You might have observed that, by default, browsers store data like search queries, usernames, passwords, form data, emails, credit card data and other sensitive information. Browsers also hold downloaded media like images, videos, executables, documents etc. Bookmarks and browser history give an idea of a user's surfing habits and interests. In short, browsers store a lot of sensitive information about users and their surfing habits, so they play a very important role in forensics due to the nature and amount of data they hold.

Why Browser Forensics

With the help of Browser Forensics and the assistance of forensic tools, one can extract sensitive data and chosen keywords from most web browsers. One can retrieve deleted data and keywords, check whether history was cleared, and retrieve artefacts like cookies, download data, history, saved passwords, websites visited etc. Browser Forensics also helps a lot in understanding how an attack on a system was conducted, helping to find the source of malware/adware/spyware, malicious emails, phishing websites etc. There are many web browsers available, like Safari, Chrome, Firefox, IE and Opera, depending upon the platform being used. In this post, we will be learning how to conduct forensics for the Safari browser.

Safari

Safari is the official browser by Apple for their MacOS, based on the WebKit engine. Though it was first developed for Apple, it runs on all platforms. A few salient features offered by the Safari browser –

1) Real time report on the list of trackers blocked
2) Own extensions store
3) Automatic password compromise checking

Safari Artifacts

An artifact is a remnant or trace left behind on the computer which helps to identify the source of malicious traffic and the attack conducted on the system. A few examples include cache data, history, downloads etc. Safari stores these artifacts inside specific folders in the operating system. The file location for every browser is different but the file format remains the same. Following are the common artifacts stored by Safari –

1) Navigation History – This reveals the navigation history of the user. It can be used to track whether a user has visited any malicious URL or not.
2) Autocomplete Data – This reveals data that has been used on various forms, search terms etc. It is used together with Navigation History for more insight.
3) Bookmarks – Self Explanatory
4) Add-ons, Extensions and Plugins – Self Explanatory
5) Cache – Contains cached data from various websites like images, Javascript files etc.
6) Logins – Self Explanatory
7) Form Data – Self Explanatory
8) Favicons – Self Explanatory
9) Session Data – Self Explanatory
10) Thumbnails – Self Explanatory
11) Favorites – Self Explanatory
12) Sensitive data – Self Explanatory

Various Artifacts and their URLs

Following are the locations of various artifacts and the respective URL to query to locate each artefact –

History.plist file – /safari_hist.README
Downloads.plist file – /safari_download.README
Cookies.plist file – /safari_cookies.README
Bookmarks.plist file – /safari_bm.README
General purpose .plist file – /pref_parser.README
Icon.db file – /safari_icon.README
Icon .cache file – /safari_icon_osx.README
Browser .cache file – /safari_cache.README
Cache.db file – /safari_wincache.README
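As a worked illustration of what "navigation history" and "downloads" artifacts look like when parsed, the script below (an added example, not code from the original post or from any of the tools it lists) reads a Safari-style History.plist and Downloads.plist with Python's standard plistlib, converts the timestamps, searches for chosen keywords and ties visits to downloads. The plist layout it assumes (a "WebHistoryDates" array whose entries keep the URL under the empty key "", a "DownloadHistory" array with DownloadEntryURL/DownloadEntryPath, and timestamps as Core Foundation absolute time, i.e. seconds since 2001-01-01 UTC) mirrors Safari's legacy property-list format; the sample records are constructed here so the script runs offline.

```python
"""Parse Safari-style History.plist / Downloads.plist for forensic review.

Added example (not from the original post). Assumed plist layout:
  * History.plist: top-level "WebHistoryDates" array; each entry stores the
    URL under the empty key "", plus "title", "visitCount" and
    "lastVisitedDate" (Core Foundation absolute time, seconds since
    2001-01-01 00:00:00 UTC, stored as a string).
  * Downloads.plist: "DownloadHistory" array with "DownloadEntryURL" and
    "DownloadEntryPath".
"""
import plistlib
from datetime import datetime, timedelta, timezone

# Core Foundation absolute time counts seconds from this epoch (assumption).
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_datetime(value):
    """Convert a CF absolute timestamp (string or number of seconds) to UTC."""
    return CF_EPOCH + timedelta(seconds=float(value))


def parse_history(data):
    """Parse History.plist bytes (XML or binary) into a visit timeline.

    Returns a list of dicts sorted oldest-first by last visit time.
    """
    plist = plistlib.loads(data)
    records = []
    for entry in plist.get("WebHistoryDates", []):
        records.append({
            "url": entry.get("", ""),  # legacy Safari keeps the URL under ""
            "title": entry.get("title", ""),
            "visit_count": int(entry.get("visitCount", 0)),
            "last_visited": cf_absolute_to_datetime(entry.get("lastVisitedDate", 0)),
        })
    return sorted(records, key=lambda r: r["last_visited"])


def parse_downloads(data):
    """Parse Downloads.plist bytes into (source URL, local path) pairs."""
    plist = plistlib.loads(data)
    return [
        {"url": d.get("DownloadEntryURL", ""), "path": d.get("DownloadEntryPath", "")}
        for d in plist.get("DownloadHistory", [])
    ]


def match_keywords(records, keywords):
    """Return history records whose URL or title contains any keyword."""
    needles = [k.lower() for k in keywords]
    return [
        r for r in records
        if any(n in (r["url"] + " " + r["title"]).lower() for n in needles)
    ]


# --- Constructed sample data (not taken from a real system) ----------------
SAMPLE_HISTORY = plistlib.dumps({
    "WebHistoryDates": [
        {"": "https://example.com/", "title": "Example Domain",
         "lastVisitedDate": "645451200", "visitCount": 3},  # 2021-06-15 12:00 UTC
        {"": "http://update-check.example.net/invoice.exe", "title": "invoice download",
         "lastVisitedDate": "645454800", "visitCount": 1},  # one hour later
    ]
}, fmt=plistlib.FMT_BINARY)

SAMPLE_DOWNLOADS = plistlib.dumps({
    "DownloadHistory": [
        {"DownloadEntryURL": "http://update-check.example.net/invoice.exe",
         "DownloadEntryPath": "~/Downloads/invoice.exe"},
    ]
}, fmt=plistlib.FMT_BINARY)


def build_report(history_bytes, downloads_bytes, keywords=("invoice", ".exe")):
    """Combine history and downloads: timeline, keyword hits, visits that led to a download."""
    history = parse_history(history_bytes)
    downloads = parse_downloads(downloads_bytes)
    downloaded_urls = {d["url"] for d in downloads}
    return {
        "timeline": [(r["last_visited"].isoformat(), r["url"]) for r in history],
        "keyword_hits": [r["url"] for r in match_keywords(history, keywords)],
        "visits_with_download": [r["url"] for r in history if r["url"] in downloaded_urls],
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_HISTORY, SAMPLE_DOWNLOADS).items():
        print(key, value)
```

To run it against a real image, replace the constructed bytes with the contents of the History.plist and Downloads.plist copied from the profile folders listed on this page; plistlib reads both the XML and binary plist encodings, and the timestamp conversion is where most "wrong time zone" mistakes in a timeline are made, so it is kept in one function.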

Apart from the above, there are other locations to check for artifacts as well. They are –

A) Profilepath\Application Data\Apple Computer\Safari
B) Profilepath\Local Settings\Application Data\Apple Computer\Safari

Tools

Now that we know the different artifacts and their locations, let's see which tools can be used for performing Browser Forensics –

1) DB Browser – For opening .sqlite files
2) Nirsoft Web Browsers Tools
3) BrowsingHistoryView
4) ESEDatabaseView
5) Session History Scrounger – for Firefox
6) Sysinternals Strings
7) OS Forensics
8) Magnet IEF
9) Browser History Viewer
10) Browser History Examiner
11) Hindsight
12) libesedb – Library to access the Extensible Storage Engine (ESE) Database File (EDB) format
13) Web Browser Addons View
14) The LaZagne Project
15) firepwd.py (open source tool to decrypt Mozilla protected passwords)
16) Firefox Search Engine Extractor (opens 'search.json.mozlz4' files)
17) Firefox Bookmark Backup Reader/Decompressor (opens 'jsonlz4' files)

Sources

https://www.cybercrimechambers.com/web-browser-forensics.php
https://www.digitalforensics.com/blog/an-overview-of-web-browser-forensics/
https://medium.com/@nasbench/web-browsers-forensics-7e99940c579a
https://www.sciencedirect.com/topics/computer-science/forensic-artifact