIYq6CT4Hja.fRE7RcmW5Jy0aqBKhe2RiIuCU0.q0tSl_BoX3NMi9zsbyiEAsvy7lY1xhv7eEfVQwOc-&v=2
.www.yahoo.com fpms 2013-04-07T01:40:34.000000Z 2014-04-07T01:40:33.000000Z / p_30345810=%7B%22stream_filter%22%3A%22%3A%3A1365300633674%22%7D
rss.nytimes.com MF2 2013-04-06T16:30:11.000000Z 2015-04-06T03:58:23.000000Z / 1r1rot9a9a0ep
www.nytimes.com _chartbeat2 2013-04-06T20:06:41.000000Z 2013-05-06T20:06:41.000000Z / hf0zkn0xymr79ks7.1365265807248.1365278801138.00000000000001
www.nytimes.com krux_segs 2013-04-06T20:06:36.000000Z 2013-04-09T20:06:36.000000Z /
www.nytimes.com kxe_ICdF6_0U&Campaign_ID 2013-04-06T20:06:29.000000Z 2013-04-08T20:06:29.000000Z / nyt2013_163x90_digi_hp_3J3H8&Page=homepage.nytimes.com


Cache.db
The cache files can be easily dumped with the SFT tool safari_wincache. The cache.db file is found in the following location.
Code:

C:\Users\%username%\AppData\Local\Apple Computer\Safari
safari_wincache -f cache.db -s C:\cache


Furthermore, you can use a SQLite GUI to view these cache files with this query.
Code:

SELECT * FROM cfurl_cache_receiver_data;

Furthermore, if you want to learn more about investigating the Safari cache.db, see the references.
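
An added example, not from the original tutorial or SFT, that goes one step past the query above by pairing each cached body with its request URL and timestamp. The cfurl_cache_response table and the request_key, time_stamp, entry_ID and receiver_data columns are assumed schema details, and the database is a constructed in-memory stand-in for cache.db.

```python
import sqlite3
from pathlib import Path

# Assumed schema: response metadata and body tables share entry_ID.
QUERY = """
SELECT r.entry_ID, r.time_stamp, r.request_key, d.receiver_data
FROM cfurl_cache_response AS r
LEFT JOIN cfurl_cache_receiver_data AS d ON d.entry_ID = r.entry_ID
ORDER BY r.time_stamp, r.entry_ID
"""
SIGNATURES = ((b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
              (b"GIF8", "gif"), (b"%PDF-", "pdf"))

def open_readonly(path):
    """Open a working copy of cache.db so SQLite cannot write to it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def sniff(body):
    """Guess the cached content type from its leading bytes."""
    if not body:
        return "empty"
    for magic, kind in SIGNATURES:
        if body.startswith(magic):
            return kind
    return "html" if b"<html" in body[:512].lower() else "unknown"

def cache_timeline(conn):
    """Return (entry_id, time_stamp, url, size, kind) per cached response."""
    return [(eid, ts, url, len(body or b""), sniff(body))
            for eid, ts, url, body in conn.execute(QUERY)]

def build_sample():
    """Constructed in-memory database standing in for a real cache.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE cfurl_cache_response (entry_ID INTEGER PRIMARY KEY, request_key TEXT, time_stamp TEXT);
    CREATE TABLE cfurl_cache_receiver_data (entry_ID INTEGER PRIMARY KEY, receiver_data BLOB);
    INSERT INTO cfurl_cache_response VALUES
        (1, 'http://www.wikipedia.org/', '2013-04-06 20:03:45'),
        (2, 'http://example.invalid/logo.png', '2013-04-06 20:03:46'),
        (3, 'http://example.invalid/redirect', '2013-04-06 20:03:47');
    INSERT INTO cfurl_cache_receiver_data VALUES
        (1, CAST('<html><body>sample</body></html>' AS BLOB)),
        (2, X'89504E470D0A1A0A0000');
    """)
    return conn

if __name__ == "__main__":
    print(*cache_timeline(build_sample()), sep="\n")
```

The LEFT JOIN keeps responses that have no stored body, such as entry 3 in the sample, so they still appear in the timeline.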

All property list files can also be processed with plutil.pl by Pete M. Wilson, an open source Perl script that converts binary plist files to a readable XML form.

References
http://forensicsfromthesausagefactory.blogspot.com/2010/06/safari-browser-cache-examination-of.html
http://jafat.sourceforge.net/Analyzing_Safari_With_SFT.pdf

This is the last tutorial, and with this I conclude the Browser Forensic Tutorial Series. Thank you for reading these, and I am happy if you learned something new.
-Un0wn_X
