# Browser Forensics

## Acquisition

**`Google:`** `"%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\"`

**`Firefox:`** `"%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"`

**`Edge:`** `"%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\"`

**`Opera:`** `"%USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable\"`

## Browser Artifacts

Some typical artifacts found in browser forensics include:

* Search history
* Visited Websites
* Downloads
* Cookies
* Cache
* Bookmarks
* Favicons
* Sessions
* Form history
* Thumbnails
* Extensions

### Search History

Search history records search terms and reveals user intentions by showing exact URLs entered in the search bar.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”`

{% hint style="info" %}
The search history is stored in an SQLite database called “History” within the “keyword\_search\_terms” table.
{% endhint %}

### Visited Websites

This artifact includes browsing history, such as visited URLs and timestamps, essential for identifying user activity, pinpointing compromise origins, and expediting investigations.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”`

{% hint style="info" %}
This data is stored in the “History” SQLite database within the “visits” table.
{% endhint %}

### Downloads

This artifact records downloaded files, their names, and the source URLs, making it valuable for identifying and analyzing potentially malicious files.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\History”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\History”`

{% hint style="info" %}
This data is stored in the “History” SQLite database, within the “downloads\_url\_chains” and “downloads” tables.
{% endhint %}
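The three artifacts above (search terms, visits and downloads) all live in the same Chromium “History” SQLite database, so one script covers them. The following is an added example, not code from the page or from any browser vendor: it builds an in-memory database using a constructed subset of Chromium's real table layout (`urls`, `visits`, `keyword_search_terms`, `downloads`, `downloads_url_chains`), fills it with constructed rows, and runs the queries an examiner would run against a copied `History` file. Timestamps are converted from WebKit format (microseconds since 1601-01-01 UTC); the column subset and sample values are assumptions, the conversion is not.

```python
# Added example (not from the original page): query a Chrome-style "History"
# database for search terms, the visit timeline and downloads. The schema is a
# constructed subset of Chromium's real tables; column names match Chromium's.
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(us: int) -> str:
    """Chromium stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    if not us:
        return ""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M:%S")


SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                   visit_count INTEGER, last_visit_time INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER);
CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                   term TEXT, normalized_term TEXT);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                        start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
"""

# Constructed sample timestamp: 2024-01-15 00:00:00 UTC in WebKit microseconds.
T0 = 13349750400000000


def load_sample() -> sqlite3.Connection:
    """Create an in-memory History database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.example.com/search?q=invoice+template",
         "invoice template - Search", 1, T0),
        (2, "https://files.example.net/invoice.zip", "", 1, T0 + 60_000_000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, T0, 0, 0),               # first visit, no referrer
        (2, 2, T0 + 60_000_000, 1, 0),  # reached from visit 1
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (1, 1, "invoice template", "invoice template"))
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?)",
                 (1, r"C:\Users\alice\Downloads\invoice.zip",
                  r"C:\Users\alice\Downloads\invoice.zip", T0 + 61_000_000, 4096, 4096))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://short.example.org/abc"),           # redirect hop
        (1, 1, "https://files.example.net/invoice.zip"),   # final source
    ])
    conn.commit()
    return conn


def search_terms(conn):
    """(term, url the search produced, last visit time) in chronological order."""
    rows = conn.execute("""
        SELECT k.term, u.url, u.last_visit_time
        FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
        ORDER BY u.last_visit_time""").fetchall()
    return [(term, url, webkit_to_iso(t)) for term, url, t in rows]


def visit_timeline(conn):
    """(time, url, title, from_visit): from_visit links a visit to its referrer visit id."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [(webkit_to_iso(t), url, title, frm) for t, url, title, frm in rows]


def download_records(conn):
    """Each download with its ordered URL chain (redirects) and completion state."""
    out = []
    for did, path, start, got, total in conn.execute(
            "SELECT id, target_path, start_time, received_bytes, total_bytes "
            "FROM downloads ORDER BY start_time"):
        chain = [u for (u,) in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (did,))]
        out.append({"path": path, "started": webkit_to_iso(start),
                    "complete": got == total, "chain": chain})
    return out


if __name__ == "__main__":
    db = load_sample()  # replace with sqlite3.connect("History") on a copied file
    for rec in search_terms(db) + visit_timeline(db):
        print(rec)
    for rec in download_records(db):
        print(rec)
```

Work on a copy of the `History` file: the live database is locked while the browser runs and carries a write-ahead log (`History-journal`) whose contents are lost if only the main file is copied.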

### Cookies

Cookies are small data pieces stored by websites on a user's browser. Analyzing cookies reveals information about the websites that set them, the stored data, and their expiration dates, offering insights into past web sessions, domain names, and more.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\cookies.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Network\Cookies”`

### Cache

Web cache is a temporary storage for web data like HTML pages and images. Cache analysis helps reconstruct a user's browsing history and uncover frequently visited websites, potentially revealing evidence.

This data is stored in multiple data block files, indexed by a separate index file.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\webappsstore.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data”`

**`Opera:`** `“C:\Users\[username]\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data”`

{% hint style="info" %}
Opera cache is saved under “\Appdata\Local\*”, while the rest of the Opera data is stored under “\Appdata\Roaming\”.
{% endhint %}

### Bookmarks

Bookmarks are key artifacts in browser forensics, representing saved web pages for later access. Stored in dedicated folders, they offer insights into frequently visited sites and user interests. Analyzing bookmarks helps reconstruct browsing history and identify behavior patterns.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Bookmarks”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\places.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Bookmarks”`

{% hint style="info" %}
Bookmarks are stored in a JSON file named “Bookmarks” in the default directory.
{% endhint %}
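Because the Chromium `Bookmarks` file is plain JSON, it can be walked without any forensic tooling. The following is an added example, not code from the page or from any browser vendor. The sample document is constructed in the layout Chromium uses (a `roots` object whose folders nest `children`, each `url` node carrying a `date_added` WebKit timestamp stored as a string); the folder and URL values are invented.

```python
# Added example (not from the original page): flatten a Chrome/Edge-style
# "Bookmarks" JSON file into (folder path, name, url, date added) records.
import json
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in Chromium's layout; timestamps are WebKit microseconds as strings.
SAMPLE_BOOKMARKS = json.dumps({
    "version": 1,
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar", "date_added": "13349750400000000",
            "children": [
                {"type": "url", "name": "Mail", "url": "https://mail.example.com/",
                 "date_added": "13349750400000000"},
                {"type": "folder", "name": "Work", "date_added": "13349750460000000",
                 "children": [
                     {"type": "url", "name": "Ticketing", "url": "https://tickets.example.com/",
                      "date_added": "13349750520000000"}]},
            ]},
        "other": {"type": "folder", "name": "Other bookmarks", "children": [
            {"type": "url", "name": "Downloads mirror", "url": "http://198.51.100.7/tools/",
             "date_added": "13349836800000000"}]},
        "synced": {"type": "folder", "name": "Mobile bookmarks", "children": []},
    },
})


def webkit_to_iso(us_str: str) -> str:
    """Bookmarks store WebKit microseconds as a decimal string; '0'/missing means unset."""
    us = int(us_str or 0)
    if not us:
        return ""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M:%S")


def walk(node, path):
    """Recursively yield (folder path, name, url, date added) for every url node."""
    if node.get("type") == "url":
        yield ("/".join(path), node.get("name", ""), node.get("url", ""),
               webkit_to_iso(node.get("date_added", "0")))
    for child in node.get("children", []):
        yield from walk(child, path + [node.get("name", "")])


def parse_bookmarks(text: str):
    """Return all bookmark entries across every root, oldest first."""
    doc = json.loads(text)
    entries = []
    for root in doc.get("roots", {}).values():
        if isinstance(root, dict):  # older files also carry non-folder values here
            entries.extend(walk(root, []))
    return sorted(entries, key=lambda e: e[3])


def plain_http(entries):
    """Triage helper: bookmarks pointing at unencrypted http:// hosts."""
    return [e for e in entries if e[2].lower().startswith("http://")]


if __name__ == "__main__":
    # On a real profile: open(".../User Data/Default/Bookmarks", encoding="utf-8").read()
    for entry in parse_bookmarks(SAMPLE_BOOKMARKS):
        print(entry)
```

Chromium also keeps a `Bookmarks.bak` beside the live file, written before the most recent save; comparing the two shows bookmarks that were recently removed.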

### Favicons

Favicons are small images associated with websites, appearing in the browser's address bar and used for bookmarking. In browser forensics, favicons can reveal frequently visited sites and user interests. The domain name of the website where the favicon was loaded is recorded, even if the history file is deleted. However, not all websites have favicons, especially malicious ones, and this artifact may be inconsistent in newer browser versions, limiting its reliability.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Favicons”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\favicons.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Favicons”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Favicons”`

{% hint style="info" %}
This data is stored in an SQLite database named “Favicons” in the default directory.
{% endhint %}

### Session file

Session files store information about web pages open during the last browser session, including URLs, page titles, text entered in forms, and sometimes browsing history or cookies. Even if history is deleted, these files can help reconstruct browsing activity and identify behavior patterns. They provide valuable data when the browser is closed and history is removed.

{% hint style="warning" %}
If the user opens the browser for a new session, the previous session file remains but its contents are nullified, rendering it useless.
{% endhint %}

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Sessions\*”`

**`Firefox (1):`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\sessionstore.jsonlz4”`

**`Firefox (2):`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\sessionstore-backups\*”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\*”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Sessions\*”`

{% hint style="info" %}
This data is stored in an SQLite database named “Sessions” in the default directory.
{% endhint %}

### Form History

Form history stores text entered by a user into web forms, such as search boxes or online forms, to simplify future form-filling. It can reveal insights into the user's browsing habits, interests, and sensitive information entered into forms.

{% hint style="danger" %}
The "Form History" artifact can reveal sensitive information such as passwords, credit card details, and other personal data entered into online forms.
{% endhint %}

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Web Data”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\formhistory.sqlite”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Web Data”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Web Data”`

{% hint style="info" %}
This data is stored in an SQLite database named “Web Data.”
{% endhint %}

### Thumbnails

Thumbnails are small versions of images or videos generated by web browsers to help organize and navigate media files. Stored in the cache or temporary files, they can reveal the types of media accessed or downloaded by a user and provide clues about the websites or online services involved.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Top Sites”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Top Sites”`

### Extensions

Browser extensions, or "addons," are small software programs added to web browsers to enhance functionality, such as organizing tabs, blocking ads, or saving passwords. However, extensions can be malicious, either from shady vendors or through supply chain attacks, where legitimate extensions are hijacked for harmful purposes. They can serve as important evidence in cases involving malicious extensions.

:lock: Location:

**`Chrome:`** `“C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Extensions\{randomfoldername}\*”`

**`Firefox:`** `“C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[randomfoldername]\extensions\*”`

**`Edge:`** `“C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\{randomfoldername}\*”`

**`Opera:`** `“C:\Users\[username]\AppData\Roaming\Opera Software\Opera Stable\Extensions\{randomfoldername}\*”`

{% hint style="info" %}
Extension metadata is stored in the "Extensions" folder, within folders that are randomly named.
{% endhint %}
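When triaging the `Extensions` folder, the first question is what each installed extension is allowed to do. The following is an added example, not code from the page or from any browser vendor. It walks the `Extensions\<id>\<version>\manifest.json` layout that Chromium uses, resolves localized `__MSG_…__` names from `_locales`, and flags broad host access and permissions an examiner would want to look at. The sample tree is built in a temporary directory with constructed extension ids and manifests; the permission lists marked "sensitive" are this example's own choice, not a browser definition.

```python
# Added example (not from the original page): inventory Chromium-style
# extensions from a profile's "Extensions" folder. The sample tree is
# constructed; extension ids and manifests are invented for the demonstration.
import json
import os
import tempfile

# Host patterns that grant access to every site; permissions worth a second look
# (example's own triage list, not a Chromium category).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "history", "tabs",
                   "nativeMessaging", "proxy", "debugger", "clipboardRead"}


def read_json(path):
    # Some manifests ship with a UTF-8 BOM; utf-8-sig tolerates both.
    with open(path, encoding="utf-8-sig") as fh:
        return json.load(fh)


def resolve_name(manifest, version_dir):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msgs_path = os.path.join(version_dir, "_locales", locale, "messages.json")
        if os.path.isfile(msgs_path):
            name = read_json(msgs_path).get(key, {}).get("message", name)
    return name


def inventory(extensions_dir):
    """One record per installed extension version, sorted by extension id."""
    found = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            version_dir = os.path.join(id_dir, version)
            manifest_path = os.path.join(version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue  # e.g. Chromium's Temp folder or partial installs
            m = read_json(manifest_path)
            perms = set(m.get("permissions", []))
            hosts = set(m.get("host_permissions", []))            # Manifest V3
            hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # V2 style
            for cs in m.get("content_scripts", []):
                hosts |= set(cs.get("matches", []))
            found.append({
                "id": ext_id, "version": version,
                "name": resolve_name(m, version_dir),
                "manifest_version": m.get("manifest_version"),
                "broad_host_access": bool(hosts & BROAD_HOSTS),
                "sensitive_permissions": sorted(perms & SENSITIVE_PERMS),
                "update_url": m.get("update_url", ""),
            })
    return found


def build_sample_tree():
    """Create a constructed Extensions folder with two fake extensions."""
    ext_dir = os.path.join(tempfile.mkdtemp(), "Extensions")
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": ("1.2.0", {
            "manifest_version": 3, "name": "Tab Tidy", "version": "1.2.0",
            "permissions": ["tabs", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
            "update_url": "https://clients2.google.com/service/update2/crx",
        }, None),
        "ponmlkjihgfedcbaponmlkjihgfedcba": ("0.9", {
            "manifest_version": 3, "name": "__MSG_appName__", "version": "0.9",
            "default_locale": "en", "permissions": ["storage"],
        }, {"appName": {"message": "Quiet Notes"}}),
    }
    for ext_id, (version, manifest, messages) in samples.items():
        vdir = os.path.join(ext_dir, ext_id, version)
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if messages:
            ldir = os.path.join(vdir, "_locales", "en")
            os.makedirs(ldir)
            with open(os.path.join(ldir, "messages.json"), "w", encoding="utf-8") as fh:
                json.dump(messages, fh)
    return ext_dir


if __name__ == "__main__":
    for rec in inventory(build_sample_tree()):  # point at a real Extensions folder instead
        print(rec)
```

An extension whose `update_url` is absent or points somewhere other than the store it claims to come from was side-loaded or unpacked, which is worth correlating with the install time of the version folder.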

<details>

<summary>Tools</summary>

* BrowsingHistoryView
* Hindsight Framework
* DB Browser for SQLite
* Strings (Session file)

</details>

## Manual Browser Analysis

In addition to the artifacts above, two further databases are worth examining.

### Top Sites

A good source for gathering user online activity is the “Top Sites” database, which provides information about the websites a user visits, even if the history file is deleted.

### Web data

When a user enters login credentials, credit card details, addresses, or other data, the browser prompts whether to save this information. If saved, the data is automatically filled in the next time the user visits the same website, eliminating the need to re-enter it.

{% hint style="info" %}
The "keywords" table provides valuable information about websites visited, including favicon details and other relevant data.
{% endhint %}

{% hint style="info" %}
If a user saves information such as addresses or phone numbers in their browser, it can be found in tables like "autofill\_profile\_addresses."
{% endhint %}

{% hint style="info" %}
The "autofill" table contains information such as emails, usernames, and other data that the user has saved in the browser.
{% endhint %}

{% hint style="info" %}
Credit card information, including card numbers, expiration dates, and potentially CVV codes, may be found in the "credit\_cards" table. While credit card numbers and CVVs are often encrypted, expiration dates are typically stored as they are less sensitive. This data can help track the user's online transactions and purchased goods or services, depending on the payment gateway and API used.
{% endhint %}

***

### Reference

* <https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location>

{% hint style="success" %}
This knowledge has been compiled from resources provided by [LetsDefend](https://letsdefend.io/).
{% endhint %}

#### A cheat sheet from [13cubed](https://training.13cubed.com/downloads):

{% file src="/files/IrSzeyQhrGbzx9bUxQxH" %}


