Safari History, Downloads & Extensions

macosUser ActivityDisk Image

Location

~/Library/Safari/ (History.db, Downloads.plist, Extensions/)

Description

Safari browser artifacts including the History.db SQLite database tracking visited URLs with timestamps, Downloads.plist recording downloaded files with source URLs and destination paths, cached web content, and installed browser extensions with their permissions and code.

Forensic Value

Safari History.db provides timestamped URL visit records that establish browsing activity and potential initial access vectors. The Downloads.plist supplements QuarantineEventsV2 with additional download metadata specific to Safari. Installed extensions should be reviewed for malicious or surveillance-capable add-ons that intercept web traffic or harvest credentials. Safari reading list and bookmarks may reveal attacker reconnaissance of target resources. The TopSites and LastSession plists provide additional context about the most recently active browsing sessions.

Tools Required

DB Browser for SQLitemac_aptHindsightCrowdstrike UACAutopsy

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical