Browsers forensics

Browsing history / download artefacts

Overview

The web browsers related artefacts can be split in the following categories:

  • User profile: web browsers, such as Chronium-based browsers and Firefox, implement a profile feature to store user's setttings, history, favourites, etc. The databases and files that store these information are usually stored under a user specific profile folder.

  • History: web browsing history and download history.

  • Cookies: web browsing cookies (session tokens).

  • Cache: cache of resources downloaded from accessed websites (images, text content, HTML, CSS, Javascript files, etc.).

  • Sessions: tabs and windows from a browsing session.

  • Settings: configuration settings.

These files are often stored under %LocalAppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).

Artefacts details

Name
Type
Description
Information / interpretation
Location
Tool(s)

NTUSER - TypedURLs

Web browsers usage

URL entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser search bar. Web searches do not generate entries, only typing of an URL will. Entries are added / updated in near real-time.

The URL are stored as url1 to url[N] in inversed chronological order. The last write timestamp of the key is thus the timestamp of visit of the most recently visited URL.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs

Microsoft Internet Explorer

Web browsers usage

-

History, downloads, cache, and cookies metadata in a ESE database: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat > History: History table > Downloads: iedownload table. > Cache: content table > Cookies metadata: Cookies table. Local files access, not necessarily through the webbrowser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///<DRIVE_LETTER>:/folder/file). Cookies: %AppData%\Microsoft\Windows\Cookies Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat

Microsoft Edge (Legacy)

Web browsers usage

-

User profile(s): %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer): %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat Cache: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache Sessions: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active Settings: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb

Microsoft Edge (Chronium-based)

Web browsers usage

-

User profile(s): %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\* With X ranging from one to n. History: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History Cookies: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies Cache: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache Sessions: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions Settings: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences

Google Chrome

Web browsers usage

-

User profile(s): %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\* With X ranging from one to n. History: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History Cookies: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies Cache: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache Sessions: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions Settings: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences

Mozilla Firefox

Web browsers usage

-

User profile(s): %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\* History, downloads, and bookmarks in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite Cookies in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite Cache: %LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\* Sessions: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstorebackups\* Settings: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js

Parsing

As stated, NirSoft's BrowsingHistoryView utility (NirSoft_BrowsingHistoryView KAPE module) can be used to parse a number of browsers artefacts to extract browsing history information. BrowsingHistoryView can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in the CSV format).

# /HistorySource 3: Load history from the specified profiles folder (specified using /HistorySourceFolder).
# /HistorySourceFolder <USER_PROFILES_FOLDER> example: "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for shadow copy).
# /VisitTimeFilterType 1: Load history dating back to any time.
# /ShowTimeInGMT 1: Converts timestamps to UTC-0 (default to the local timezone).

browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "<USER_PROFILES_FOLDER>" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma <OUTPUT_CSV>

References

https://www.13cubed.com/downloads/windows_browser_artifacts_cheat_sheet.pdf

https://book.hacktricks.xyz/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts

https://www.nirsoft.net/utils/browsing_history_view.html

https://www.forensafe.com/blogs/typedurls.html

Last updated