
Browser Forensics

Browser forensics refers to a branch of digital forensic analysis focused on investigating web browsers.

Acquisition

Google: “%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\”

Firefox: “%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\”

Edge: “%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\”

Opera: “%USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable”

Browser Artifacts

Some typical artifacts found in browser forensics include:

  • Search history

  • Visited Websites

  • Downloads

  • Cookies

  • Cache

  • Bookmarks

  • Favicons

  • Sessions

  • Form history

  • Thumbnails

  • Extensions

Search History

Search history records search terms and reveals user intentions by showing exact URLs entered in the search bar.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”

The search history is stored in the SQLite database called “History”, within the “keyword_search_terms” table.

Visited Websites

This artifact includes browsing history, such as visited URLs and timestamps, essential for identifying user activity, pinpointing compromise origins, and expediting investigations.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”

This data is stored in the “History” SQLite database within the “visits” table.

Downloads

This artifact records downloaded files, their names, and the source URLs, making it valuable for identifying and analyzing potentially malicious files.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”

This data is stored in the “History” SQLite database, within the “downloads_url_chains” and “downloads” tables.
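The three History-table artifacts above (search terms, visits and downloads) are usually pulled in one pass. The following is an added example, not code from the original page: it creates a constructed in-memory SQLite database with a subset of the Chromium “History” schema (the `urls`, `visits`, `keyword_search_terms`, `downloads` and `downloads_url_chains` tables with their real column names, but made-up rows) and runs the queries an examiner would run against a copied History file, converting Chromium's WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times. The sample URLs, paths and times are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores most timestamps as microseconds since 1601-01-01 UTC ("WebKit time").
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """Convert a WebKit timestamp to an aware UTC datetime; 0/NULL means 'not set'."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Subset of the real History schema (column names as in Chromium, rows constructed below).
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT, normalized_term TEXT);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT, start_time INTEGER,
                        received_bytes INTEGER, total_bytes INTEGER, state INTEGER, danger_type INTEGER,
                        end_time INTEGER, tab_url TEXT, referrer TEXT);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
"""

# Core page-transition type is the low byte of visits.transition; the high bits are qualifier flags.
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 5: "GENERATED",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}


def build_sample_history():
    """Constructed History DB: an omnibox search, a click-through, and a redirected download."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    t0 = datetime_to_webkit(datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc))
    minute = 60 * 1_000_000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,0)", [
        (1, "https://www.google.com/search?q=invoice+template", "invoice template - Google Search", 1, 0, t0),
        (2, "https://example.net/invoice.docm", "Invoice", 1, 0, t0 + minute),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, t0, 0, 0x30000005, 40 * 1_000_000),  # GENERATED (omnibox search) with chain-start/end flags
        (2, 2, t0 + minute, 1, 0x00000000, 0),      # LINK, reached from visit 1
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (2, 1, 'invoice template', 'invoice template')")
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                 (7, r"C:\Users\user\Downloads\invoice.docm", r"C:\Users\user\Downloads\invoice.docm",
                  t0 + 2 * minute, 48213, 48213, 1, 0, t0 + 2 * minute + 3_000_000,
                  "https://example.net/invoice.docm", "https://www.google.com/"))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (7, 0, "https://short.example/abc"),          # URL the user actually requested
        (7, 1, "https://example.net/invoice.docm"),   # where the redirect landed
    ])
    conn.commit()
    return conn


def search_terms(conn):
    rows = conn.execute("""SELECT k.term, u.url, u.last_visit_time
                           FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
                           ORDER BY u.last_visit_time""").fetchall()
    return [{"term": r["term"], "url": r["url"], "time": webkit_to_datetime(r["last_visit_time"])} for r in rows]


def visit_timeline(conn):
    """Visits joined to their URLs; from_visit lets you walk the click chain backwards."""
    rows = conn.execute("""SELECT v.id, u.url, u.title, v.visit_time, v.from_visit, v.transition
                           FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    return [{"id": r["id"], "url": r["url"], "time": webkit_to_datetime(r["visit_time"]),
             "from_visit": r["from_visit"],
             "transition": CORE_TRANSITIONS.get(r["transition"] & 0xFF, "OTHER")} for r in rows]


def downloads(conn):
    """Downloads with first and final URL of the redirect chain (state 1 = complete)."""
    rows = conn.execute("""SELECT d.id, d.target_path, d.start_time, d.received_bytes, d.total_bytes,
                                  d.state, d.referrer,
                                  (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
                                   ORDER BY c.chain_index LIMIT 1) AS first_url,
                                  (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
                                   ORDER BY c.chain_index DESC LIMIT 1) AS final_url
                           FROM downloads d ORDER BY d.start_time""").fetchall()
    return [{"path": r["target_path"], "first_url": r["first_url"], "final_url": r["final_url"],
             "referrer": r["referrer"], "start": webkit_to_datetime(r["start_time"]),
             "complete": r["state"] == 1 and r["received_bytes"] == r["total_bytes"]} for r in rows]


if __name__ == "__main__":
    # On a real case, copy the History file (plus any -journal/-wal sidecar) out of the
    # profile and open the copy instead of the constructed database.
    db = build_sample_history()
    for row in search_terms(db) + visit_timeline(db) + downloads(db):
        print(row)
```

Because `visits.from_visit` references the previous visit id, the timeline also shows how the user reached each page, which is what separates a typed-in URL from a redirect landing.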

Cookies

Cookies are small data pieces stored by websites on a user's browser. Analyzing cookies reveals information about the websites that set them, the stored data, and their expiration dates, offering insights into past web sessions, domain names, and more.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\cookies.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Network\Cookies”

Cache

Web cache is a temporary storage for web data like HTML pages and images. Cache analysis helps reconstruct a user's browsing history and uncover frequently visited websites, potentially revealing evidence.

This data is stored in multiple data block files, indexed by a separate index file.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\webappsstore.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data”

Opera: “C:\Users\[username]\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data”

Opera cache is saved under “\AppData\Local\”, while the rest of the Opera data is stored under “\AppData\Roaming\”.

Bookmarks

Bookmarks are key artifacts in browser forensics, representing saved web pages for later access. Stored in dedicated folders, they offer insights into frequently visited sites and user interests. Analyzing bookmarks helps reconstruct browsing history and identify behavior patterns.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Bookmarks”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Bookmarks”

Bookmarks are stored in a JSON file named “Bookmarks” in the default directory.
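The Chromium-family “Bookmarks” file is plain JSON: a `roots` object holding the `bookmark_bar`, `other` and `synced` folders, each a tree of `folder` and `url` nodes whose `date_added` is a WebKit timestamp stored as a string. The following added example (not code from the original page) walks such a file recursively, records each bookmark with its folder path and creation time, and flags entries that point at a bare IP address or plain `http`. The embedded sample file is constructed and the hosts in it are made up.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """date_added is microseconds since 1601-01-01 UTC, stored as a string in this file."""
    value = int(value or 0)
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None


# Constructed sample in the layout of a Chromium "Bookmarks" file (checksum omitted on purpose).
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "date_added": "13352000000000000",
                         "children": [
                             {"type": "url", "name": "Corp portal", "url": "https://portal.example/",
                              "date_added": "13352000000000000"},
                             {"type": "folder", "name": "Work", "date_added": "13352000000000000",
                              "children": [{"type": "url", "name": "Payroll",
                                            "url": "https://payroll.example/login",
                                            "date_added": "13352086400000000"}]},
                         ]},
        "other": {"type": "folder", "name": "Other bookmarks", "date_added": "13352000000000000",
                  "children": [{"type": "url", "name": "Downloader", "url": "http://198.51.100.7:8080/x",
                                "date_added": "13352172800000000"}]},
        "synced": {"type": "folder", "name": "Mobile bookmarks", "date_added": "13352000000000000",
                   "children": []},
    },
    "version": 1,
})


def walk_bookmarks(node, path):
    """Depth-first walk; path is the tuple of folder names above this node."""
    if node.get("type") == "url":
        yield {"path": "/".join(path), "name": node.get("name"), "url": node.get("url"),
               "added": webkit_to_datetime(node.get("date_added"))}
        return
    for child in node.get("children", []):
        child_path = path + (child.get("name", ""),) if child.get("type") == "folder" else path
        yield from walk_bookmarks(child, child_path)


def parse_bookmarks_file(text):
    """All bookmarks from a Bookmarks file's JSON text, oldest first."""
    data = json.loads(text)
    records = []
    for root_name, root in data.get("roots", {}).items():
        if isinstance(root, dict):  # older files also carry scalar keys under roots
            records.extend(walk_bookmarks(root, (root_name,)))
    records.sort(key=lambda r: r["added"] or WEBKIT_EPOCH)
    return records


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_unusual(records):
    """Bookmarks to bare IP addresses or plain http are worth a second look in a case."""
    flagged = []
    for r in records:
        parsed = urlparse(r["url"] or "")
        if parsed.scheme == "http" or _is_bare_ip(parsed.hostname or ""):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    # On a real case: open(path_to_copied_Bookmarks_file, encoding="utf-8").read()
    records = parse_bookmarks_file(SAMPLE_BOOKMARKS)
    for r in records:
        print(r["added"], r["path"], r["name"], r["url"])
    print("flagged:", [r["name"] for r in flag_unusual(records)])
```

Chrome keeps a `Bookmarks.bak` next to the live file, so a bookmark deleted recently can often still be recovered by running the same parser over the backup.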

Favicons

Favicons are small images associated with websites, appearing in the browser's address bar and used for bookmarking. In browser forensics, favicons can reveal frequently visited sites and user interests. The domain name of the website where the favicon was loaded is recorded, even if the history file is deleted. However, not all websites have favicons, especially malicious ones, and this artifact may be inconsistent in newer browser versions, limiting its reliability.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Favicons”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\favicons.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Favicons”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Favicons”

This data is stored in an SQLite database named “Favicons” in the default directory.

Session file

Session files store information about web pages open during the last browser session, including URLs, page titles, text entered in forms, and sometimes browsing history or cookies. Even if history is deleted, these files can help reconstruct browsing activity and identify behavior patterns. They provide valuable data when the browser is closed and history is removed.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Sessions\*”

Firefox (1): “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\sessionstore.jsonlz4”

Firefox (2): “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\sessionstore-backups\*”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\*”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Sessions\*”

This data is stored in an SQLite database named “Sessions” in the default directory.

Form History

Form history stores text entered by a user into web forms, such as search boxes or online forms, to simplify future form-filling. It can reveal insights into the user's browsing habits, interests, and sensitive information entered into forms.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Web Data”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\formhistory.sqlite”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Web Data”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Web Data”

This data is stored in an SQLite database named “Web Data.”

Thumbnails

Thumbnails are small versions of images or videos generated by web browsers to help organize and navigate media files. Stored in the cache or temporary files, they can reveal the types of media accessed or downloaded by a user and provide clues about the websites or online services involved.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Top Sites”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Top Sites”

Extensions

Browser extensions, or "addons," are small software programs added to web browsers to enhance functionality, such as organizing tabs, blocking ads, or saving passwords. However, extensions can be malicious, either from shady vendors or through supply chain attacks, where legitimate extensions are hijacked for harmful purposes. They can serve as important evidence in cases involving malicious extensions.

🔒 Location:

Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Extensions\{randomfoldername}\*”

Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\extensions\*”

Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\{randomfoldername}\*”

Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Extensions\{randomfoldername}\*”

Extension metadata is stored in the "Extensions" folder, within folders that are randomly named.
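Each folder under “Extensions” is named after the extension id and contains one subfolder per installed version with a `manifest.json` inside it; the manifest declares the name (often as a `__MSG_key__` placeholder resolved from `_locales`), the version, the `update_url`, the requested permissions and any content scripts. The following added example (not code from the original page) builds a constructed Extensions tree in a temporary directory, inventories every manifest, and marks the permissions and content-script match patterns that give an extension broad reach into browsing data, which is the first thing to check when a supply-chain compromise of an extension is suspected. The extension ids, names and manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

# Permissions that give an extension broad reach into browsing data or the network.
HIGH_IMPACT = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "history",
               "nativeMessaging", "debugger", "proxy", "clipboardRead", "management",
               "declarativeNetRequest"}
# Content-script match patterns that inject code into every page.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _localized_name(ext_dir, manifest):
    """Resolve a __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()
    msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        table = json.loads(msgs.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return name
    lowered = {k.lower(): v for k, v in table.items()}
    return lowered.get(key, {}).get("message", name)


def inventory_extensions(extensions_root):
    """One record per installed extension version found under <profile>/Extensions."""
    records = []
    for ext_id_dir in sorted(Path(extensions_root).iterdir()):
        if not ext_id_dir.is_dir():
            continue
        for version_dir in sorted(ext_id_dir.iterdir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            # utf-8-sig tolerates the BOM that some manifests carry
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
            records.append({
                "id": ext_id_dir.name,
                "name": _localized_name(version_dir, manifest),
                "version": manifest.get("version"),
                "manifest_version": manifest.get("manifest_version"),
                "update_url": manifest.get("update_url"),  # absent on many sideloaded extensions
                "high_impact": sorted(perms & HIGH_IMPACT),
                "broad_content_scripts": sorted(matches & BROAD_MATCHES),
            })
    return records


def build_sample_tree():
    """Constructed Extensions folder: one ordinary extension and one over-privileged one."""
    root = Path(tempfile.mkdtemp())

    def write(ext_id, version, manifest, messages=None):
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            loc = d / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

    write("abcdefghijklmnopabcdefghijklmnop", "1.2.0_0", {
        "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en", "version": "1.2.0",
        "permissions": ["storage"], "update_url": "https://clients2.google.com/service/update2/crx"},
        messages={"appName": {"message": "Tab Tidy"}})
    write("ponmlkjihgfedcbaponmlkjihgfedcba", "0.9.1_0", {
        "manifest_version": 3, "name": "Coupon Finder", "version": "0.9.1",
        "permissions": ["cookies", "webRequest", "storage"], "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]})
    return root


if __name__ == "__main__":
    # On a real case, point inventory_extensions() at the copied Extensions folder.
    for rec in inventory_extensions(build_sample_tree()):
        print(rec)
```

An extension with no `update_url` was not installed from the store's update channel, and an extension whose permissions changed between two version folders of the same id is exactly the pattern a hijacked update leaves behind, so keep both version folders in the inventory rather than only the newest.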

Tools

  • BrowsingHistoryView

  • Hindsight Framework

  • DB Browser for SQLite

  • Strings (Session file)

Manual Browser Analysis

In addition to the above artifacts, there are some other interesting databases to examine.

Top Sites

A good source for gathering user online activity is the “Top Sites” database, which provides information about the websites a user visits, even if the history file is deleted.

Web data

When a user enters login credentials, credit card details, addresses, or other data, the browser prompts whether to save this information. If saved, the data is automatically filled in the next time the user visits the same website, eliminating the need to re-enter it.

The "keywords" table provides valuable information about websites visited, including favicon details and other relevant data.

If a user saves information such as addresses or phone numbers in their browser, it can be found in tables like "autofill_profile_addresses."

The "autofill" table contains information such as emails, usernames, and other data that the user has saved in the browser.

Credit card information, including card numbers, expiration dates, and potentially CVV codes, may be found in the "credit_cards" table. While credit card numbers and CVVs are often encrypted, expiration dates are typically stored as they are less sensitive. This data can help track the user's online transactions and purchased goods or services, depending on the payment gateway and API used.
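The following added example (not code from the original page) shows how the “Web Data” tables described above are read in practice. It builds a constructed in-memory SQLite database with a subset of the real `autofill`, `credit_cards` and `keywords` schemas, lists autofill entries with their Unix-seconds timestamps, picks out the field names that usually carry identifiers (usernames, e-mail addresses, phone numbers), and summarises saved cards by holder, expiry, origin site and use count while leaving the encrypted card number as an opaque blob, reporting only its length and its leading marker bytes. All rows and the blob contents are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Subset of the Chromium "Web Data" schema (column names as in Chromium; rows constructed below).
SCHEMA = """
CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR,
                       date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0,
                       count INTEGER DEFAULT 1);
CREATE TABLE credit_cards (guid VARCHAR PRIMARY KEY, name_on_card VARCHAR, expiration_month INTEGER,
                           expiration_year INTEGER, card_number_encrypted BLOB, date_modified INTEGER,
                           origin VARCHAR, use_count INTEGER, use_date INTEGER);
CREATE TABLE keywords (id INTEGER PRIMARY KEY, short_name VARCHAR, keyword VARCHAR,
                       favicon_url VARCHAR, url VARCHAR);
"""

IDENTITY_FIELDS = ("user", "login", "email", "phone", "account")


def unix_to_datetime(value):
    """autofill and credit_cards timestamps here are seconds since 1970-01-01 UTC; 0 = unset."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None


def build_sample_web_data():
    """Constructed Web Data DB: three autofill entries, one saved card, one search engine."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO autofill VALUES (?,?,?,?,?,?)", [
        ("email", "j.doe@example.com", "j.doe@example.com", 1709287200, 1709460000, 3),
        ("q", "invoice template", "invoice template", 1709287200, 1709287200, 1),
        ("username", "jdoe", "jdoe", 1709287200, 1709373600, 2),
    ])
    # Card number blob: constructed placeholder with the "v10" marker Chromium puts in front of
    # OS-key-encrypted values; the remaining bytes are zeros, not a real ciphertext.
    conn.execute("INSERT INTO credit_cards VALUES (?,?,?,?,?,?,?,?,?)",
                 ("constructed-guid-1", "JANE DOE", 11, 2027, b"v10" + bytes(28),
                  1709287200, "https://shop.example/checkout", 2, 1709460000))
    conn.execute("INSERT INTO keywords VALUES (?,?,?,?,?)",
                 (2, "Google", "google.com", "https://www.google.com/favicon.ico",
                  "{google:baseURL}search?q={searchTerms}"))
    conn.commit()
    return conn


def autofill_entries(conn):
    rows = conn.execute("""SELECT name, value, date_created, date_last_used, count
                           FROM autofill ORDER BY date_last_used DESC""").fetchall()
    return [{"name": r["name"], "value": r["value"], "created": unix_to_datetime(r["date_created"]),
             "last_used": unix_to_datetime(r["date_last_used"]), "count": r["count"]} for r in rows]


def identity_fields(entries):
    """Autofill entries whose field name usually holds an identifier typed into a login form."""
    return [e for e in entries if any(k in e["name"].lower() for k in IDENTITY_FIELDS)]


def card_summary(conn):
    """Card metadata without touching the encrypted number: holder, expiry, origin, marker."""
    rows = conn.execute("""SELECT name_on_card, expiration_month, expiration_year,
                                  card_number_encrypted, date_modified, origin, use_count
                           FROM credit_cards""").fetchall()
    out = []
    for r in rows:
        blob = r["card_number_encrypted"] or b""
        out.append({"holder": r["name_on_card"],
                    "expires": f"{r['expiration_month']:02d}/{r['expiration_year']}",
                    "origin": r["origin"], "use_count": r["use_count"],
                    "modified": unix_to_datetime(r["date_modified"]),
                    "pan_blob_prefix": blob[:3].decode("latin-1"), "pan_blob_len": len(blob)})
    return out


def search_engines(conn):
    """keywords rows; keywords.id is what keyword_search_terms.keyword_id in History points at."""
    rows = conn.execute("SELECT id, short_name, keyword, favicon_url, url FROM keywords").fetchall()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    # On a real case, open a copy of the "Web Data" file instead of the constructed database.
    db = build_sample_web_data()
    print(identity_fields(autofill_entries(db)))
    print(card_summary(db))
    print(search_engines(db))
```

Reporting the blob length and marker rather than the number keeps the examiner's notes free of cardholder data while still proving that a card was saved, when, and on which site.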

