Browsers forensics

Browsing history / download artefacts

Overview

Web browser related artefacts can be split into the following categories:

  • User profile: web browsers, such as Chromium-based browsers and Firefox, implement a profile feature to store the user's settings, history, favourites, etc. The databases and files that hold this information are usually stored under a user-specific profile folder.

  • History: web browsing history and download history.

  • Cookies: web browsing cookies (session tokens).

  • Cache: cache of resources downloaded from accessed websites (images, text content, HTML, CSS, JavaScript files, etc.).

  • Sessions: tabs and windows from a browsing session.

  • Settings: configuration settings.

These files are often stored under %LocalAppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).

Artefacts details

Each entry below lists the artefact's name, type, description, information / interpretation, and location (the columns of the original table).

NTUSER - TypedURLs

  • Type: Web browsers usage

  • Description: URLs entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) search bar. Web searches do not generate entries; only typing a URL will. Entries are added / updated in near real time.

  • Information / interpretation: The URLs are stored as url1 to url[N] in reverse chronological order. The last write timestamp of the key is thus the visit timestamp of the most recently visited URL.

  • Location:
      File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat
      Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs

Microsoft Internet Explorer

  • Type: Web browsers usage

  • Description: Microsoft Internet Explorer artefacts. For more information: Browsers forensics note.

  • Information / interpretation: -

  • Location:
      History, downloads, cache, and cookies metadata in an ESE database: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
        > History: History table
        > Downloads: iedownload table
        > Cache: content table
        > Cookies metadata: Cookies table
      Local file access, not necessarily through the web browser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///<DRIVE_LETTER>:/folder/file).
      Cookies: %AppData%\Microsoft\Windows\Cookies
      Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat

Microsoft Edge (Legacy)

  • Type: Web browsers usage

  • Description: Microsoft Edge (legacy version) artefacts. For more information: Browsers forensics note.

  • Information / interpretation: -

  • Location:
      User profile(s): %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC
      History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer): %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
      Cache: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache
      Sessions: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active
      Settings: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb

Microsoft Edge (Chromium-based)

  • Type: Web browsers usage

  • Description: Microsoft Edge (Chromium-based) artefacts. Since Edge version 79 (January 2020), Microsoft Edge uses a Chromium backend and has artefacts similar to Google Chrome's. For more information: Browsers forensics note.

  • Information / interpretation: -

  • Location (X ranging from 1 to n):
      User profile(s): %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\*
      History: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History
      Cookies: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies
      Cache: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache
      Sessions: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions
      Settings: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences

Google Chrome

  • Type: Web browsers usage

  • Description: Google Chrome artefacts. For more information: Browsers forensics note.

  • Information / interpretation: -

  • Location (X ranging from 1 to n):
      User profile(s): %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\*
      History: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History
      Cookies: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies
      Cache: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache
      Sessions: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions
      Settings: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences

Mozilla Firefox

  • Type: Web browsers usage

  • Description: Mozilla Firefox artefacts. For more information: Browsers forensics note.

  • Information / interpretation: -

  • Location:
      User profile(s): %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\*
      History, downloads, and bookmarks in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite
      Cookies in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite
      Cache: %LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\*
      Sessions: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstorebackups\*
      Settings: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js
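As an added example (not code from the original note), the Python script below queries the Chromium-family History SQLite database listed above for Google Chrome and Chromium-based Edge, converting the WebKit timestamps it stores (microseconds since 1601-01-01 UTC); the prtime_to_utc helper covers the different epoch used by Firefox's places.sqlite. The urls, visits and downloads tables and the columns used are Chromium's real schema; the in-memory database, its rows and the paths in it are constructed sample data.

```python
"""Added example, not code from the original note: query a Chromium-family
History database (Chrome, Chromium-based Edge) and convert its timestamps."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC (the
# FILETIME epoch); Firefox's places.sqlite uses microseconds since 1970-01-01.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Chromium/WebKit microseconds -> aware datetime; 0 means 'no timestamp'."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None

def prtime_to_utc(value):
    """Firefox PRTime microseconds -> aware datetime; 0 means 'no timestamp'."""
    return datetime.fromtimestamp(value / 1_000_000, tz=timezone.utc) if value else None

def chromium_visits(conn):
    """(visit time ISO-8601 UTC, url, title) rows, most recent visit first."""
    rows = conn.execute("SELECT v.visit_time, u.url, u.title FROM visits v "
                        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time DESC")
    return [(webkit_to_utc(t).isoformat(), url, title) for t, url, title in rows]

def chromium_downloads(conn):
    """(start time ISO-8601 UTC, local target path, page the download came from)."""
    rows = conn.execute("SELECT start_time, target_path, tab_url FROM downloads "
                        "ORDER BY start_time")
    return [(webkit_to_utc(t).isoformat(), path, tab) for t, path, tab in rows]

def _to_webkit(dt):
    """Integer-exact inverse of webkit_to_utc, used only to build sample data."""
    d = dt - WEBKIT_EPOCH
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds

def sample_history():
    """Constructed in-memory stand-in for a real History file (schema subset)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
        "CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, "
        "start_time INTEGER, tab_url TEXT);")
    t1 = _to_webkit(datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc))
    t2 = t1 + 90 * 1_000_000  # second visit and the download, 90 seconds later
    conn.execute("INSERT INTO urls VALUES (1, 'https://example.test/', 'Example')")
    conn.executemany("INSERT INTO visits VALUES (?, 1, ?)", [(1, t1), (2, t2)])
    conn.execute("INSERT INTO downloads VALUES (1, ?, ?, 'https://example.test/')",
                 (r"C:\Users\alice\Downloads\tool.exe", t2))
    return conn
```

To run it against real evidence, pass sqlite3.connect() a copy of the History file rather than the live one, which the browser keeps locked while it is open.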

Parsing

NirSoft's BrowsingHistoryView utility (NirSoft_BrowsingHistoryView KAPE module) can parse the artefacts of a number of browsers to extract browsing history information. BrowsingHistoryView can be used either as a graphical application or as a command-line utility that exports the parsing result (for instance in CSV format).

# /HistorySource 3: Load history from the specified profiles folder (specified using /HistorySourceFolder).
# /HistorySourceFolder <USER_PROFILES_FOLDER> example: "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for a shadow copy).
# /VisitTimeFilterType 1: Load history dating back to any time.
# /ShowTimeInGMT 1: Convert timestamps to UTC (defaults to the local timezone).
# /scomma <OUTPUT_CSV>: Save the result as a comma-delimited (CSV) file.

browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "<USER_PROFILES_FOLDER>" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma <OUTPUT_CSV>
