Browsers forensics

Browsing history / download artefacts

Overview

Web browser related artefacts can be split into the following categories:

  • User profile: web browsers, such as Chromium-based browsers and Firefox, implement a profile feature to store the user's settings, history, favourites, etc. The databases and files that hold this information are usually stored under a user-specific profile folder.

  • History: web browsing history and download history.

  • Cookies: web browsing cookies (including session tokens).

  • Cache: cache of resources downloaded from the accessed websites (images, text content, HTML, CSS, JavaScript files, etc.).

  • Sessions: tabs and windows of a browsing session.

  • Settings: configuration settings.

These files are usually stored under %LocalAppData% (%SystemDrive%\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%\Users\<USERNAME>\AppData\Roaming\).

Artefacts details

Each entry below lists, for one artefact: Name, Type, Description, Information / interpretation, Location and Tool(s).

NTUSER - TypedURLs
  Type: Web browsers usage
  Description: URLs entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) address bar. Web searches do not generate entries; only the typing of a URL does. Entries are added / updated in near real-time.
  Information / interpretation: the URLs are stored as url1 to url[N] in reverse chronological order (url1 being the most recent). The last write timestamp of the key is thus the visit timestamp of the most recently visited URL.
  Location:
    File: %SystemDrive%\Users\<USERNAME>\NTUSER.dat
    Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs
  Tool(s): NirSoft's BrowsingHistoryView

Microsoft Internet Explorer
  Type: Web browsers usage
  Description: Microsoft Internet Explorer artefacts.
  Information / interpretation: -
  Location:
    History, downloads, cache, and cookies metadata in an ESE database: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
      > History: History table
      > Downloads: iedownload table
      > Cache: content table
      > Cookies metadata: Cookies table
    Local file accesses, not necessarily made through the web browser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///<DRIVE_LETTER>:/folder/file).
    Cookies: %AppData%\Microsoft\Windows\Cookies
    Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat
  Tool(s): NirSoft's BrowsingHistoryView

Microsoft Edge (Legacy)
  Type: Web browsers usage
  Description: Microsoft Edge (legacy version) artefacts.
  Information / interpretation: -
  Location:
    User profile(s): %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC
    History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer): %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
    Cache: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache
    Sessions: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active
    Settings: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
  Tool(s): NirSoft's BrowsingHistoryView

Microsoft Edge (Chromium-based)
  Type: Web browsers usage
  Description: Microsoft Edge (Chromium-based) artefacts. Since Edge version v79 (January 2020), Microsoft Edge uses a Chromium backend and shares similar artefacts with Google Chrome.
  Information / interpretation: -
  Location (with X ranging from one to n):
    User profile(s): %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\*
    History: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History
    Cookies: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies
    Cache: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache
    Sessions: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions
    Settings: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences
  Tool(s): NirSoft's BrowsingHistoryView

Google Chrome
  Type: Web browsers usage
  Description: Google Chrome artefacts.
  Information / interpretation: -
  Location (with X ranging from one to n):
    User profile(s): %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\*
    History: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History
    Cookies: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies
    Cache: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache
    Sessions: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions
    Settings: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences
  Tool(s): NirSoft's BrowsingHistoryView

Mozilla Firefox
  Type: Web browsers usage
  Description: Mozilla Firefox artefacts.
  Information / interpretation: -
  Location:
    User profile(s): %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\*
    History, downloads, and bookmarks in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite
    Cookies in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite
    Cache: %LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\*
    Sessions: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstore-backups\*
    Settings: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js
  Tool(s): NirSoft's BrowsingHistoryView
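The two history stores listed above use different clocks: the Chromium History file (Chrome and Chromium-based Edge) stores WebKit time, microseconds since 1601-01-01 UTC, while Firefox's places.sqlite stores microseconds since the Unix epoch. The following script is an added example (not part of the original note) that reads both with a read-only SQLite connection and normalises the visit times to UTC; the table and column names in the queries (urls / visits, moz_places / moz_historyvisits) are assumed from the real schemas, and the sample databases it builds are constructed for the dry run.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chromium History: WebKit time = microseconds since 1601-01-01 UTC.
# Firefox places.sqlite: PRTime = microseconds since 1970-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def prtime_to_utc(us):
    return UNIX_EPOCH + timedelta(microseconds=us)

def _query(db_path, sql):
    # Read-only URI so the file is never modified; still work on a copy, the running
    # browser keeps History / places.sqlite locked and may hold unflushed WAL data.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()

def chromium_history(db_path):
    """(url, title, visit time as UTC datetime) tuples, oldest first (assumed urls/visits schema)."""
    rows = _query(db_path, "SELECT u.url, u.title, v.visit_time FROM visits v "
                           "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(url, title, webkit_to_utc(t)) for url, title, t in rows]

def firefox_history(db_path):
    """Same view from places.sqlite (assumed moz_places / moz_historyvisits schema)."""
    rows = _query(db_path, "SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
                           "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date")
    return [(url, title, prtime_to_utc(t)) for url, title, t in rows]

def build_constructed_samples(directory):
    """Write two tiny constructed databases holding one visit at 2024-01-15 12:00:00 UTC."""
    visit = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    chrome, firefox = os.path.join(directory, "History"), os.path.join(directory, "places.sqlite")
    con = sqlite3.connect(chrome)
    con.executescript("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
                      "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
    con.execute("INSERT INTO urls VALUES (1, 'https://example.test/login', 'Login')")
    con.execute("INSERT INTO visits VALUES (1, 1, ?)", ((visit - WEBKIT_EPOCH) // timedelta(microseconds=1),))
    con.commit(); con.close()
    con = sqlite3.connect(firefox)
    con.executescript("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
                      "CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);")
    con.execute("INSERT INTO moz_places VALUES (1, 'https://example.test/login', 'Login')")
    con.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", ((visit - UNIX_EPOCH) // timedelta(microseconds=1),))
    con.commit(); con.close()
    return chrome, firefox

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        chrome, firefox = build_constructed_samples(d)
        return chromium_history(chrome), firefox_history(firefox)

if __name__ == "__main__":
    for url, title, when in sum(run_demo(), []):
        print(when.isoformat(), url, title)
```

Point the two functions at copies of the real History and places.sqlite files from the profile paths above to get the same normalised view on evidence.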

Parsing

As stated above, NirSoft's BrowsingHistoryView utility (NirSoft_BrowsingHistoryView KAPE module) can be used to parse the artefacts of a number of browsers and extract browsing history information. BrowsingHistoryView can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in CSV format).

```
# /HistorySource 3: load history from the user profiles folder specified with /HistorySourceFolder.
# /HistorySourceFolder <USER_PROFILES_FOLDER>: for example "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for a shadow copy).
# /VisitTimeFilterType 1: load history dating back to any time.
# /ShowTimeInGMT 1: display timestamps in GMT / UTC (defaults to the local timezone).
# /scomma <OUTPUT_CSV>: save the result as a comma-delimited CSV file.

browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "<USER_PROFILES_FOLDER>" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma <OUTPUT_CSV>
```

References

https://www.13cubed.com/downloads/windows_browser_artifacts_cheat_sheet.pdf

https://book.hacktricks.xyz/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts

https://www.nirsoft.net/utils/browsing_history_view.html

https://www.forensafe.com/blogs/typedurls.html
