iOS Safari History
Safari History.db records visits with timestamp, URL, title, visit count, and referrer. Combined with tabs.db it reconstructs a user's mobile browsing session.
Where to find it
Default filesystem paths and registry locations. Collect these with your preferred live-response or disk-image tooling.
- $/private/var/mobile/Library/Safari/History.db
- $/private/var/mobile/Containers/Data/Application/{UUID}/Library/Safari/History.db
Forensic significance
Common scenarios in which this artifact becomes decisive evidence.
- Researching crime preparation (location, weapons, tactics)
- Contraband content investigation
- Phishing or social-engineering victim analysis
MITRE ATT&CK mapping
Techniques this artifact can help detect or substantiate. Click a technique to view the official MITRE entry.
Tools that parse it
unJaena AI and other DFIR tools commonly used to extract evidence from this artifact.
Related artifacts
iOS SMS / iMessage (sms.db)
iOS stores SMS, MMS, and iMessage conversations in a single SQLite database including timestamps, read receipts, attachments, and reply threading.
TypedURLs
Internet Explorer / Edge Legacy registry key storing the last 25 URLs a user typed manually into the address bar — stronger evidence than a general visit record.
iOS Call History
CallHistory.storedata logs every cellular, VoIP, FaceTime, and third-party call (WhatsApp, KakaoTalk) with duration, direction, and contact information.
KakaoTalk iOS
Korea's dominant messenger. iOS client stores chatrooms, messages, contacts, and attachment metadata in SQLite databases inside the app sandbox.
Stop parsing artifacts by hand
unJaena AI ingests disk images, live-response output, and mobile backups, then automatically correlates every artifact on this page — and 200+ more — into an investigator-ready timeline.
Try unJaena AI →