lowmanio.co.uk

How Safari stores web history

Fri, 11 Jun 2010 11:41AM

Category: Digital Forensics & Malware

Written by Sarah | With 2 comments

Safari has a very simple method of storing browser history compared to those that use SQLite databases.

If the computer is running Windows XP, the Safari default path to user data is:

C:\Documents and Settings\<User Name>\Application Data\Apple Computer\Safari

For Windows Vista and Windows 7, the default path is:

C:\Users\<User Name>\AppData\Roaming\Apple Computer\Safari\

For Apple Macintosh computers, the default path is:

/Users/<User Name>/Library/Safari

History is stored in a binary XML file named History.plist. History is only stored for a month. The data can easily viewed in a hex editor, but can be converted to a structured text file on Macintosh computers by typing in the command:

$ defaults read /Users/<username>/Library/Safari/History > history.txt

This produces output like below:

{
WebHistoryDates = (
       {
            "" = "http://www.twitter.com/";
            D =             (
                1
            );
            lastVisitWasFailure = 1;
            lastVisitedDate = "297678774.0";
            redirectURLs =             (
                "http://twitter.com/"
            );
            title = "Twitter / Home";
            visitCount = 2;
        },
        {
            "" = "http://www.apple.com/startpage/";
            D = (
                1,
                3,
                3,
                1,
                1,
                2,
                0
            );
            W = (
                12,
                18,
                15,
                31
            );
            lastVisitedDate = "297678768.7";
            title = "Apple - Start";
            visitCount = 87;
        },           
    );
    WebHistoryFileVersion = 1;
}

The format for each entry appears to have the URL visited, followed by a list of “D”, an optional list of “W”, an optional last visit was a failure, the date this URL was last visited, an optional redirect URL, the URL page title and the total visit count. Safari stores the date as the number of seconds since 1st January 2001 GMT. It is not clear what the D and W lists are for, as the only reference to History.plist on the internet is to an older version of Safari which stored fewer fields. If anyone has any ideas on what they mean, I'd love to know. Even programs that convert web log files into nice tables (Such as Net Analysis) ignore the D and W fields.

Other files that are useful are Bookmarks.plist and Form Values.plist. Bookmarks.plist contains a list of the user’s bookmarks, and Form Values.plist the user’s form inputs – however this file appears to be store data in an encrypted format.

References

Tagged with: web history, Safari

Comments

Update: The 'D' and 'W' lists seem to add up to the visitCount, and when you view your history via Safari it does tell you all the times you've visited a site (date only, not time) even though that's no explicitly stored. I still can't figure out how the D and W correspond to previous visits though. 
Sarah
Mon, 14 Jun 2010 03:04PM
How about that:

I think D stores the visit count of the last few Days and W of the last few Weeks. For example: D = 1,0,0,4,2,1 might mean that, the day before the last visit it was visited 1, the day before that 0 and the day before that 0 and the day before that 4 and so on times. The same might go for the weeks. What do you think?
Felix Morgner
Sat, 16 Mar 2013 05:19AM

Add a comment

captcha