# Browsers forensics ### Browsing history / download artefacts **Overview** The web browsers related artefacts can be split in the following categories: * User profile: web browsers, such as `Chronium`-based browsers and `Firefox`, implement a profile feature to store user's setttings, history, favourites, etc. The databases and files that store these information are usually stored under a user specific profile folder. * History: web browsing history and download history. * Cookies: web browsing cookies (session tokens). * Cache: cache of resources downloaded from accessed websites (images, text content, `HTML`, `CSS`, `Javascript` files, etc.). * Sessions: tabs and windows from a browsing session. * Settings: configuration settings. These files are often stored under `%LocalAppData%` (`%SystemDrive%:\Users\\AppData\Local\`) and `%AppData%` (`%SystemDrive%:\Users\\AppData\Roaming\`). **Artefacts details** | Name | Type | Description | Information / interpretation | Location | Tool(s) | | | | | | | | ------------------------------------------------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------- | |

NTUSER
-
TypedURLs

| Web browsers usage |

URL entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser search bar.

Web searches do not generate entries, only typing of an URL will.

Entries are added / updated in near real-time.

|

The URL are stored as url1 to url\[N] in inversed chronological order.

The last write timestamp of the key is thus the timestamp of visit of the most recently visited URL.

|

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat
Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs

| | | | | | | | | `Microsoft Internet Explorer` | Web browsers usage |

Microsoft Internet Explorer artefacts.

For more information: Browsers forensics note.

| - |

History, downloads, cache, and cookies metadata in a ESE database:
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
> History: History table
> Downloads: iedownload table.
> Cache: content table
> Cookies metadata: Cookies table.

Local files access, not necessarily through the webbrowser, may also appear in the WebCacheV01.dat database with the file URI scheme (such as file:///\:/folder/file).

Cookies:
%AppData%\Microsoft\Windows\Cookies

Sessions:
%LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | | | | | | |

Microsoft Edge
(Legacy)

| Web browsers usage |

Microsoft Edge (legacy version) artefacts.

For more information: Browsers forensics note.

| - |

User profile(s):
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC

History, downloads, cache, and cookies (file shared with Microsoft Internet Explorer):
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat

Cache:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache

Sessions:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Settings:
%LocalAppData%\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | | | | | | |

Microsoft Edge
(Chronium-based)

| Web browsers usage |

Microsoft Edge (Chronium-based) artefacts.

Since Edge version v79 (January 2020), Microsoft Edge uses a Chronium backend and shares similar artefacts to Google Chrome.

For more information: Browsers forensics note.

| - |

User profile(s):
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\*
With X ranging from one to n.

History:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History

Cookies:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies

Cache:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache

Sessions:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions

Settings:
%LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | `Google Chrome` | Web browsers usage |

Google Chrome artefacts.

For more information: Browsers forensics note.

| - |

User profile(s):
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\*
With X ranging from one to n.

History:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History

Cookies:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies

Cache:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache

Sessions:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions

Settings:
%LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | `Mozilla Firefox` | Web browsers usage |

Mozilla Firefox artefacts.

For more information: Browsers forensics note.

| - |

User profile(s):
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\*

History, downloads, and bookmarks in a SQLite database:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite

Cookies in a SQLite database:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite

Cache:
%LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\*

Sessions:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstorebackups\*

Settings:
%AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js

| [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) | | | | | | | ### Parsing As stated, [`NirSoft's BrowsingHistoryView`](https://www.nirsoft.net/utils/browsing_history_view.html) utility (`NirSoft_BrowsingHistoryView` KAPE module) can be used to parse a number of browsers artefacts to extract browsing history information. `BrowsingHistoryView` can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in the CSV format). ``` # /HistorySource 3: Load history from the specified profiles folder (specified using /HistorySourceFolder). # /HistorySourceFolder example: "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for shadow copy). # /VisitTimeFilterType 1: Load history dating back to any time. # /ShowTimeInGMT 1: Converts timestamps to UTC-0 (default to the local timezone). browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma ``` *** ### References