Microsoft Edge Forensics: Screenshot History
According to a recent article on Neowin, Microsoft Edge has a new feature that takes a screenshot of every web page a user visits. The feature is called “Save screenshots of site for History” and is available in Microsoft Edge 117, which is currently available for testing in the Canary and Dev channels. The feature is off by default, but if a user decides to turn it on, Edge takes screenshots of the sites the user visits and saves them so that the user can quickly revisit a site from history.
This blog post explores the value of this newly released Microsoft Edge feature from a digital forensics standpoint.
Blog post authored by Denis Szadkowski
Feature Overview
The newly introduced feature “Save screenshots of site for History” can be found by visiting the following URL (Microsoft Edge Dev/Canary >=117):
edge://settings/?search=screenshots%20of%20site
After enabling the feature the browser history will show screenshots of web pages the user visited when hovering over the corresponding history items as shown in the figure below:
The screenshots that are presented to the user are created by Microsoft Edge while visiting the web page and are updated on subsequent visits.
Under The Hood
The implementation of the “Save screenshots of site for History” feature relies on the commonly known SQLite database named “History” as its central data store. This database file, which can be found at %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History, provides a trove of information related to browsing activities which can be of great value to investigators. In the following figure the structure of the “History” database is presented.
The relevant table for the newly introduced feature is the one named edge_visits, which contains the following columns:
As can be seen in the figure above, the column data stores a blob that corresponds to a 420x235 pixel screenshot (JPEG), which is created whenever the user visits a web page. The edge_visits table on its own does not provide any information about when the screenshot was created or for which exact URL it was taken. By combining information from the “History” database tables visits, edge_visits and urls, investigators can find the missing information.
The SQL query below joins the tables visits, edge_visits and urls to achieve this.
SELECT
visits.visit_time,
urls.url,
edge_visits.data
FROM
visits
LEFT JOIN urls ON urls.id=visits.url
LEFT JOIN edge_visits ON visits.id=edge_visits.visit_id
WHERE edge_visits.data IS NOT NULL
The visit_id column from the edge_visits table matches the id column from the visits table. Compared to the edge_visits table, the visits table has additional information, e.g. the timestamp of the visit and a url column containing the id of the exact URL that was visited. By joining all three tables it is possible to get the screenshot of a web page visit, the timestamp of the visit and the exact URL for which the screenshot was taken. Note that visit_time is stored, as in every Chromium-based browser, as a WebKit timestamp (microseconds since 1601-01-01 00:00:00 UTC), not as a Unix timestamp, so it has to be converted before it is correlated with other timeline sources.
The screenshots created by Microsoft Edge during web page visits can easily be exported from a copy of the “History” database by running the following command (Edge keeps the live database locked while it is running, and the original evidence file should never be queried directly):
sqlite3 History "SELECT hex(edge_visits.data) FROM edge_visits WHERE edge_visits.visit_id=25" | xxd -r -p > 25.jpg
The results of the command can be observed in the figure below. Although the screenshot resolution is low, it can still provide investigators with useful visual clues about the state of a web page that a user visited at a given point in time.
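The join and the export described above can also be scripted so that every screenshot in a History file is written out with its visit time converted from the WebKit epoch. The following Python script is an added example, not the author's tooling: it copies the History file before opening it read-only, runs the same three-table join, converts visit_time to UTC and writes one JPEG per visit. The schema in build_sample_history() is a constructed fixture containing only the columns the query touches; real Edge tables carry many more columns, and the blobs and URLs in it are made up.

```python
"""Parse Edge "Save screenshots of site for History" artifacts from a History SQLite DB."""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chromium/Edge store visits.visit_time as a WebKit timestamp:
# microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Same three-table join as in the post; inner joins because we only
# want visits that actually have a screenshot blob attached.
SCREENSHOT_QUERY = """
SELECT visits.id, visits.visit_time, urls.url, edge_visits.data
FROM visits
JOIN urls ON urls.id = visits.url
JOIN edge_visits ON edge_visits.visit_id = visits.id
WHERE edge_visits.data IS NOT NULL
ORDER BY visits.visit_time
"""


def webkit_to_datetime(webkit_us):
    """Convert a WebKit microsecond timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def open_history_copy(history_path):
    """Copy the History file first (Edge holds a lock on the live database),
    then open the copy read-only so the evidence file is never modified."""
    work_dir = tempfile.mkdtemp(prefix="edge_history_")
    copy_path = os.path.join(work_dir, "History")
    shutil.copy2(history_path, copy_path)
    return sqlite3.connect(f"file:{copy_path}?mode=ro", uri=True)


def list_screenshots(conn):
    """Return one record per visit that has a screenshot, with the visit time in UTC."""
    rows = conn.execute(SCREENSHOT_QUERY).fetchall()
    return [
        {
            "visit_id": visit_id,
            "visited_utc": webkit_to_datetime(visit_time).isoformat(),
            "url": url,
            "is_jpeg": data[:2] == b"\xff\xd8",  # JPEG SOI marker sanity check
            "size": len(data),
        }
        for visit_id, visit_time, url, data in rows
    ]


def export_screenshots(conn, out_dir):
    """Write every screenshot blob to <out_dir>/<visit_id>.jpg and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for visit_id, _visit_time, _url, data in conn.execute(SCREENSHOT_QUERY):
        path = os.path.join(out_dir, f"{visit_id}.jpg")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_history():
    """CONSTRUCTED fixture: an in-memory History DB with only the columns the
    query needs. Real Edge tables have many more columns; the data is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE edge_visits (visit_id INTEGER, data BLOB);
    """)
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"  # SOI ... EOI only
    t0 = 13338000000000000  # 2023-09-01 00:00:00 UTC as a WebKit timestamp
    conn.execute("INSERT INTO urls VALUES (1, 'https://outlook.office.com/mail/')")
    conn.execute("INSERT INTO urls VALUES (2, 'https://example.invalid/login')")
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (25, 1, t0),
        (26, 2, t0 + 3_600_000_000),
        (27, 1, t0 + 7_200_000_000),  # revisit that has no screenshot row
    ])
    conn.executemany("INSERT INTO edge_visits VALUES (?, ?)",
                     [(25, fake_jpeg), (26, fake_jpeg)])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Against a real profile: db = open_history_copy(r"...\User Data\Default\History")
    db = build_sample_history()
    for record in list_screenshots(db):
        print(record)
    print(export_screenshots(db, "screenshots"))
```

The export writes files named after visits.id, which keeps each JPEG tied to the exact visit row (and therefore timestamp and URL) it came from; the same URL visited twice yields two separate files.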
Your Local Wayback Machine
During the analysis of the “Save screenshots of site for History” feature the author found that Microsoft Edge not only stores the most recent screenshot of a web page visited by the user but it stores multiple versions for the same URL. This behavior is demonstrated in the following GIF:
Having access to the screenshot history of a web page regularly visited by an individual can help investigators to prove the progression of criminal activity over time. Additionally, from an incident response perspective this feature can be leveraged to investigate initial access where Microsoft Edge is part of the entry vector. One example might be a user visiting their Exchange Online mailbox, opening a phishing email and then clicking the malicious URL inside the email. Those activities would have been screenshotted by the “Save screenshots of site for History” feature of Microsoft Edge, which in turn would allow investigators to better understand the initial access vector.
Conclusion and Outlook
Microsoft Edge provides investigators with a trove of forensic artifacts that can be leveraged to prove criminal activities or gather information about attackers. With its newest feature “Save screenshots of site for History” the already rich ecosystem of Microsoft Edge forensic artifacts has been extended yet again. The fact that the feature is disabled by default and not yet included in the stable channel limits its forensic value for now, but the author believes that this might change in the foreseeable future. The reason for this is the highly competitive browser market, in which the big vendors Microsoft, Google and Mozilla are trying to attract users with shiny new convenience features.