Safari Browsing History (Mac)
Safari is the default browser on the Mac OS X Operating System. As with most browsers, there is a plethora of information to be found and Browsing History is one of them. If you are looking into the Safari Browsing History on an Apple computer, you will have to find the History.plist to get that information. For those that don’t know, a plist is a Preference file for an application on an Apple computer. They usually contain user settings for that particular application. They also hold information regarding that application. The default setting for Browsing History in Safari 4 and 5 is one month.
Now, locate the Safari History plist by navigating to /username/Library/Safari/History.plist on the suspect machine. Then export it out of your case. If you are working in a Windows based forensics lab, you can download a copy of WOWSoft’s free plist Editor and install it. Once installed, find the exported copy of the History.plist file and open it. You will see the following screen:
If you are using a Mac as your forensics platform, I would suggest heading over to the Apple Developers site and register there to get a free copy of XCode 3. XCode comes with a plist Editor included. Once installed, it becomes your default viewer for plists. Locate the History.plist file that you wish to view and double click on it. It will open in the plist Editor and here is what you will see:
Now let’s say I want to find out the Last Visit Date & Time to a particular site. I would locate the site in the History and look for the lastVisitedDate row and look across to the right to the third column:
Now the value that you see recorded there is Mac Absolute Time. You are going to want to decode that into a readable format. In Windows, you can download a copy of R. Craig Wilson’s DCode to do that. For example, you would take the number shown in the lastVisitedDate row and enter all of the numbers in up to the period into DCode, choose Mac Absolute Time and make sure to adjust for the suspect machine’s Time Zone Settings and click on Decode. I have used the lastVisitedDate string from the example screenshots I have provided above and received the following results:
AUTHOR NOTE– As of this post, I am unfamiliar with a tool/utility that works in Mac OS X that has the same functionality. If someone can point me in the right direction, I will be more than happy to edit this post and give full credit.
Forensic Tools of Use
Apple Developer Tools (XCode): http://developer.apple.com/programs/mac/
WOWSoft’s Free plist editor of Windows: http://www.icopybot.com/blog/free-plist-editor-for-windows-10-released.htm
DCode by R. Craig Wilson (Digital Detective UK): http://www.digital-detective.co.uk/freetools/decode.asp