Microsoft Edge Forensics: Screenshot History

DCSO CyTec Blog
Sep 3, 2023


According to a recent article on Neowin, Microsoft Edge has a new feature that allows it to take screenshots of every web page a user visits. The feature is called “Save screenshots of site for History” and is available in Microsoft Edge 117, which is currently available for testing in the Canary and Dev channels. The feature is off by default, but if a user decides to turn it on, Edge takes a screenshot of each site the user visits and saves it so that the user can quickly recognise and revisit the site from the history view.

This blog post explores the value of this newly released Microsoft Edge feature from a digital forensics standpoint.

Blog post authored by Denis Szadkowski

Feature Overview

The newly introduced feature “Save screenshots of site for History” can be found by visiting the following URL (Microsoft Edge Dev/Canary >=117):

edge://settings/?search=screenshots%20of%20site
“Save screenshot of site for History” — Microsoft Edge Version 118.0.2048.1 dev

After enabling the feature, the browser history shows a screenshot of a visited web page when the user hovers over the corresponding history item, as shown in the figure below:

“Save screenshot of site History” in action

The screenshots presented to the user are created by Microsoft Edge while the web page is being visited, and a new screenshot is taken on each subsequent visit to the same page.

Under The Hood

The implementation of the “Save screenshots of site for History” feature relies on the well-known SQLite database named “History” as its central data store. This database can be found under %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History (Dev and Canary installations use the directories “Edge Dev” and “Edge SxS” in place of “Edge”). It provides a trove of information related to browsing activity and is of great value to investigators. The following figure shows the structure of the “History” database.

Microsoft Edge — SQLite Database “History”

The relevant table for the newly introduced feature is the one named edge_visits which contains the following columns:

Microsoft Edge “History” — “edge_visits” Table

As can be seen in the figure above, the data column stores a BLOB containing a 420x235 pixel JPEG screenshot, which is created whenever the user visits a web page. On its own, the edge_visits table does not reveal when a screenshot was created or for which exact URL it was taken. By combining information from the “History” tables visits, edge_visits and urls, investigators can recover the missing information.

The SQL query below combines the necessary tables visits, edge_visits and urls to achieve this.

SELECT
    visits.visit_time,
    urls.url,
    edge_visits.data
FROM visits
LEFT JOIN urls        ON urls.id = visits.url
LEFT JOIN edge_visits ON edge_visits.visit_id = visits.id
WHERE edge_visits.data IS NOT NULL;

The visit_id column of the edge_visits table matches the id column of the visits table. Compared to edge_visits, the visits table carries additional information, e.g. the timestamp of the visit (visit_time, stored in Chromium's format of microseconds since 1601-01-01 UTC) and a url column holding the id of the exact URL that was visited, which in turn resolves against the urls table. Joining all three tables therefore yields, for every visit, the screenshot, the timestamp of the visit and the exact URL for which the screenshot was taken.

SQL JOIN of tables “edge_visits”, “visits” and “urls”

The screenshots created by Microsoft Edge during web page visits can easily be exported from the “History” database by running the following command. Work on a forensic copy of the database (together with any accompanying -journal file): a running Edge instance holds the live database locked and may still have unflushed writes.

sqlite3 History "SELECT hex(edge_visits.data) FROM edge_visits WHERE edge_visits.visit_id=25" | xxd -r -p > 25.jpg

The results of the command can be observed in the figure below. Although the screenshot resolution is low it still can provide investigators with useful visual clues about the state of a web page that a user visited at a given point in time.

Original screenshot exported from “History” database
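The join and the export step above can be combined into a single script that also converts the raw visit_time values into readable UTC timestamps. The following Python example is added here and is not code from the original post or from Microsoft: it builds a throw-away database with only the columns of urls, visits and edge_visits that the query needs (the real tables carry many more), fills it with constructed rows and constructed JPEG-like blobs (including two visits of the same URL, mirroring the versioning behaviour described further below), runs the join read-only, and writes one <visit_id>_<timestamp>.jpg file per screenshot. Table and column names follow the post; the 1601-01-01 epoch is the Chromium convention for visit_time.

```python
"""
Added example, not code from the original post: build a throw-away copy of the
three Edge "History" tables the post joins (urls, visits, edge_visits), run
the join, convert the raw visit_time values and export every screenshot blob
to a .jpg file. Only the columns the query needs are modelled; the rows and the
JPEG bytes are constructed here and are not real browsing data.
"""
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium-based browsers store visit_time as microseconds since 1601-01-01 UTC
# (the Windows FILETIME epoch), not as a Unix timestamp.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    # Integer floor division keeps microsecond precision (float division would not).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Assumed minimal schema: only the columns used below.
SCHEMA = """
CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER NOT NULL,
                     visit_time INTEGER NOT NULL);
CREATE TABLE edge_visits (visit_id INTEGER PRIMARY KEY, data BLOB);
"""

# Same join as in the post, as inner joins: the WHERE clause already discards
# every visit that has no screenshot, so LEFT JOIN adds nothing here.
QUERY = """
SELECT visits.id, visits.visit_time, urls.url, edge_visits.data
FROM visits
JOIN urls        ON urls.id = visits.url
JOIN edge_visits ON edge_visits.visit_id = visits.id
WHERE edge_visits.data IS NOT NULL
ORDER BY visits.visit_time
"""


def fake_jpeg(tag: bytes) -> bytes:
    """Constructed stand-in for a 420x235 screenshot: JFIF header, payload, EOI marker."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + tag + b"\xff\xd9"


def looks_like_jpeg(blob: bytes) -> bool:
    """Check the magic bytes instead of trusting the .jpg extension of an exported file."""
    return blob[:3] == b"\xff\xd8\xff" and blob[-2:] == b"\xff\xd9"


def build_sample_db(path: Path) -> None:
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    t0 = datetime(2023, 9, 1, 8, 0, tzinfo=timezone.utc)
    con.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://outlook.office.com/mail/", "Outlook"),
        (2, "https://example.invalid/login", "Sign in"),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?)", [
        (10, 1, datetime_to_webkit(t0)),
        (11, 2, datetime_to_webkit(t0 + timedelta(minutes=3))),
        (12, 2, datetime_to_webkit(t0 + timedelta(days=1))),  # same URL, later version
        (13, 1, datetime_to_webkit(t0 + timedelta(days=2))),  # visit without a screenshot
    ])
    con.executemany("INSERT INTO edge_visits VALUES (?,?)", [
        (10, fake_jpeg(b"outlook-v1")),
        (11, fake_jpeg(b"login-v1")),
        (12, fake_jpeg(b"login-v2")),
        (13, None),
    ])
    con.commit()
    con.close()


def export_screenshots(history_path: Path, out_dir: Path) -> list[dict]:
    """Join visits/urls/edge_visits, write each blob to <visit_id>_<utc>.jpg, return the records."""
    out_dir.mkdir(parents=True, exist_ok=True)
    # Open read-only, and only ever on a copy of History (plus its -journal file):
    # a running Edge holds the live database locked and may have unflushed writes.
    con = sqlite3.connect(history_path.resolve().as_uri() + "?mode=ro", uri=True)
    records = []
    for visit_id, visit_time, url, blob in con.execute(QUERY):
        ts = webkit_to_datetime(visit_time)
        target = out_dir / f"{visit_id}_{ts:%Y%m%dT%H%M%SZ}.jpg"
        target.write_bytes(blob)
        records.append({"visit_id": visit_id, "visit_time_utc": ts.isoformat(),
                        "url": url, "file": str(target), "jpeg": looks_like_jpeg(blob)})
    con.close()
    return records


def run_demo() -> list[dict]:
    work = Path(tempfile.mkdtemp(prefix="edge-history-"))
    build_sample_db(work / "History")
    return export_screenshots(work / "History", work / "screenshots")


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["visit_time_utc"], rec["url"], rec["file"],
              "jpeg" if rec["jpeg"] else "NOT JPEG")
```

Against a real acquisition, point export_screenshots at the copied History file instead of the constructed one; the two visits of the same login URL in the sample data come out as two separate files, which is exactly the versioning the next section describes.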

Your Local Wayback Machine

During the analysis of the “Save screenshots of site for History” feature the author found that Microsoft Edge does not only keep the most recent screenshot of a web page visited by the user; it stores multiple versions for the same URL, one per visit. This behaviour is demonstrated in the following GIF:

“Save screenshot of site History” in action

Having access to the screenshot history of a web page that an individual visits regularly can help investigators to prove the progression of criminal activity over time. Additionally, from an incident response perspective this feature can be leveraged to investigate initial access in cases where Microsoft Edge is part of the entry vector. One example is a user opening their Exchange Online mailbox, then opening a phishing email and finally clicking the malicious URL inside it. Each of these steps would have been captured by the “Save screenshots of site for History” feature of Microsoft Edge, allowing investigators to reconstruct the initial access vector in far more detail than URLs and timestamps alone provide.

Conclusion and Outlook

Microsoft Edge provides investigators with a trove of forensic artifacts that can be leveraged to prove criminal activity or to gather information about attackers. With its newest feature “Save screenshots of site for History” the already rich set of Microsoft Edge forensic artifacts has been extended once again. The fact that the feature is disabled by default and not yet included in the stable channel limits its forensic value for now, but the author believes that this may change in the foreseeable future: the browser market is highly competitive, and the big vendors Microsoft, Google and Mozilla are all trying to attract users with new convenience features.


We are DCSO, the Berlin-based German cybersecurity company. On this blog, we share our technical research.