Web Browsers Forensics

Nasreddine Bencherchali
Sep 19 · 4 min read

When doing forensic analysis, browsers are a gold mine because of the amount of information they contain.

Often the source of incidents and malware can be traced back using the artifacts found inside browsers. From the navigation history to downloaded files, browsers are a critical piece in any forensic analysis.

In this article, we’ll talk about the different browsers available today, where each one of them stores these artifacts and how to extract, understand and make sense of them.

Browser Artifacts

When we talk about browser artifacts, we mean navigation history, bookmarks, the list of downloaded files, cache data, etc.

These artifacts are files stored inside of specific folders in the operating system.

Each browser stores its files in a different place than other browsers and they all have different names, but they all store (most of the time) the same type of data (artifacts).

Let us take a look at the most common artifacts stored by browsers.

  • Navigation History : Contains data about the navigation history of the user. Can be used to determine whether the user has visited malicious sites, for example.
  • Autocomplete Data : This is the data that the browser suggests based on what you search the most. Can be used in tandem with the navigation history to get more insight.
  • Bookmarks : Self Explanatory.
  • Extensions and Addons : Self Explanatory.
  • Cache : When navigating websites, the browser creates all sorts of cache data (images, JavaScript files, etc.) for many reasons, for example to speed up the loading time of websites. These cache files can be a great source of data during a forensic investigation.
  • Logins : Self Explanatory.
  • Favicons : They are the little icons found in tabs, URLs, bookmarks and the like. They can be used as another source to get more information about the websites or places the user visited.
  • Browser Sessions : Self Explanatory.
  • Downloads : Self Explanatory.
  • Form Data : Anything typed inside forms is often stored by the browser, so the next time the user enters something inside a form the browser can suggest previously entered data.
  • Thumbnails : Self Explanatory.

With that said, let us dive right in.

Mozilla Firefox

  • Profile Path : Contains the profile data and the majority of the artifacts.
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\
  • Navigation History + Bookmarks [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\places.sqlite
  • Bookmarks Backups [Folder / .jsonlz4 Files]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups\
  • Cookies [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\cookies.sqlite
  • Cache [Multiple Types Of Data]
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\cache2\entries
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\startupCache
  • Form History [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite
  • Addons + Extensions [SQLite Database] : Contains data about the installed addons in the browser.
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite
  • Favicons [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\favicons.sqlite
  • Settings And Preferences
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\prefs.js
  • Logins + Passwords [JSON File]
- Logins
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json
- Passwords
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key3.db (Older Version)
  • Sessions Data [jsonlz4 File] : A file that contains data about the current session (tabs and websites opened).
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore.jsonlz4
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore-backups\
  • Downloads [SQLite Database] : List of downloaded files from Firefox
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite
  • Thumbnails: Folder containing the images shown when we open the “about:newtab” page.
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\thumbnails
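
The .jsonlz4 files listed above (bookmark backups and session data) are not plain JSON, so a text viewer shows nothing useful. The following is an added example, not code from the original article: a standard-library decoder that assumes the mozLz4 container layout (8-byte `mozLz40\0` magic, little-endian 32-bit decompressed size, one LZ4 block). Function names and the sample file are constructed for illustration.

```python
import json
import struct

MAGIC = b"mozLz40\0"  # 8-byte magic, then uint32 LE output size, then one LZ4 block

def _length(src, i, nibble):
    """A 4-bit length of 15 continues in extra bytes until one is below 255."""
    n = nibble
    while nibble == 15:
        n += src[i]
        nibble = 15 if src[i] == 255 else 0
        i += 1
    return n, i

def lz4_block_decompress(src, size):
    out, i = bytearray(), 0
    try:
        while i < len(src):
            token = src[i]
            lit_len, i = _length(src, i + 1, token >> 4)
            out += src[i:i + lit_len]
            i += lit_len
            if i >= len(src):
                break  # the final sequence carries literals only
            offset = src[i] | src[i + 1] << 8
            match_len, i = _length(src, i + 2, token & 0x0F)
            if not 0 < offset <= len(out) or len(out) + match_len + 4 > size:
                raise ValueError("corrupt match in LZ4 block")
            for _ in range(match_len + 4):  # byte-wise, since a match may overlap itself
                out.append(out[-offset])
    except IndexError:
        raise ValueError("truncated LZ4 block") from None
    if len(out) != size:
        raise ValueError("decompressed size does not match the header")
    return bytes(out)

def read_mozlz4(data):
    """Decode the bytes of a .jsonlz4 file into the JSON value it holds."""
    if data[:8] != MAGIC:
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack_from("<I", data, 8)
    return json.loads(lz4_block_decompress(data[12:], size))

def sample_file():
    """Constructed file with simplified JSON (not the real session schema)."""
    tab = b'{"url":"https://example.com/"}'
    head, tail = b'{"windows":[{"tabs":[' + tab + b',', b'],"selected":2}]}'
    block = (bytes([0xFF, len(head) - 15]) + head + struct.pack("<H", len(tab) + 1)
             + bytes([len(tab) - 19, 0xF0, len(tail) - 15]) + tail)
    return MAGIC + struct.pack("<I", len(head) + len(tab) + len(tail)) + block
```

On real evidence, pass the bytes of a copied sessionstore.jsonlz4 or bookmark backup to `read_mozlz4()`; the size check against the header rejects truncated or corrupted files instead of returning partial data.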

Google Chrome

  • Profile Path : Contains the profile data and the majority of the artifacts.
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
  • Navigation History + Downloads + Search History [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\History
  • Cookies [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cookies
  • Cache [Multiple Types]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cache
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cache
  • Bookmarks [JSON]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Bookmarks
  • Form History [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data
  • Favicons [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Favicons
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Favicons
  • Logins [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data
  • Sessions Data
- Current Sessions / Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs
- Last (Previous) Sessions / Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs
  • Addons + Extensions [Folders]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\
  • Thumbnails [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Top Sites
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Thumbnails (Older versions)
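
Both Firefox's places.sqlite and Chrome's History file are SQLite databases, but they use different tables and different timestamp epochs. The following is an added example, not code from the original article, that builds a UTC visit timeline from either one. The table and column names come from the browsers' schemas rather than from this page, and the function names and sample rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Both browsers store microseconds, but count from different epochs.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome "History"
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox "places.sqlite"

QUERIES = {
    "chrome": ("SELECT v.visit_time, u.url, u.title FROM visits v "
               "JOIN urls u ON u.id = v.url ORDER BY v.visit_time", WEBKIT_EPOCH),
    "firefox": ("SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
                "JOIN moz_places p ON p.id = h.place_id ORDER BY h.visit_date", UNIX_EPOCH),
}

def open_evidence(path):
    """Open a copy of the database read-only so the query cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def detect_browser(conn):
    """Identify the schema from its table names rather than from the file name."""
    tables = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    if {"urls", "visits"} <= tables:
        return "chrome"
    if {"moz_places", "moz_historyvisits"} <= tables:
        return "firefox"
    raise ValueError("not a Chrome History or Firefox places.sqlite database")

def history_timeline(conn):
    """Return (UTC timestamp, url, title) for every visit, oldest first."""
    sql, epoch = QUERIES[detect_browser(conn)]
    return [((epoch + timedelta(microseconds=ts)).isoformat(), url, title)
            for ts, url, title in conn.execute(sql)]

def sample_db(browser):
    """Constructed sample data, reduced to the columns queried above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript({
        "chrome": """CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
            INSERT INTO urls VALUES (1, 'https://example.com/', 'Example');
            INSERT INTO visits VALUES (1, 1, 13245120000000000);""",
        "firefox": """CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
            INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Sample');
            INSERT INTO moz_historyvisits VALUES (1, 1, 1600650000000000);""",
    }[browser])
    return conn
```

On a case, point `open_evidence()` at a copy of the file taken from the image rather than at the live profile, and pass the connection to `history_timeline()`.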

Microsoft Edge

  • Profile Path
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC
  • History + Cookies + Downloads [ESE Database]
C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  • Settings + Bookmarks + Reading List [ESE Database]
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
  • Cache
C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\#!XXX\MicrosoftEdge\Cache
  • Sessions
- Last Active Session
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Internet Explorer [Coming Soon]

Opera [Coming Soon]

Safari [Coming Soon]

Tools

Now that we’ve seen the different artifacts that we can collect from a forensics point of view, let’s take a look at some of the tools that can help us make sense of this data.

Resources

Below are some resources to read up more about these artifacts and browser forensics in general.

Thanks for reading.

I’ll be updating and adding more artifacts from other browsers periodically as I learn more about them. So please look forward to it.

If you have any suggestions or comments about anything mentioned here, please feel free to hit me on Twitter @nas_bench
