Browsers forensics
Browsing history / download artefacts
Overview
Web browser artefacts can be split into the following categories:
User profile: web browsers, such as Chromium-based browsers and Firefox, implement a profile feature to store the user's settings, history, favourites, etc. The databases and files that hold this information are usually located under a user-specific profile folder.
History: web browsing history and download history.
Cookies: web browsing cookies (session tokens).
Cache: cache of resources downloaded from accessed websites (images, text content, HTML, CSS, JavaScript files, etc.).
Sessions: tabs and windows from a browsing session.
Settings: configuration settings.
These files are often stored under %LocalAppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).
Artefacts details
NTUSER - TypedURLs
Web browsers usage
URLs entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser search bar.
Web searches do not generate entries; only typing a URL will.
Entries are added / updated in near real-time.
The URLs are stored as url1 to url[N] in reverse chronological order (url1 being the most recent).
The last write timestamp of the key is thus the timestamp of the visit of the most recently visited URL.
File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat
Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs
Microsoft Internet Explorer
Web browsers usage
Microsoft Internet Explorer artefacts.
For more information: Browsers forensics note.
History, downloads, cache, and cookies metadata in an ESE database:
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
> History: History table.
> Downloads: iedownload table.
> Cache: content table.
> Cookies metadata: Cookies table.
Local file accesses, not necessarily made through the web browser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///<DRIVE_LETTER>:/folder/file).
Cookies:
%AppData%\Microsoft\Windows\Cookies
Sessions:
%LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat
Microsoft Edge (Legacy)
Web browsers usage
Microsoft Edge (legacy version) artefacts.
For more information: Browsers forensics note.
User profile(s):
%LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC
History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer):
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
Cache:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache
Sessions:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active
Settings:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
Microsoft Edge (Chromium-based)
Web browsers usage
Microsoft Edge (Chromium-based) artefacts.
Since Edge version v79 (January 2020), Microsoft Edge has used a Chromium backend and shares artefacts similar to Google Chrome's.
For more information: Browsers forensics note.
User profile(s):
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\*
With X ranging from one to n.
History:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History
Cookies:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies
Cache:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache
Sessions:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions
Settings:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences
Google Chrome
Web browsers usage
Google Chrome artefacts.
For more information: Browsers forensics note.
User profile(s):
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\*
With X ranging from one to n.
History:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History
Cookies:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies
Cache:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache
Sessions:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions
Settings:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences
Mozilla Firefox
Web browsers usage
Mozilla Firefox artefacts.
For more information: Browsers forensics note.
User profile(s):
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\*
History, downloads, and bookmarks in a SQLite database:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite
Cookies in a SQLite database:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite
Cache:
%LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\*
Sessions:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstore-backups\*
Settings:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js
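The Chrome / Edge History file and the Firefox places.sqlite file listed above are both SQLite databases, but they use different timestamp epochs. The following script is an added example, not part of the original note or of any browser's code: it queries both formats and converts each timestamp with its own epoch, running on constructed in-memory samples that reproduce only the real columns it needs (urls / visits for Chromium, moz_places / moz_historyvisits for Firefox).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium-based browsers (Chrome, Edge) store WebKit time in the History
# database: microseconds since 1601-01-01 UTC. Firefox places.sqlite stores
# PRTime: microseconds since 1970-01-01 UTC. Each format gets its own converter.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def prtime_to_utc(us):
    return UNIX_EPOCH + timedelta(microseconds=us)

def chromium_history(conn):
    # Join visits to urls: urls.last_visit_time alone keeps only the latest visit per URL.
    rows = conn.execute(
        "SELECT u.url, u.title, v.visit_time FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    return [(url, title, webkit_to_utc(ts).isoformat()) for url, title, ts in rows]

def firefox_history(conn):
    rows = conn.execute(
        "SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date").fetchall()
    return [(url, title, prtime_to_utc(ts).isoformat()) for url, title, ts in rows]

# Constructed in-memory samples with only the columns used above. On a real case,
# copy History / places.sqlite (plus any -wal or -journal file) out of the profile
# first: the browser keeps the live database locked while it runs.
def build_chromium_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example', 13223563200000000);
        INSERT INTO visits VALUES (1, 1, 13223563200000000);
        INSERT INTO visits VALUES (2, 1, 13223476800000000);""")
    return conn

def build_firefox_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/', 'Example');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1579089600000000);""")
    return conn
```

To run it against a real profile, pass `sqlite3.connect("<copied History or places.sqlite>")` to the matching function instead of the sample builders.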
Parsing
NirSoft's BrowsingHistoryView utility (NirSoft_BrowsingHistoryView KAPE module) can be used to parse a number of browser artefacts to extract browsing history information. BrowsingHistoryView can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in CSV format).
# /HistorySource 3: load history from the specified profiles folder (specified using /HistorySourceFolder).
# /HistorySourceFolder <USER_PROFILES_FOLDER>: for example "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for a shadow copy).
# /VisitTimeFilterType 1: load history dating back to any time.
# /ShowTimeInGMT 1: convert timestamps to UTC (defaults to the local timezone).
# /scomma <OUTPUT_CSV>: export the result as a comma-delimited CSV file.
browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "<USER_PROFILES_FOLDER>" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma <OUTPUT_CSV>
References
https://www.13cubed.com/downloads/windows_browser_artifacts_cheat_sheet.pdf
https://book.hacktricks.xyz/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts
https://www.nirsoft.net/utils/browsing_history_view.html
https://www.forensafe.com/blogs/typedurls.html