As most forensicators would agree, index.dat files are an extremely valuable Windows artifact in an investigation. These files store all sorts of internet browsing history from Internet Explorer, as well as where a user browsed to within directories on the device using Windows Explorer. Even after clearing the internet history, emptying the cache, and removing cookies in Internet Explorer, the logs of where a user surfed on the internet remain stored within the file.
Windows operating systems are still the most prevalent, but what is the equivalent on Mac operating systems, which are quickly becoming just as popular? The sad revelation (in my mind) is that there is no exact equivalent of an index.dat file on a Mac. For Safari, internet browsing history is stored in a plist (a property list file, which stores application information) within the system library. This plist is located at:
*One commonality between index.dat files and history.plist is that they are both stored locally under the user’s profile.
Once Xcode4 is installed, navigating to the history.plist file and double-clicking it will automatically open the file in the PlistEditor. Under “WebHistoryDates” will be each entry in the browser history.
The history.plist files are read in chronological order from the bottom to the top, meaning that the top entry (Item 0) is the most recently visited website.
Expanding each item in the history will show its contents.
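An added example (not from the original post) that reads the “WebHistoryDates” entries with Python's plistlib instead of the PlistEditor and returns them most recent first. The per-entry key names ("" for the URL, "title", "lastVisitedDate" as seconds since 2001-01-01 UTC, "visitCount") are assumptions about the file layout, and the sample plist is constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac absolute time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_history(raw: bytes):
    """Return history entries as dicts, most recent visit first."""
    plist = plistlib.loads(raw)  # accepts both XML and binary plists
    rows = []
    for item in plist.get("WebHistoryDates", []):
        if not isinstance(item, dict):
            continue  # skip structurally damaged entries
        # Assumed per-entry keys: "", "title", "lastVisitedDate", "visitCount".
        try:
            visited = MAC_EPOCH + timedelta(seconds=float(item["lastVisitedDate"]))
        except (KeyError, TypeError, ValueError):
            visited = None  # keep the entry; the URL is still evidence
        rows.append({
            "url": item.get("", ""),
            "title": item.get("title", ""),
            "visits": int(item.get("visitCount", 0)),
            "last_visited_utc": visited,
        })
    # Sort explicitly instead of trusting on-disk order; undated entries go last.
    dated = [r for r in rows if r["last_visited_utc"]]
    undated = [r for r in rows if not r["last_visited_utc"]]
    return sorted(dated, key=lambda r: r["last_visited_utc"], reverse=True) + undated

# Constructed sample data, deliberately out of order, with one damaged timestamp.
SAMPLE = plistlib.dumps({
    "WebHistoryDates": [
        {"": "http://example.org/", "title": "Example",
         "lastVisitedDate": "350000000.0", "visitCount": 1},
        {"": "http://example.net/broken", "lastVisitedDate": "not-a-number"},
        {"": "http://example.com/news", "title": "News",
         "lastVisitedDate": "350000100.5", "visitCount": 3},
    ],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for row in parse_history(SAMPLE):
        print(row["last_visited_utc"], row["visits"], row["url"], row["title"])
```

To run it against real evidence, pass the bytes of a working copy of history.plist to `parse_history`.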
One flaw (forensically speaking) of this plist file, however, is that unlike the index.dat files, the history.plist file gets cleared when the browsing history is cleared from Safari. Because of this, a lot of valuable data can be lost. When a user is in Safari and goes to History > Clear History (which is the easy way to clear browsing history), there are still some artifacts left behind that investigators can use to determine other sites that were browsed before the history was cleared. One of these artifacts is the Cache.
The first method is to carve deleted browsing history from unallocated space. More details on this methodology can be found on Richard Drinkwater’s blog.
Cached entries are located at /username/Library/Caches/com.apple.Safari, where there is a Cache.db (SQL Database file) and a folder called “Webpage Previews”. The Webpage Previews folder will contain snapshots of webpages that were previewed even before the browser history was cleared.
In my opinion, analyzing the web browsing history on a Mac operating system can be much more work intensive than analyzing an index.dat file, seeing as an investigator has to look in multiple places on a Mac device to find the same information that can be found in the index.dat. Learning forensics on a Windows device, I was surprised when I found out that deleted browsing history is not kept on the device normally. On the other hand, when I mentioned this topic to a coworker, he was surprised that Windows actually kept that information.
If anyone has any further guidance or comments, please feel free to post. Mac analysis is extremely new to me, but what I’ve found so far is extremely interesting.