Safari Open Tabs & Tab Groups (BrowserState.db)

iosWeb ActivityDevice Extraction

Location

HomeDomain/Library/Safari/BrowserState.db

Description

SQLite database maintaining the state of all open Safari tabs, tab groups, and recently closed tabs. Records the URL, page title, tab ordering, last viewed timestamp, and tab group associations. This database reflects the real-time browsing state at the time of device acquisition.

Forensic Value

Open tabs represent browsing activity that may not yet appear in the main history database, capturing in-progress research or recently accessed content. Tabs that the user intended to revisit or was actively using at the time of seizure provide insight into current activities and interests. Recently closed tabs preserve evidence of pages the user dismissed shortly before device acquisition, which may represent attempts to conceal browsing activity. Tab group names created by the user can reveal organizational context about research topics.

Tools Required

Cellebrite UFEDiLEAPPMagnet AXIOMDB Browser for SQLite

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud