
Browser Forensics - Tools & Techniques

Updated: Feb 26, 2022

Our browsers save a lot of data about our online activity and create a digital entity for us, mainly to improve our internet browsing and let us use as many online features as we can.


Having said that, the amount of information stored locally in the browser's folders is huge and can be super useful for forensic analysis.


In this article, I am going to demonstrate the most useful ways to extract the forensic data we need during a digital investigation. You will also find some highly rated, useful tools for presenting this kind of data.



Points of Interest

Here are some of the most useful artifacts we are going to take a look at:

  • Logins & Passwords - Emails and passwords used by the profile.

  • Downloads - All the files downloaded by the profile.

  • Cache - When navigating websites, the browser creates all sorts of cache data for many reasons, for example to speed up the loading time of websites.

  • Bookmarks - All the preferred sites saved by the user.

  • Extensions & Addons - Third-party applications used by the profile.

  • Navigation History - Useful data about the navigation history of the user. It can be used, for example, to track down whether the user has visited malicious sites.

  • Autocomplete Data - The browser's suggestions are based on what the profile was searching for the most.

  • Form Data - The browser uses saved data in order to help the profile to fill some forms and sometimes saves this data for the next time.


Browsers of Interest



Google Chrome

| Artifact | Path |
| --- | --- |
| Logins & Passwords | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data |
| Downloads | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History |
| Cache | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cache |
| Bookmarks | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Bookmarks |
| Extensions & Addons | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\ |
| Navigation History | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History |
| Autocompleted Data, Form Data | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Web Data |


Mozilla Firefox

| Artifact | Path |
| --- | --- |
| Logins & Passwords | Logins - C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json |
| | Passwords - C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db |
| Downloads | C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite |
| Cache | C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\cache2\entries |
| Bookmarks | C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups\ |
| Extensions & Addons | Extension - C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite |
| | Browsers - C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite |
| Navigation History | C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\places.sqlite |
| Form Data | C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite |


Microsoft Edge

| Artifact | Path |
| --- | --- |
| Downloads | C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat |
| Cache | C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\#!XXX\MicrosoftEdge\Cache |
| Bookmarks | C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb |
| Navigation History | C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat |



Tools


DB Browser for SQLite

This tool will help us to use all the data saved inside Chrome & Firefox databases, which are saved as .sqlite files.

To open the database in DB Browser, do the following:

  1. Click on the ‘open database’ button in the toolbar.

  2. Navigate to where you have stored the database file on your local machine, select it and click open.

When opening the database, the ‘Database Structure’ tab on the left and the ‘DB Schema’ pane on the right will look very similar. However, the ‘DB Schema’ pane is only there to let us see the details of the schema: which tables are in the database, and which fields, with their types, are in each table.

The ‘Database Structure’ tab on the left allows initiating actions on the tables.


Nirsoft Web Browser Tools

BrowsingHistoryView is a new utility that reads the history data of 14 different Web browsers:

  • Internet Explorer

  • Microsoft Edge

  • Mozilla Firefox

  • Google Chrome

  • Safari

  • Waterfox

  • Chrome Canary

  • Opera

  • Pale Moon

  • Brave

  • SeaMonkey

  • Yandex

  • Vivaldi

This tool displays the browsing history of all these Web browsers in one table.

The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web browser, and User Profile. This tool also allows us to view the browsing history of all user profiles in a running system, as well as to get the browsing history from an external hard drive.




Hindsight

Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies).

Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.

Some of the command-line options are:

  • -i or --input Path to the Chrome “Default” directory

  • -o or --output Name of the output file (without extension)

  • -f or --format Output format (default is XLSX, other options are SQLite and JSON)

  • -c or --cache Path to the cache directory; only needed if the directory is outside the given “input” directory. Mac systems are set up this way by default.

  • -b or --browser_type The type of browser the input files belong to. Supported options are Chrome (default) and Brave.

  • -l or --log Location Hindsight should log to (will append if exists)

  • -h or --help Shows these options and the default Chrome data locations

  • -t or --timezone Display timezone for the timestamps in XLSX output

You can read more and download this tool over here: https://github.com/obsidianforensics/hindsight


We can use either GUI or CLI versions -

GUI -

python hindsight_gui.py

CLI -

python hindsight.py


Use the profile path you want to analyze -

| Browser | Path |
| --- | --- |
| Google Chrome | C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default |
| Mozilla Firefox | C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\ |
| Microsoft Edge | C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC |



ABOUT THIS SITE

This site is intended for educational purposes in the cybersecurity world. 
All rights reserved to Security Hive and its owners.

 


© Security Hive 2020

 