Safari has a very simple method of storing browser history compared to those that use SQLite databases.
If the computer is running Windows XP, the Safari default path to user data is:
C:\Documents and Settings\<User Name>\Application Data\Apple Computer\Safari
For Windows Vista and Windows 7, the default path is:
C:\Users\<User Name>\AppData\Roaming\Apple Computer\Safari\
For Apple Macintosh computers, the default path is:
/Users/<User Name>/Library/Safari
History is stored in a binary XML file named History.plist. History is only stored for a month. The data can easily viewed in a hex editor, but can be converted to a structured text file on Macintosh computers by typing in the command:
$ defaults read /Users/<username>/Library/Safari/History > history.txt
This produces output like below:
{ WebHistoryDates = ( { "" = "http://www.twitter.com/"; D = ( 1 ); lastVisitWasFailure = 1; lastVisitedDate = "297678774.0"; redirectURLs = ( "http://twitter.com/" ); title = "Twitter / Home"; visitCount = 2; }, { "" = "http://www.apple.com/startpage/"; D = ( 1, 3, 3, 1, 1, 2, 0 ); W = ( 12, 18, 15, 31 ); lastVisitedDate = "297678768.7"; title = "Apple - Start"; visitCount = 87; }, ); WebHistoryFileVersion = 1; }
The format for each entry appears to have the URL visited, followed by a list of “D”, an optional list of “W”, an optional last visit was a failure, the date this URL was last visited, an optional redirect URL, the URL page title and the total visit count. Safari stores the date as the number of seconds since 1st January 2001 GMT. It is not clear what the D and W lists are for, as the only reference to History.plist on the internet is to an older version of Safari which stored fewer fields. If anyone has any ideas on what they mean, I'd love to know. Even programs that convert web log files into nice tables (Such as Net Analysis) ignore the D and W fields.
Other files that are useful are Bookmarks.plist and Form Values.plist. Bookmarks.plist contains a list of the user’s bookmarks, and Form Values.plist the user’s form inputs – however this file appears to be store data in an encrypted format.
References
Update: The 'D' and 'W' lists seem to add up to the visitCount, and when you view your history via Safari it does tell you all the times you've visited a site (date only, not time) even though that's no explicitly stored. I still can't figure out how the D and W correspond to previous visits though.
How about that: I think D stores the visit count of the last few Days and W of the last few Weeks. For example: D = 1,0,0,4,2,1 might mean that, the day before the last visit it was visited 1, the day before that 0 and the day before that 0 and the day before that 4 and so on times. The same might go for the weeks. What do you think?
Lenzie privacy AES naughty bunny Gullane magnets symposium play proxy logs Windows 7 sewing Vista binky magic papier mache Belgium Istanbul PostgreSQL chicken ballistics iPod touch kill chain ADS Barcelona Tineye encryption Irari rules conference Karanga camp Internet Explorer iPod Touch digital forensics security Google Chrome The Balmoral government threat assessment backup link files exhibition crafts chocolate Safari Firefox Routine Activities Theory foamcore compSIA. Security+ Data Protection Act Skye Lockheed Martin Post Secret answers laptop The cloud malware UK Cyber Security Strategy chemistry Edinburgh England timezones