Safari History, Downloads & Extensions
Location
~/Library/Safari/ (History.db, Downloads.plist, Extensions/)Description
Safari browser artifacts including the History.db SQLite database tracking visited URLs with timestamps, Downloads.plist recording downloaded files with source URLs and destination paths, cached web content, and installed browser extensions with their permissions and code.
Forensic Value
Safari History.db provides timestamped URL visit records that establish browsing activity and potential initial access vectors. The Downloads.plist supplements QuarantineEventsV2 with additional download metadata specific to Safari. Installed extensions should be reviewed for malicious or surveillance-capable add-ons that intercept web traffic or harvest credentials. Safari reading list and bookmarks may reveal attacker reconnaissance of target resources. The TopSites and LastSession plists provide additional context about the most recently active browsing sessions.
Tools Required
Collection Commands
sqlite3
sqlite3 ~/Library/Safari/History.db "SELECT datetime(hv.visit_time + 978307200, 'unixepoch') AS visit_date, hi.url, hv.title FROM history_visits hv JOIN history_items hi ON hv.history_item = hi.id ORDER BY hv.visit_time DESC LIMIT 500"
plutil
plutil -p ~/Library/Safari/Downloads.plist > /forensics/safari_downloads.txt
cp
cp -r ~/Library/Safari/ /forensics/safari_artifacts/
mac_apt
python mac_apt.py -i /path/to/image -o /forensics/output SAFARI
Collection Constraints
- •Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.