Safari has a very simple method of storing browser history compared to those that use SQLite databases.
If the computer is running Windows XP, the Safari default path to user data is:
C:\Documents and Settings\<User Name>\Application Data\Apple Computer\Safari
For Windows Vista and Windows 7, the default path is:
C:\Users\<User Name>\AppData\Roaming\Apple Computer\Safari\
For Apple Macintosh computers, the default path is:
/Users/<User Name>/Library/Safari
History is stored in a binary XML file named History.plist. History is only stored for a month. The data can easily be viewed in a hex editor, but can be converted to a structured text file on Macintosh computers by typing in the command:
$ defaults read /Users/<username>/Library/Safari/History > history.txt
This produces output like the following:
{
    WebHistoryDates = (
        {
            "" = "http://www.twitter.com/";
            D = ( 1 );
            lastVisitWasFailure = 1;
            lastVisitedDate = "297678774.0";
            redirectURLs = ( "http://twitter.com/" );
            title = "Twitter / Home";
            visitCount = 2;
        },
        {
            "" = "http://www.apple.com/startpage/";
            D = ( 1, 3, 3, 1, 1, 2, 0 );
            W = ( 12, 18, 15, 31 );
            lastVisitedDate = "297678768.7";
            title = "Apple - Start";
            visitCount = 87;
        },
    );
    WebHistoryFileVersion = 1;
}
Each entry appears to contain the URL visited, followed by a list “D”, an optional list “W”, an optional flag indicating that the last visit was a failure, the date this URL was last visited, an optional redirect URL, the page title and the total visit count. Safari stores the date as the number of seconds since 1st January 2001 GMT. It is not clear what the D and W lists are for, as the only reference to History.plist on the internet is to an older version of Safari which stored fewer fields. If anyone has any ideas on what they mean, I’d love to know. Even programs that convert web log files into nice tables (such as Net Analysis) ignore the D and W fields.
Other files that are useful are Bookmarks.plist and Form Values.plist. Bookmarks.plist contains a list of the user’s bookmarks, and Form Values.plist the user’s form inputs – however this file appears to store data in an encrypted format.
Update: The ‘D’ and ‘W’ lists seem to add up to the visitCount, and when you view your history via Safari it does tell you all the times you’ve visited a site (date only, not time) even though that’s not explicitly stored. I still can’t figure out how the D and W correspond to previous visits though.
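The following Python script is an added example, not part of the original post. It parses a History.plist, converts lastVisitedDate from seconds since 1st January 2001 GMT into a UTC timestamp, and totals the D and W lists so they can be compared with visitCount. The function name parse_history, the row field names and the SAMPLE data (the two entries from the output above, re-encoded as a binary plist) are assumptions made for the example.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Safari counts seconds from 1 January 2001 00:00:00 GMT, not the Unix epoch.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_history(raw):
    """Turn History.plist bytes (binary or XML plist) into one row per URL."""
    rows = []
    for entry in plistlib.loads(raw).get("WebHistoryDates", []):
        # lastVisitedDate is a string holding fractional seconds
        last = MAC_EPOCH + timedelta(seconds=float(entry["lastVisitedDate"]))
        rows.append({
            "url": entry.get("", ""),  # the URL is stored under an empty key
            "title": entry.get("title", ""),
            "last_visited_utc": last,
            "visit_count": entry.get("visitCount", 0),
            "last_visit_failed": bool(entry.get("lastVisitWasFailure", False)),
            "redirects": list(entry.get("redirectURLs", [])),
            # Sum of the undocumented D and W lists, to compare with visitCount
            "dw_sum": sum(entry.get("D", [])) + sum(entry.get("W", [])),
        })
    # Most recent visit first
    return sorted(rows, key=lambda r: r["last_visited_utc"], reverse=True)

# Constructed sample: the two entries from the output above, re-encoded as a
# binary plist so the script runs without a real History.plist.
SAMPLE = plistlib.dumps({
    "WebHistoryDates": [
        {"": "http://www.twitter.com/", "D": [1], "lastVisitWasFailure": 1,
         "lastVisitedDate": "297678774.0",
         "redirectURLs": ["http://twitter.com/"],
         "title": "Twitter / Home", "visitCount": 2},
        {"": "http://www.apple.com/startpage/", "D": [1, 3, 3, 1, 1, 2, 0],
         "W": [12, 18, 15, 31], "lastVisitedDate": "297678768.7",
         "title": "Apple - Start", "visitCount": 87},
    ],
    "WebHistoryFileVersion": 1,
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for r in parse_history(SAMPLE):
        print(r["last_visited_utc"].isoformat(), r["url"],
              f"visits={r['visit_count']} D+W={r['dw_sum']}",
              "FAILED" if r["last_visit_failed"] else "")
```

To run it against a real file, pass the bytes of a working copy of History.plist to parse_history. For the two sample entries, D+W comes to 1 and 87 against visit counts of 2 and 87.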
References
- Mac Forensics: Mac OS X and the HFS+ File System, Philip Craiger & PK Burke
- Analyzing Safari 2.x Web Browser Artifacts using SFT, Jacob Cunningham
- MacScriptor Forum