Browsers forensics
Browsing history / download artefacts
Overview
Web browser related artefacts can be split into the following categories:
- User profile: web browsers, such as Chromium-based browsers and Firefox, implement a profile feature to store the user's settings, history, favourites, etc. The databases and files that store this information are usually located under a user-specific profile folder.
- History: web browsing history and download history.
- Cookies: web browsing cookies (session tokens).
- Cache: cache of resources downloaded from accessed websites (images, text content, HTML, CSS, JavaScript files, etc.).
- Sessions: tabs and windows from a browsing session.
- Settings: configuration settings.
These files are often stored under %LocalAppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).
Artefacts details
NTUSER - TypedURLs
Web browsers usage
URLs entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser search bar. Web searches do not generate entries; only typing a URL will. Entries are added / updated in near real-time.
The URLs are stored as url1 to url[N] in reverse chronological order. The last write timestamp of the key is thus the timestamp of the visit to the most recently visited URL.
File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat
Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs
Microsoft Internet Explorer
Web browsers usage
History, downloads, cache, and cookies metadata in an ESE database: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
> History: History table.
> Downloads: iedownload table.
> Cache: content table.
> Cookies metadata: Cookies table.
Local file accesses, not necessarily made through the web browser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///<DRIVE_LETTER>:/folder/file).
Cookies: %AppData%\Microsoft\Windows\Cookies
Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat
Microsoft Edge (Legacy)
Web browsers usage
User profile(s): %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC
History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer): %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
Cache: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache
Sessions: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active
Settings: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
Microsoft Edge (Chromium-based)
Web browsers usage
User profile(s): %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\* with X ranging from one to n.
History: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History
Cookies: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies
Cache: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache
Sessions: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions
Settings: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences
Google Chrome
Web browsers usage
User profile(s): %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\* with X ranging from one to n.
History: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History
Cookies: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies
Cache: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache
Sessions: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions
Settings: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences
Mozilla Firefox
Web browsers usage
User profile(s): %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\*
History, downloads, and bookmarks in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite
Cookies in a SQLite database: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite
Cache: %LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\*
Sessions: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstore-backups\*
Settings: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js
Parsing
NirSoft's BrowsingHistoryView utility (NirSoft_BrowsingHistoryView KAPE module) can be used to parse a number of browser artefacts to extract browsing history information. BrowsingHistoryView can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in the CSV format).
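The Chromium History database (Chrome and Chromium-based Edge) and Firefox places.sqlite listed above can also be queried directly. The following added example (not from this page, NirSoft or any browser project) joins the visit and URL tables of each format and converts the two timestamp encodings to UTC; the databases it opens are constructed in memory with a subset of the real schemas, and the URL and timestamps in them are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores WebKit time: microseconds since 1601-01-01 00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Firefox stores PRTime: microseconds since the Unix epoch (1970-01-01 UTC).
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def prtime_to_utc(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)

def chromium_history(conn):
    """Join visits to urls (visits.url is the foreign key to urls.id)."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    return [(webkit_to_utc(t).isoformat(), url, title) for t, url, title in rows]

def firefox_history(conn):
    """Join moz_historyvisits to moz_places on place_id."""
    rows = conn.execute(
        "SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
        "JOIN moz_places p ON p.id = h.place_id ORDER BY h.visit_date").fetchall()
    return [(prtime_to_utc(t).isoformat(), url, title) for t, url, title in rows]

def sample_dbs():
    """Constructed in-memory databases carrying only the columns the queries
    above need; the URL and the two timestamps are made up for this example."""
    chromium = sqlite3.connect(":memory:")
    chromium.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.test/login', 'Login', 1);
        INSERT INTO visits VALUES (1, 1, 13350000000000000);""")
    firefox = sqlite3.connect(":memory:")
    firefox.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.test/login', 'Login');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1705526400000000);""")
    return chromium, firefox

if __name__ == "__main__":
    c, f = sample_dbs()  # on a real case: sqlite3.connect() on a copy of the History / places.sqlite file
    for row in chromium_history(c) + firefox_history(f):
        print(*row, sep="\t")
```

Both constructed timestamps encode the same instant, so the two parsers return identical rows; work on a copy of the database files, since a running browser keeps them locked and holds part of the data in the accompanying write-ahead log.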
References
https://www.13cubed.com/downloads/windows_browser_artifacts_cheat_sheet.pdf
https://book.hacktricks.xyz/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts
https://www.nirsoft.net/utils/browsing_history_view.html
https://www.forensafe.com/blogs/typedurls.html