Safari

Overview

Safari is the default web browser on macOS and is deeply integrated with the operating system. Because it ships with every Mac and is the default handler for web links, Safari artifacts are present on virtually every macOS system -- even when users primarily use other browsers. Safari forensic artifacts provide critical evidence for user activity timelines, search queries, downloaded files, authentication tokens, and browsing patterns.

Safari stores its data across multiple files in well-known locations under the user's home directory. The primary storage formats are SQLite databases (for history and local storage) and binary property lists (for downloads, bookmarks, extensions, and session state). Cookies use a proprietary binary format (Cookies.binarycookies).

Artifact Summary

| Artifact | File | Format | Forensic Value |
|---|---|---|---|
| Browsing History | History.db | SQLite | User activity timeline, visited sites, search queries |
| Downloads | Downloads.plist | Binary Plist | Files obtained from the internet, source URLs, timestamps |
| Bookmarks | Bookmarks.plist | Binary Plist | Sites of interest, organisational patterns, Reading List |
| Cookies | Cookies.binarycookies | Binary | Authentication tokens, session data, tracking information |
| Extensions | Extensions/Extensions.plist | Binary Plist | Installed browser modifications, potential malware vectors |
| Local Storage | LocalStorage/*.localstorage | SQLite | Web application data, potentially sensitive user content |
| Sessions | LastSession.plist | Binary Plist | Tabs open at last browser close, window state |

File Locations

The primary Safari artifact directory for each user is:

~/Library/Safari/

Additional artifacts are stored in:

~/Library/Cookies/                     # Cookie store (legacy)
~/Library/Containers/com.apple.Safari/ # Cookie store (sandboxed, macOS 10.14+)
~/Library/WebKit/WebsiteData/          # Local storage (macOS 11.0+)
~/Library/Caches/com.apple.Safari/     # Cached web content

Complete Directory Layout

~/Library/Safari/
  History.db                  # SQLite - browsing history
  History.db-wal              # Write-ahead log
  History.db-shm              # Shared memory file
  Downloads.plist             # Binary plist - download records
  Bookmarks.plist             # Binary plist - bookmarks and Reading List
  TopSites.plist              # Binary plist - frequently visited sites
  LastSession.plist           # Binary plist - tabs from last close
  CloudTabs.db                # SQLite - iCloud synced tabs (Safari 15+)
  SafariTabs.db               # SQLite - tab groups (Safari 15+)
  RecentlyClosedTabs.plist    # Binary plist - recently closed tabs
  Extensions/
    Extensions.plist           # Extension metadata
  Favicon Cache/
    favicons.db                # SQLite - site icons

~/Library/Cookies/
  Cookies.binarycookies       # Binary - cookie store (legacy path)

~/Library/Containers/com.apple.Safari/Data/Library/Cookies/
  Cookies.binarycookies       # Binary - cookie store (sandboxed, macOS 10.14+)

~/Library/WebKit/WebsiteData/LocalStorage/
  https_example.com_0.localstorage     # Per-origin SQLite databases

Safari Version Detection

Safari's version can be determined from:

/Applications/Safari.app/Contents/Info.plist
  -> CFBundleShortVersionString

| macOS Version | Safari Version | Notable Changes |
|---|---|---|
| 10.12 Sierra | Safari 10 | Baseline for modern forensics |
| 10.13 High Sierra | Safari 11 | Minor schema additions |
| 10.14 Mojave | Safari 12 | Cookie path moved to sandbox container |
| 10.15 Catalina | Safari 13 | Extension format changes (App Extensions) |
| 11 Big Sur | Safari 14 | LocalStorage path changed to ~/Library/WebKit/ |
| 12 Monterey | Safari 15 | Tab Groups, history_tombstones table, CloudTabs.db |
| 13 Ventura | Safari 16 | Extension profiles |
| 14 Sonoma | Safari 17 | Minor additions |

Timestamps

Safari uses Core Data timestamps throughout its databases and plist files. These represent the number of seconds (with fractional precision) since the Core Data epoch:

Epoch: 2001-01-01 00:00:00 UTC (Unix timestamp 978307200)

Conversion formula:

Unix timestamp = Core Data timestamp + 978307200

For example, a Core Data timestamp of 725760000.0 converts to:

725760000 + 978307200 = 1704067200 = 2024-01-01 00:00:00 UTC

In Python:

from datetime import datetime, timezone, timedelta

COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def coredata_to_datetime(ts):
    """Convert a Core Data timestamp (seconds since 2001-01-01 UTC) to an aware datetime."""
    return COREDATA_EPOCH + timedelta(seconds=ts)

In SQL (SQLite):

SELECT datetime(visit_time + 978307200, 'unixepoch') AS visit_datetime
FROM history_visits;

Forensic Handling

Database Safety

Safari's History.db is a live SQLite database that may be actively written to. For forensic soundness:

  1. Copy the database file along with its WAL (write-ahead log) and SHM (shared memory) files
  2. Open the copy in read-only mode
  3. Checkpoint the WAL on the copy (not the original) to ensure all pending writes are captured
  4. Never modify the original files
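
The four steps above, carried out in Python as an added example (not macfor's code and not part of the original page). It runs against a constructed WAL-mode History.db held open by a writer; the two-table schema and the sample row are constructed, and history_items, url and history_item are names assumed here rather than taken from this page. A checkpoint needs a writable connection, so it is run on the copy before the read-only analysis connection is opened.

```python
import hashlib, shutil, sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def acquire(src_db, work_dir):
    """Steps 1 and 4: copy the database and its sidecars, hashing each original first."""
    src_db, hashes = Path(src_db), {}
    for suffix in ("", "-wal", "-shm"):  # main file, write-ahead log, shared memory
        src = src_db.with_name(src_db.name + suffix)
        if src.exists():
            hashes[src.name] = sha256(src)
            shutil.copy2(src, Path(work_dir) / src.name)
    return Path(work_dir) / src_db.name, hashes

def checkpoint_copy(copy_db):
    """Step 3: fold the copied WAL into the copied database (writes to the copy only)."""
    con = sqlite3.connect(copy_db)
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    con.close()

def read_visits(copy_db):
    """Step 2: query the copy over a read-only connection, converting Core Data times."""
    con = sqlite3.connect(Path(copy_db).resolve().as_uri() + "?mode=ro", uri=True)
    rows = con.execute(
        "SELECT i.url, v.visit_time FROM history_visits v "
        "JOIN history_items i ON i.id = v.history_item ORDER BY v.visit_time").fetchall()
    con.close()
    return [(url, COREDATA_EPOCH + timedelta(seconds=ts)) for url, ts in rows]

def demo():
    """Constructed sample: a WAL-mode History.db kept open by a writer, as a live browser would."""
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as work:
        writer = sqlite3.connect(Path(live, "History.db"), isolation_level=None)
        writer.execute("PRAGMA journal_mode=WAL")
        writer.execute("CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT)")
        writer.execute("CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER, visit_time REAL)")
        writer.execute("INSERT INTO history_items VALUES (1, 'https://example.com/')")
        writer.execute("INSERT INTO history_visits VALUES (1, 1, 725760000.0)")
        copy_db, before = acquire(Path(live, "History.db"), work)
        checkpoint_copy(copy_db)
        visits = read_visits(copy_db)
        after = {name: sha256(Path(live, name)) for name in before}
        writer.close()
        return visits, before == after, sorted(before)
```

Record the hashes returned by acquire() in the case notes; comparing them again after analysis, as demo() does, shows the originals were not altered.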

Sensitive Data

Safari artifacts contain highly sensitive information:

  • Cookies: Authentication tokens and session identifiers (values should be redacted in reports)
  • Local Storage: Web application data that may include personal information
  • History: Complete browsing activity revealing personal interests, searches, and habits
  • Downloads: Record of all files obtained from the internet

Multi-User Collection

Safari artifacts exist per-user. A thorough forensic collection should enumerate all user accounts on the system and collect artifacts for each user independently. Elevated privileges (root/sudo) are typically required to access other users' Library directories.

Tool Support

macfor

The browser.safari plugin in macfor collects all Safari artifacts listed above. It is included in the open-source community edition.

# Collect Safari artifacts only
macfor collect --plugin browser.safari --output ./evidence.zip

# Collect all browser artifacts
macfor collect --category browser --output ./evidence.zip

Collection options allow skipping sensitive artifacts:

  • --skip-cookies: Omit cookie collection
  • --skip-local-storage: Omit LocalStorage collection
  • --history-only: Collect only History.db

Other Tools

  • mac_apt (macOS Artifact Parsing Tool): Parses Safari history, downloads, and bookmarks
  • Autopsy / The Sleuth Kit: Safari artifact modules available
  • AXIOM / Cellebrite: Commercial tools with Safari parsing support
  • DB Browser for SQLite: Manual examination of History.db
  • plutil / plistutil: Manual examination of plist-format artifacts
  • BinaryCookieReader: Python tool for parsing Cookies.binarycookies
