Safari Evidence Processor Module
This script, which was previously called the Safari Cache Evidence Processor Module, is a self-installing Evidence Processor module that parses macOS Safari web-browser data.
It currently supports parsing legacy cache content indexed by Cache.db files, WebKit cache content from WebKitCache folders, Internet history indexed by History.db files, cloud-tab data indexed by CloudTabs.db files, top-site data stored in TopSites.plist files, download information stored in Downloads.plist files, and recent tabs information stored in LastSession.plist and RecentlyClosedTabs.plist files.
Webkit cache versions 4, 12, 13 and 14 are supported. Please contact the author if there is an urgent need to parse other versions.
The module is installed by dragging and dropping it onto EnCase. It can then be invoked by selecting it under the Modules folder of the EnCase Evidence Processor dialog box. The examiner should ensure that file-signature analysis is checked in order to identify the content of each cached-resource (cached resources do not have file-extensions).
Additional important information is contained in the module installer and EnCase Evidence Processor dialog box.Download Now