Commit 892996f

Add Safari Browser History (#49)
Adds a Safari Browser History definition that parses the History.db database on macOS. Joins history_items and history_visits tables to get a per-visit browsing timeline. Note that Safari's data directory (~/Library/Safari/) is protected by macOS TCC. The Velociraptor agent must have Full Disk Access for this to return results.
1 parent 8df003c commit 892996f

1 file changed

+56
-0
lines changed

@@ -0,0 +1,56 @@
1+
Name: Safari Browser History
2+
Author: araesa
3+
Description: |
4+
Parses Safari browsing history from the History.db database.
5+
Joins history_items and history_visits tables to produce a
6+
per-visit browsing timeline. The Origin field indicates whether
7+
the visit was local or synced from another device via iCloud.
8+
9+
NOTE: Safari's data directory (~/Library/Safari/) is protected
10+
by macOS TCC. The Velociraptor agent must have Full Disk Access.
11+
12+
SQLiteIdentifyQuery: |
13+
SELECT count(*) AS `Check`
14+
FROM sqlite_master
15+
WHERE type='table'
16+
AND (name='history_items' OR name='history_visits');
17+
SQLiteIdentifyValue: 2
18+
Categories:
19+
- MacOS
20+
- Browser
21+
FilenameRegex: "History.db"
22+
Globs:
23+
- "/Users/*/Library/Safari/History.db"
24+
25+
Sources:
26+
- name: Visits
27+
VQL: |
28+
SELECT ID,
29+
timestamp(epoch=visit_time + 978307200) AS VisitTime,
30+
URL, Title, VisitCount, DomainExpansion,
31+
if(condition=Origin = 0,
32+
then="Local",
33+
else="iCloud Sync") AS Origin,
34+
Bool(Value=LoadSuccessful) AS LoadSuccessful,
35+
Bool(Value=HttpNonGet) AS HttpNonGet,
36+
RedirectSource, RedirectDestination, OSPath
37+
FROM Rows
38+
WHERE VisitTime > DateAfter AND VisitTime < DateBefore
39+
AND (URL, Title) =~ FilterRegex
40+
41+
SQL: |
42+
SELECT
43+
hi.id AS ID,
44+
hv.visit_time,
45+
hi.url AS URL,
46+
hv.title AS Title,
47+
hi.visit_count AS VisitCount,
48+
hi.domain_expansion AS DomainExpansion,
49+
hv.origin AS Origin,
50+
hv.load_successful AS LoadSuccessful,
51+
hv.http_non_get AS HttpNonGet,
52+
hv.redirect_source AS RedirectSource,
53+
hv.redirect_destination AS RedirectDestination
54+
FROM history_items hi
55+
JOIN history_visits hv ON hi.id = hv.history_item
56+
ORDER BY hv.visit_time ASC
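
Review bot: in the SQL block, ID is taken from hi.id, the history_items key, so every visit to the same URL carries the same ID and the per-visit rows have no identifier of their own. Consider also selecting the visit key (for example `hv.id AS VisitID`) and passing it through in the VQL SELECT; if redirect_source and redirect_destination refer to visit rows, that column is also what an analyst needs to follow RedirectSource and RedirectDestination from one row to another. Separately, the Origin mapping in the VQL labels every value other than 0 as "iCloud Sync"; if other origin values can occur, keeping the raw number next to the label would avoid mislabelling them. The dot in FilenameRegex "History.db" is unescaped and matches any character; `History\.db` says what is meant.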
