Apple is about to release two new OS upgrades in the form of iOS 14 and macOS 11 (whoa, that's weird to say) this fall. New OS versions always bring a lot of new artifact testing. I've always been fascinated with tracking browser preferences, and due to the nature of how Safari operates, I feel that it's one of the most important browsers whose preferences to track and understand.
Apple likes to make sure that there's a level of protection between a user and granting permission for an application to do something. This is handled as part of Apple's "Transparency, Consent, and Control" (TCC) and recorded in the TCC.db database on both macOS and iOS. These databases are always a hot point of investigation for me because I'm always curious as to what permissions the application has asked for, as well as what permissions the user has granted. This can help guide me toward specific things to look for that may have been generated by an application.
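As an added example (not from the original post), this is one way to list which permissions each application has requested and what the user decided. The `access` table and its `service`, `client`, `allowed` and `auth_value` columns are assumptions based on the commonly documented TCC.db layout, not something this page specifies, and the rows are constructed sample data.

```python
import sqlite3

# Meaning of auth_value in the newer schema (assumption, not from this page).
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
# The older schema stores a boolean in `allowed` instead.
ALLOWED = {0: "denied", 1: "allowed"}


def tcc_decisions(conn):
    """Return [(client, service, decision)] for either TCC.db schema."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:
        column, meaning = "auth_value", AUTH_VALUE
    elif "allowed" in cols:
        column, meaning = "allowed", ALLOWED
    else:
        raise ValueError("access table has no known decision column")
    rows = conn.execute(
        f"SELECT client, service, {column} FROM access ORDER BY client, service"
    )
    # Surface unexpected values instead of silently mapping them.
    return [(c, s, meaning.get(v, f"unrecognised ({v})")) for c, s, v in rows]


def sample_db(new_schema):
    """Build a constructed in-memory database; rows are sample data only."""
    conn = sqlite3.connect(":memory:")
    column = "auth_value" if new_schema else "allowed"
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, {column} INTEGER)")
    granted = 2 if new_schema else 1
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?)",
        [
            ("kTCCServiceCamera", "com.example.videochat", granted),
            ("kTCCServiceMicrophone", "com.example.videochat", 0),
        ],
    )
    return conn


if __name__ == "__main__":
    for new_schema in (False, True):
        for client, service, decision in tcc_decisions(sample_db(new_schema)):
            print(client, service, decision)
```

On a real case, run it against a working copy opened read-only, for example `sqlite3.connect("file:TCC.db?mode=ro", uri=True)`, so the evidence file is not modified.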
For Safari, Apple also wants to extend that same protection and control to its users. This is done in the form of pop-ups that appear at the top of Safari asking a user if they want to extend specific preferences for a website to do a specific task. In the days of online conferencing and video chatting, it's important to know if a site has been asking for certain information from the user and whether or not the user has accepted. But I'm getting ahead of myself. Let's start at 0.
Recently I got an update notification for Safari 14. Safari 14 is the version that will ship as part of iOS 14 and macOS 11. After updating, I started checking on some preferences to make sure they hadn't moved. Earlier this summer, I wrote a blog post on the main Magnet Forensics blog to discuss some of my findings on Safari preference data. (Link: ) I figured that with Safari 14 updated, it's good to just revamp the post and give everyone a rundown of location values of specific files and how they can play into your investigations.
Let's start with a baseline. Safari, by default, records the following preferences:
- History: Safari for macOS will only keep 1 year's worth of web history (by default). This differs from the 30 days of history that iOS keeps.
- Downloads: Safari only tracks the last 20 downloads in the Downloads.plist file, and by default this setting also keeps that information for only the last 1 day. This means that by default only the last day's downloads will be available for review.
- Open Safe Files: If you're trying to prove whether the user "opened" a file, this can complicate things. Safari will automatically open items that Gatekeeper deems "safe" after download. (Gee officer, I didn't know that video had bad stuff in it. I never played it.) Safari could still open a file FOR the user even if the user never intended to.
- History Storage Time
- Download Storage Time
- Download Locations
- Search Engine
- Open "Safe" Files setting
- Allow = 0
- Ask = 1
- Deny = 2
- Block = 1
- Allow = 2
- Ask = 0
- Deny = 1
- Allow = 2
- Allow All Auto-Play = 0
- Stop Media with Sound = 1
- Never Auto-Play = 2