Safari Artifact Parser (sap)


The Safari Browser has many artifacts available that the forensics examiner can use in identifying a user's Internet activity. This includes Safari's various SQLite databases, associated property lists (plists), cookies and cache. This tool focuses on those artifacts associated with the desktop version of the browser, however, many of these same artifacts appear in the mobile version of the browser as well.

There are a few locations one needs to look to find the various files that Safari uses. These are located in the local user's subdirectory; starting with the Library/Safari folder, there are various files (and types of files) that are related to Safari in some aspect. For the Cookies and Cache files used on a MacOS, they are located in the Library/Cookies, Library/Cache subdirectories, respectively. More details of the specific files parsed by the sap tool are identified in the user's guide.

How to use sap

sap is a console application. If this tool is used to parse Safari artifacts in the user directories on a live MacOS system, you will need to whitelist the application so that it has access to the requisite folder locations where the artifacts are located.

One can display the menu options by typing in the executable name with no parameters. A screen shot of the menu is shown below.

sap menu

Below is an example of running the tool in its simplest form. Without explicitly setting any options, the tool will default to the SQL Select-type parser. The parsed output will dump to the screen, unless one sends the output to a file.

    > sap64 -db History.db -csv -out results.csv

To process multiple databases one would use the -enumdir option while enumerating a folder and subfolder of databases, like so:

    > sap64 -enumdir safari_folder -num_subdirs 3 -carve -out results.csv

For more information

The user's guide can be viewed here

If you would like more information about sap, contact us via email.


Intel 32-bit VersionIntel 64-bit VersionARM 64-bit Version
Mac OS X:Not Availablesap.v.0.16.dmgsap.v.0.16.dmgmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.