Safari Artifact Parser (sap)
Introduction
The Safari browser leaves many artifacts that a forensic examiner can use to identify a user's Internet activity. These include Safari's various SQLite databases, associated property lists (plists), cookies and cache. This tool focuses on the artifacts associated with the desktop version of the browser; however, many of the same artifacts appear in the mobile version as well.
The files that Safari uses are spread across a few locations, all under the local user's subdirectory. The Library/Safari folder holds various files (and types of files) that relate to Safari in some way. On macOS, the Cookies and Cache files are located in the Library/Cookies and Library/Cache subdirectories, respectively. More details of the specific files parsed by the sap tool are given in the user's guide.
How to use sap
sap is a console application. If the tool is used to parse Safari artifacts in the user directories on a live macOS system, you will need to whitelist the application so that it has access to the folder locations where the artifacts are located.
One can display the menu options by typing in the executable name with no parameters. A screen shot of the menu is shown below.
Below is an example of running the tool in its simplest form. Without explicitly setting any options, the tool will default to the SQL Select-type parser. The parsed output will dump to the screen, unless one sends the output to a file.
> sap64 -db History.db -csv -out results.csv
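To show what a select-style parse of History.db involves, here is an added example; it is not sap's code and does not come from the tool's author. It assumes the history_items and history_visits tables of Safari's History.db, with visit_time stored as seconds since 2001-01-01 UTC; the sample rows and function names are constructed for illustration.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# Safari stores visit_time as Mac absolute time: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_time_to_utc(seconds):
    """Convert a Mac absolute timestamp to a UTC string (fractional seconds dropped)."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")

def build_sample_db():
    """Constructed stand-in for History.db holding only the columns queried below.
    For a real evidence copy, open it read-only instead:
    sqlite3.connect("file:History.db?mode=ro", uri=True)"""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.com/', 2);
        INSERT INTO history_items VALUES (2, 'https://example.org/login', 1);
        INSERT INTO history_visits VALUES (1, 1, 700000000.0, 'Example Domain');
        INSERT INTO history_visits VALUES (2, 2, 700000060.5, 'Sign in');
        INSERT INTO history_visits VALUES (3, 1, 700003600.0, 'Example Domain');
    """)
    return con

def parse_history(con):
    """Join each visit to its URL record and return rows in chronological order."""
    rows = con.execute("""
        SELECT v.visit_time, i.url, v.title, i.visit_count
        FROM history_visits v JOIN history_items i ON i.id = v.history_item
        ORDER BY v.visit_time
    """)
    return [(mac_time_to_utc(t), url, title, count) for t, url, title, count in rows]

def to_csv(records):
    """Render the parsed visits as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["visit_time_utc", "url", "title", "visit_count"])
    writer.writerows(records)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_history(build_sample_db())), end="")
```

A select-style query like this only returns rows that are still live in the database.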
To process multiple databases, use the -enumdir option to enumerate a folder and its subfolders of databases, like so:
> sap64 -enumdir safari_folder -num_subdirs 3 -carve -out results.csv
For more information
The user's guide can be viewed here
If you would like more information about sap, contact us via email.
Downloads
| Platform | Intel 32-bit Version | Intel 64-bit Version | ARM 64-bit Version | Checksums |
|---|---|---|---|---|
| Windows: | sap32.v.0.17.win.zip | sap64.v.0.17.win.zip | sap64a.v.0.17.win.zip | md5/sha1 |
| Linux: | sap32.v.0.17.lin.tar.gz | sap64.v.0.17.lin.tar.gz | sap64a.v.0.17.lin.tar.gz | md5/sha1 |
| Mac OS X: | Not Available | sap.v.0.17.dmg | sap.v.0.17.dmg | md5/sha1 |

*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.