Parses Safari history database
name: MacOS.Applications.Safari.History
description: |
Parses Safari history database
author: Deepak Sharma - @rxurien
type: CLIENT
precondition: SELECT OS From info() where OS = 'darwin'
parameters:
- name: HistoryPath
default: /Users/*/Library/Safari/History.db
- name: SQLQuery
default: |
SELECT * FROM history_visits INNER JOIN history_items ON history_items.id = history_visits.history_item;
- name: UserRegex
default: .
- name: UploadFile
description: Upload History.db File
type: bool
sources:
- name: History
query: |
LET history_db = SELECT
parse_string_with_regex(regex="/Users/(?P<User>[^/]+)", string=FullPath).User AS User,
FullPath
FROM glob(globs=HistoryPath)
SELECT * FROM foreach(row=history_db,
query={
SELECT timestamp(cocoatime=visit_time) AS VisitTime, User, title AS PageTitle, url AS URL, domain_expansion AS Domain, visit_count AS VisitCount, load_successful AS IsLoadSuccessful, FullPath AS FilePath
FROM sqlite(
file=FullPath,
query=SQLQuery)
})
- name: Upload
query: |
SELECT * FROM if(condition=UploadFile,
then={
SELECT User, FullPath AS FilePath,
upload(file=FullPath) AS FileDetails
FROM history_db
})