Safari Open Tabs & Tab Groups (BrowserState.db)

Location

Description

SQLite database maintaining the state of all open Safari tabs, tab groups, and recently closed tabs. Records the URL, page title, tab ordering, last viewed timestamp, and tab group associations. This database reflects the real-time browsing state at the time of device acquisition.

Forensic Value

Open tabs represent browsing activity that may not yet appear in the main history database, capturing in-progress research or recently accessed content. Tabs that the user intended to revisit or was actively using at the time of seizure provide insight into current activities and interests. Recently closed tabs preserve evidence of pages the user dismissed shortly before device acquisition, which may represent attempts to conceal browsing activity. Tab group names created by the user can reveal organizational context about research topics.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

idevicebackup2 extract --domain HomeDomain /forensics/safari_extract/

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References