Browser Forensics
Browser forensics refers to a branch of digital forensic analysis focused on investigating web browsers.
Acquisition
Chrome: “%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\”
Firefox: “%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\”
Edge: “%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\”
Opera: “%USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable\”
“Default” is the first Chromium profile; further profiles sit beside it as “Profile 1”, “Profile 2” and so on, each with its own copy of every artifact below. Firefox lists its profiles in profiles.ini next to the Profiles folder. Collect the whole profile directory from an image or a volume shadow copy rather than from the live system: the SQLite databases are locked while the browser runs, and the “-journal” or “-wal” file next to each database holds recent writes that are lost if only the main file is copied.
Browser Artifacts
Some typical artifacts found in browser forensics include:
Search history
Visited Websites
Downloads
Cookies
Cache
Bookmarks
Favicons
Sessions
Form history
Thumbnails
Extensions
Search History
Search history records the terms a user submitted to a search engine the browser knows (the address-bar default or a registered keyword engine), together with the resulting search URL, which shows what the user was looking for and when.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”
In the Chromium browsers (Chrome, Edge, Opera) the terms are in the “keyword_search_terms” table of the “History” SQLite database; its url_id joins to the “urls” table, which carries the full search URL and last_visit_time. Firefox has no separate search-term table; the query survives only as part of the search URL in “moz_places” in places.sqlite.
Visited Websites
This artifact includes browsing history, such as visited URLs and timestamps, essential for identifying user activity, pinpointing compromise origins, and expediting investigations.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”
In Chromium browsers this lives in the “History” SQLite database: “urls” has one row per distinct URL (url, title, visit_count, typed_count, last_visit_time) and “visits” one row per visit (url pointing at urls.id, visit_time, from_visit for the referring visit, and transition, whose low byte tells whether the page was typed, clicked, reloaded or reached by redirect). Firefox keeps the equivalent in “moz_places” and “moz_historyvisits” in places.sqlite. The clocks differ: Chromium stores microseconds since 1601-01-01 UTC (WebKit time), Firefox microseconds since 1970-01-01 UTC.
Downloads
This artifact records downloaded files, their names, and the source URLs, making it valuable for identifying and analyzing potentially malicious files.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”
In Chromium browsers this is in the “History” SQLite database: “downloads” (target_path, start_time, end_time, received_bytes, total_bytes, state, danger_type, referrer, tab_url and mime_type) and “downloads_url_chains”, which lists every URL in the redirect chain of a download in chain_index order, so both the link the user followed and the host that finally served the file survive. Firefox records downloads as annotations on the source URL in places.sqlite (“moz_annos” rows named downloads/destinationFileURI and downloads/metaData).
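The three artifacts above (search terms, visits and downloads) all come out of one Chromium “History” file, so one parser covers them. The following is an added example, not code from the page or from LetsDefend: it opens a History copy read-only, joins the tables as described, converts WebKit timestamps (the same epoch is used by Bookmarks.date_added, Top Sites and Cookies), and decodes the transition and download state codes. The in-memory database it builds is a constructed stand-in with a subset of the real columns; the rows, URLs and the path C:\Users\alice\... are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium (Chrome, Edge, Opera) stores times as microseconds since
# 1601-01-01 UTC, not since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_TO_WEBKIT_SECONDS = 11644473600

def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def unix_to_webkit(unix_seconds):
    return (unix_seconds + UNIX_TO_WEBKIT_SECONDS) * 1_000_000

# Core page-transition type is the low byte of visits.transition; the high
# bits are qualifiers (redirect chain start/end, forward/back, and so on).
TRANSITION = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
              4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
              7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
# downloads.state values per Chromium's download_database.cc
DOWNLOAD_STATE = {0: "IN_PROGRESS", 1: "COMPLETE", 2: "CANCELLED", 4: "INTERRUPTED"}

def open_history(path):
    # Read-only and ignoring the lock: run this against a forensic copy of
    # "History" (copy History-journal / History-wal alongside it), never the
    # live file of a running browser.
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

def search_terms(conn):
    rows = conn.execute("""
        SELECT k.term, u.url, u.last_visit_time
        FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
        ORDER BY u.last_visit_time""")
    return [(term, url, webkit_to_utc(t)) for term, url, t in rows]

def visits(conn):
    rows = conn.execute("""
        SELECT u.url, u.title, v.visit_time, v.transition
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""")
    return [(url, title, webkit_to_utc(t), TRANSITION.get(tr & 0xFF, "?"))
            for url, title, t, tr in rows]

def downloads(conn):
    result = []
    for did, target, start, state, tab_url in conn.execute(
            "SELECT id, target_path, start_time, state, tab_url FROM downloads"):
        # chain_index 0 is the link the user followed; the last entry is the
        # host that actually served the file after redirects.
        chain = [u for (u,) in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index",
            (did,))]
        result.append((target, webkit_to_utc(start),
                       DOWNLOAD_STATE.get(state, "?"), chain, tab_url))
    return result

def build_sample_history():
    """Constructed in-memory stand-in for a Chrome History file: Chromium's
    table and column names (a subset), invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          term TEXT);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER, state INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER,
                                          url TEXT);
    """)
    t0 = unix_to_webkit(1700000000)  # 2023-11-14 22:13:20 UTC
    search = "https://www.google.com/search?q=invoice+pdf+viewer"
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, search, "invoice pdf viewer - Google Search", 1, 1, t0, 0),
        (2, "https://files.example.net/viewer.exe", "", 1, 0, t0 + 30_000_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001),               # TYPED into the address bar
        (2, 2, t0 + 30_000_000, 1, 0x20000000),  # LINK clicked from visit 1
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (2, 1, 'invoice pdf viewer')")
    conn.execute("INSERT INTO downloads VALUES (1, ?, ?, 1, ?)",
                 (r"C:\Users\alice\Downloads\viewer.exe", t0 + 31_000_000, search))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://files.example.net/viewer.exe"),
        (1, 1, "https://cdn.example.net/dl/viewer.exe"),  # redirect target
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_history()  # or: open_history(r"D:\case\Default\History")
    for row in search_terms(db):
        print("SEARCH  ", row)
    for row in visits(db):
        print("VISIT   ", row)
    for row in downloads(db):
        print("DOWNLOAD", row)
```

The `immutable=1` URI flag makes SQLite skip locking and journal recovery, which is what you want on a copied file but also means a copied -wal file is ignored; if the copy has one, open it without the flag so the WAL is replayed. The same functions run unchanged against a real History file because only the table and column names matter.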
Cookies
Cookies are small data pieces stored by websites on a user's browser. Analyzing cookies reveals information about the websites that set them, the stored data, and their expiration dates, offering insights into past web sessions, domain names, and more.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\cookies.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Network\Cookies”
Chromium keeps cookies in the “cookies” table (host_key, name, path, creation_utc, expires_utc, last_access_utc, is_secure, is_httponly, samesite). On Windows the “value” column is empty and the actual value is in “encrypted_value”, protected with the profile's os_crypt key (see Web data below). Firefox stores them unencrypted in “moz_cookies” of cookies.sqlite (host, name, value, expiry in Unix seconds, lastAccessed and creationTime in microseconds).
Cache
Web cache is a temporary storage for web data like HTML pages and images. Cache analysis helps reconstruct a user's browsing history and uncover frequently visited websites, potentially revealing evidence.
Chromium uses its block-file cache: an “index” file, “data_0” to “data_3” block files that hold entry metadata, HTTP response headers and small bodies, and separate “f_XXXXXX” files for bodies too large for a block. Firefox's cache2 directory has one file per entry under “entries”, each holding the body followed by metadata that includes the URL key and the HTTP headers.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data”
Firefox: “C:\Users\[username]\AppData\Local\Mozilla\Firefox\Profiles\[randomfoldername]\cache2\entries”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data”
Opera: “C:\Users\[username]\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data”
Two things to notice about the paths: the cache is kept under “AppData\Local” for every browser, including Firefox and Opera, whose other profile data lives under “AppData\Roaming”; and Firefox's cache is not the “webappsstore.sqlite” file in the roaming profile, which holds DOM localStorage, a separate artifact.
Bookmarks
Bookmarks are key artifacts in browser forensics, representing saved web pages for later access. Stored in dedicated folders, they offer insights into frequently visited sites and user interests. Analyzing bookmarks helps reconstruct browsing history and identify behavior patterns.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Bookmarks”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Bookmarks”
In the Chromium browsers bookmarks are a JSON file named “Bookmarks” in the profile directory: the roots “bookmark_bar”, “other” and “synced” each hold a tree of folders and URL nodes with name, url, date_added (and, in newer versions, date_last_used) in WebKit time. “Bookmarks.bak” next to it is the previous copy and can still contain entries the user has since deleted. Firefox keeps bookmarks in the “moz_bookmarks” table of places.sqlite, joined to “moz_places” for the URL, with dateAdded and lastModified in microseconds since 1970.
Favicons
Favicons are small images associated with websites, appearing in the browser's address bar and used for bookmarking. In browser forensics, favicons can reveal frequently visited sites and user interests. The domain name of the website where the favicon was loaded is recorded, even if the history file is deleted. However, not all websites have favicons, especially malicious ones, and this artifact may be inconsistent in newer browser versions, limiting its reliability.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Favicons”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\favicons.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Favicons”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Favicons”
In the Chromium browsers this is the “Favicons” SQLite database in the profile directory: “favicons” (the icon URL), “favicon_bitmaps” (the image and its last_updated time) and “icon_mapping”, which links each page URL to its icon and is what still records the page when History has been cleared. Firefox stores the equivalent in favicons.sqlite (“moz_icons”, “moz_pages_w_icons” and “moz_icons_to_pages”).
Session file
Session files store information about web pages open during the last browser session, including URLs, page titles, text entered in forms, and sometimes browsing history or cookies. Even if history is deleted, these files can help reconstruct browsing activity and identify behavior patterns. They provide valuable data when the browser is closed and history is removed.
Chromium writes a new pair of files, “Session_<timestamp>” and “Tabs_<timestamp>”, for each browsing session and removes older pairs after a restart or two, so the Sessions folder normally holds only the current and the previous session. Firefox overwrites sessionstore.jsonlz4 on a clean exit, but sessionstore-backups keeps “recovery.jsonlz4” and “recovery.baklz4” (written every few seconds while running) and “previous.jsonlz4” (the session before the current one), so a session is not lost the moment a new one starts.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Sessions\*”
Firefox (1): “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\sessionstore.jsonlz4”
Firefox (2): “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\sessionstore-backups\*”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\*”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Sessions\*”
These are not SQLite databases. Chromium writes SNSS files, a binary command log, as the “Session_” and “Tabs_” pairs under Sessions. Firefox writes JSON compressed in its own mozLz4 container (the magic “mozLz40\0” followed by one LZ4 block), recording every open window and tab, each tab's back/forward entries, form data, and recently closed tabs under “_closedTabs”.
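Firefox's session files cannot be opened as plain JSON because of the mozLz4 wrapper, and the usual fix is a third-party lz4 module. The following is an added example, not code from the page or from LetsDefend: a stand-alone LZ4 block decoder, a loader that checks the mozLz4 header, and a walk over the session JSON that lists open tabs and the tabs Firefox still remembers in “_closedTabs”. The session dictionary at the end is constructed for the demo (its shape follows Firefox's session format, its URLs are invented), and `lz4_block_literal_encode` exists only to build test input; real files from Firefox contain matches as well as literals, which the decoder handles. Chromium's SNSS files are a different format and are not covered here.

```python
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"

def lz4_block_decompress(src: bytes) -> bytes:
    """Decode one raw LZ4 block: sequences of literals plus back-references."""
    dst = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4          # high nibble; 15 means "read more bytes"
        if lit_len == 15:
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        dst += src[i:i + lit_len]
        i += lit_len
        if i >= n:                    # the last sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(dst) - offset
        for k in range(match_len):    # byte-wise so overlapping copies work
            dst.append(dst[start + k])
    return bytes(dst)

def lz4_block_literal_encode(data: bytes) -> bytes:
    """Smallest valid LZ4 block for data: a single literal-only sequence."""
    n = len(data)
    out = bytearray()
    if n < 15:
        out.append(n << 4)
    else:
        out.append(0xF0)
        rest = n - 15
        while rest >= 255:
            out.append(255)
            rest -= 255
        out.append(rest)
    return bytes(out + data)

def mozlz4_pack(obj) -> bytes:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return MOZLZ4_MAGIC + struct.pack("<I", len(raw)) + lz4_block_literal_encode(raw)

def mozlz4_load(blob: bytes):
    """Parse a sessionstore.jsonlz4 / recovery.jsonlz4 / previous.jsonlz4 file."""
    if not blob.startswith(MOZLZ4_MAGIC):
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack("<I", blob[8:12])   # little-endian uncompressed size
    raw = lz4_block_decompress(blob[12:])
    if len(raw) != size:
        raise ValueError(f"size mismatch: header says {size}, got {len(raw)}")
    return json.loads(raw)

def session_urls(session):
    """(window, tab, url, title, closed) for open tabs and for tabs the user
    closed that Firefox still keeps under _closedTabs."""
    rows = []
    for w, win in enumerate(session.get("windows", [])):
        for t, tab in enumerate(win.get("tabs", [])):
            for e in tab.get("entries", []):
                rows.append((w, t, e.get("url"), e.get("title"), False))
        for t, closed in enumerate(win.get("_closedTabs", [])):
            for e in closed.get("state", {}).get("entries", []):
                rows.append((w, t, e.get("url"), e.get("title"), True))
    return rows

SAMPLE_SESSION = {  # constructed; shape follows Firefox's session JSON
    "version": ["sessionrestore", 1],
    "windows": [{
        "tabs": [{"entries": [{"url": "https://mail.example.com/inbox", "title": "Inbox"}]}],
        "_closedTabs": [{"closedAt": 1700000000000, "state": {"entries": [
            {"url": "https://files.example.net/viewer.exe", "title": "viewer.exe"}]}}],
    }],
    "session": {"lastUpdate": 1700000000000},
}

if __name__ == "__main__":
    # Real use: mozlz4_load(open(path, "rb").read())
    for row in session_urls(mozlz4_load(mozlz4_pack(SAMPLE_SESSION))):
        print(row)
```

The closed-tab entries are the point: a user who closed a tab and cleared history can still be placed on that page by the session store, and `closedAt` (milliseconds since 1970) gives the time it was closed.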
Form History
Form history stores text a user has typed into web form fields, such as search boxes, names, e-mail addresses and phone numbers, so the browser can offer it again. It reveals browsing habits and interests, and it can expose personal data and other secrets typed into fields a site did not mark as sensitive. Saved passwords are not here: Chromium keeps them in “Login Data” and Firefox in logins.json together with key4.db.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Web Data”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\formhistory.sqlite”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Web Data”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Web Data”
In Chromium browsers this is the “autofill” table of the “Web Data” SQLite database (name, value, date_created, date_last_used, count). Firefox keeps it in “moz_formhistory” of formhistory.sqlite (fieldname, value, timesUsed, firstUsed, lastUsed).
Thumbnails
In Chromium browsers the “Top Sites” database held small screenshots of the most visited pages for the New Tab page. Newer versions keep only the URL, rank and title in its “top_sites” table and no longer store the image, so this artifact is version dependent. Where thumbnails exist they show what a page looked like when it was visited, which can corroborate history entries and reveal content that has since changed or been taken down.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Top Sites”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Top Sites”
Extensions
Browser extensions, or “add-ons”, are small software programs added to web browsers to enhance functionality, such as organizing tabs, blocking ads, or saving passwords. However, extensions can be malicious, either from shady vendors or through supply chain attacks, where legitimate extensions are hijacked for harmful purposes. They can serve as important evidence in cases involving malicious extensions.
🔒 Location:
Chrome: “C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Extensions\[extensionid]\[version]\*”
Firefox: “C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\extensions\*”
Edge: “C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\[extensionid]\[version]\*”
Opera: “C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Extensions\[extensionid]\[version]\*”
In the Chromium browsers the folder names under “Extensions” look random but are not: each is the extension ID, 32 lowercase letters from a to p derived from a hash of the extension's public key, and it matches the ID in the Web Store URL. Below it, one folder per installed version holds manifest.json (name, version, permissions, host_permissions, background scripts, update_url) and the code. Install metadata such as install_time, from_webstore, the granted permissions and the disabled state is in the profile's “Preferences” or “Secure Preferences” file under extensions.settings. Firefox stores each add-on as a .xpi archive named by its ID in “extensions”, with install dates, update URLs and enabled state listed in extensions.json in the profile root.
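Two questions come up with every extension found in a profile: is the ID what it claims to be, and what could the code do. The following is an added example, not code from the page or from LetsDefend: it derives a Chromium extension ID from a public key (SHA-256 of the DER key, first 128 bits, hex digits remapped to a–p, which is how Chromium computes it), and triages a manifest.json for broad host access, sensitive permissions, background code and a non-Web-Store update_url. The manifest is constructed, and the `RISKY_PERMISSIONS` set is this example's own judgement, not a Chromium classification.

```python
import base64
import hashlib
import json
import os

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that let an extension read or alter other sites' sessions or
# talk to native code (example's own list).
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "proxy",
                     "declarativeNetRequest", "nativeMessaging", "debugger",
                     "clipboardRead", "history", "tabs", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def extension_id_from_key(spki_der: bytes) -> str:
    """Chromium ID: first 128 bits of SHA-256 over the DER-encoded public key,
    each hex digit 0-9a-f remapped to a-p."""
    hexdigest = hashlib.sha256(spki_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(h, 16)) for h in hexdigest)

def extension_id_from_manifest(manifest: dict):
    # "key" (base64 DER) appears in unpacked/sideloaded manifests; Web Store
    # installs omit it, and the folder name under Extensions\ is the ID.
    key = manifest.get("key")
    return extension_id_from_key(base64.b64decode(key)) if key else None

def triage_manifest(manifest: dict) -> list:
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"permission: {p}")
    for h in sorted(hosts & BROAD_HOSTS):
        findings.append(f"broad host access: {h}")
    upd = manifest.get("update_url")
    if upd and upd != WEBSTORE_UPDATE_URL:
        findings.append(f"non-Web-Store update_url: {upd}")
    elif not upd:
        findings.append("no update_url (unpacked or sideloaded)")
    bg = manifest.get("background", {})
    for script in bg.get("scripts", []) + ([bg["service_worker"]] if "service_worker" in bg else []):
        findings.append(f"background code: {script}")
    return findings

def scan_extensions_dir(root: str) -> dict:
    """Walk Extensions\\<id>\\<version>\\manifest.json and triage each one."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as f:
                manifest = json.load(f)
            ext_id = os.path.basename(os.path.dirname(dirpath))   # folder above the version
            # name may be a "__MSG_...__" placeholder resolved from _locales/
            report[(ext_id, manifest.get("version"))] = (manifest.get("name"), triage_manifest(manifest))
    return report

SAMPLE_MANIFEST = {  # constructed
    "manifest_version": 3, "name": "PDF Helper", "version": "1.4.2",
    "permissions": ["cookies", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "update_url": "https://updates.example.net/ext.xml",
}

if __name__ == "__main__":
    # Real use: scan_extensions_dir(r"D:\case\Default\Extensions")
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A non-Web-Store update_url is worth a second look because it is the channel through which a hijacked or sideloaded extension receives new code; compare it with the update URL recorded for that ID under extensions.settings in Preferences.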
Manual Browser Analysis
Beyond the artifacts listed above, two more tables in the profile databases deserve a manual look.
Top Sites
A good source for gathering user online activity is the “Top Sites” database, which provides information about the websites a user visits, even if the history file is deleted.
Web data
When a user enters login credentials, credit card details, addresses, or other data, the browser prompts whether to save this information. If saved, the data is automatically filled in the next time the user visits the same website, eliminating the need to re-enter it.
The "keywords" table provides valuable information about websites visited, including favicon details and other relevant data.
If a user saves information such as addresses or phone numbers in their browser, it can be found in tables like "autofill_profile_addresses."
The "autofill" table contains information such as emails, usernames, and other data that the user has saved in the browser.
Saved cards are in the “credit_cards” table (name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified, use_count, use_date). The expiration date and cardholder name are plaintext; the number is in card_number_encrypted and on Windows is AES-256-GCM encrypted (blob prefix “v10”) with a key stored in the browser's “Local State” file, itself wrapped with Windows DPAPI for the user's account. Decrypting it therefore needs that user's Windows session, or their DPAPI master key and password, not just the profile files. Chromium does not store the CVV by default; some recent versions offer to save it, and it is then encrypted the same way. Together with the history of the merchant's pages, the card rows help establish which online transactions were made from the profile.
Reference
This knowledge has been compiled from resources provided by LetsDefend.