# Browsers forensics ### Browsing history / download artefacts **Overview** The web browsers related artefacts can be split in the following categories: * User profile: web browsers, such as `Chronium`-based browsers and `Firefox`, implement a profile feature to store user's setttings, history, favourites, etc. The databases and files that store these information are usually stored under a user specific profile folder. * History: web browsing history and download history. * Cookies: web browsing cookies (session tokens). * Cache: cache of resources downloaded from accessed websites (images, text content, `HTML`, `CSS`, `Javascript` files, etc.). * Sessions: tabs and windows from a browsing session. * Settings: configuration settings. These files are often stored under `%LocalAppData%` (`%SystemDrive%:\Users\\AppData\Local\`) and `%AppData%` (`%SystemDrive%:\Users\\AppData\Roaming\`). **Artefacts details** | Name | Type | Description | Information / interpretation | Location | Tool(s) | | | | | | | | ------------------------------------------------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------- | |

NTUSER
-
TypedURLs

| Web browsers usage |

URL entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser search bar.

Web searches do not generate entries, only typing of an URL will.

Entries are added / updated in near real-time.

|

The URL are stored as url1 to url\[N] in inversed chronological order.

The last write timestamp of the key is thus the timestamp of visit of the most recently visited URL.

|

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat
Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs

| | | | | | | | | `Microsoft Internet Explorer` | Web browsers usage |

Microsoft Internet Explorer artefacts.

For more information: Browsers forensics note.

| - |

History, downloads, cache, and cookies metadata in a ESE database:
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
> History: History table
> Downloads: iedownload table.
> Cache: content table
> Cookies metadata: Cookies table.

Local files access, not necessarily through the webbrowser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///\:/folder/file).

Cookies:
%AppData%\Microsoft\Windows\Cookies

Sessions:
%LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | | | | | | |

Microsoft Edge
(Legacy)

| Web browsers usage |

Microsoft Edge (legacy version) artefacts.

For more information: Browsers forensics note.

| - |

User profile(s):
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC

History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer):
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat

Cache:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache

Sessions:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Settings:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | | | | | | |

Microsoft Edge
(Chronium-based)

| Web browsers usage |

Microsoft Edge (Chronium-based) artefacts.

Since Edge version v79 (January 2020), Microsoft Edge uses a Chronium backend and shares similar artefacts to Google Chrome.

For more information: Browsers forensics note.

| - |

User profile(s):
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\*
With X ranging from one to n.

History:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History

Cookies:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies

Cache:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache

Sessions:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions

Settings:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | `Google Chrome` | Web browsers usage |

Google Chrome artefacts.

For more information: Browsers forensics note.

| - |

User profile(s):
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\*
With X ranging from one to n.

History:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History

Cookies:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies

Cache:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache

Sessions:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions

Settings:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | `Mozilla Firefox` | Web browsers usage |

Mozilla Firefox artefacts.

For more information: Browsers forensics note.

| - |

User profile(s):
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\*

History, downloads, and bookmarks in a SQLite database:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite

Cookies in a SQLite database:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite

Cache:
%LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\*

Sessions:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstorebackups\*

Settings:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | | | | | | ### Parsing As stated, [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) utility (`NirSoft_BrowsingHistoryView` KAPE module) can be used to parse a number of browsers artefacts to extract browsing history information. `BrowsingHistoryView` can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in the CSV format). ``` # /HistorySource 3: Load history from the specified profiles folder (specified using /HistorySourceFolder). # /HistorySourceFolder example: "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for shadow copy). # /VisitTimeFilterType 1: Load history dating back to any time. # /ShowTimeInGMT 1: Converts timestamps to UTC-0 (default to the local timezone). browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma ``` *** ### References --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.qazeer.io/dfir/common/browsers_forensics.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.