Web Browsers Forensic Artifacts

Mehrnoush
Aug 25, 2022

At least one browser is installed on each system; therefore, when you have a case to solve, you can rely on the data stored by the browser as evidence. People use web browsers for many tasks, such as web surfing, reading books, and interacting with local or remote web applications. Each of these activities leaves a footprint that may help complete the puzzle and solve the case.

Web Browser Forensics

Browsers keep track of this activity and store it in several places on disk. So, there is a chance to extract valuable information and recover some deleted artifacts. This post briefly lists the paths of these sources of evidence.

[Figure: My cheatsheet]

Unfortunately, I could not upload a high-quality image here. If you want a high-quality picture, just email me or send a direct message on social media.

Firefox

Which interesting artifacts can be found in Firefox?

[Figure: Mozilla Firefox cheatsheet]

Which one contains factual answers to 5WH questions?

[Figure: Some Firefox artifacts needed to answer the 5WH questions]

Firefox stores important artifacts in SQLite databases.

[Figure: Some database files]

As you can see in the picture above, Firefox stores the cache in neither SQLite nor JSON.

History

  • History

Windows XP

%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[ProfileID].default\places.sqlite

Windows 7/8/10

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\places.sqlite

Form History

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite

Bookmarks backups

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups

  • Cookies

Windows XP

%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[ProfileID].default\cookies.sqlite

Windows 7/8/10

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\cookies.sqlite

  • Cache

Windows XP

%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\[ProfileID].default\Cache

Windows 7/8/10

%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\[ProfileID].default\Cache

  • Session Restore

Windows 7/8/10

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\sessionstore.js

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore-backups

  • Addons

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite

Extensions

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite

  • Credentials

-Logins

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json

-Passwords

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db

Older version:

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key3.db

-Downloads

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite

Thumbnails

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite

Chrome

Which interesting artifacts can be found in Chrome?

[Figure: cheatsheet]

Which one contains factual answers to 5WH questions?

  • History
Artifacts may be found in History and Archived History.

Windows XP

%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\History

Windows 7/8/10

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History

Form History

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Web Data

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data

  • Cookies
[Figure: Cookies as source of evidence]

Windows XP

%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\

Windows 7/8/10

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\

Cache

[Figure: Chrome Cache as a source of evidence]

Windows XP

%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\ — data_# and f_######

Windows 7/8/10

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ — data_# and f_######

Preferences

[Figure: Preferences]

Session Restore

Windows 7/8/10

Current Sessions

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Current Session

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Current Tabs

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs

Previous Sessions

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Last Session

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Last Tabs

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs

  • Credentials

Logins

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data

Extensions

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Extensions

Edge

Which interesting artifacts can be found in Edge?

[Figure: Cheatsheet]

Which one contains factual answers to 5WH questions?

  • History
[Figure: Chrome/Edge History Downloads as a source of evidence]

Histories, Cookies and Downloads

%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Settings, Bookmarks and Reading List

%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxx\DBStore\spartan.edb

Sessions

Last Active Session

%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\MicrosoftEdge\User\Default\Recovery\Active

  • Cache

%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\<identifier>\MicrosoftEdge\Cache

  • Cookies

%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\<identifier>\Microsoft\Edge\Cookies\XXXXXXXX.cookie

IE

Which interesting artifacts can be found in IE?

[Figure: Cheatsheet]

Which one contains factual answers to 5WH questions?

  • History

IE6–7

%USERPROFILE%\Local Settings\History\History.IE5

IE8–9

%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

IE10–11

%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5

  • Session Restore

Windows 7/8/10

%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\Recovery

  • Cache

IE8–9

%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

IE10

%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

IE11

%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE

  • Cookies

IE9–10

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies

IE11

%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies

  • WebStorage

%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore

Summary

After obtaining the evidence mentioned above, you can analyze it using SQLite browser and ESE Viewer. Finding the relationships between different sources may help solve the case. Because of the dynamic nature of web browsers, developing software that covers all of these sources is challenging. Sometimes, working directly with the files and databases is not a bad idea. However, the mindmap I drew with Xmind software provides some valuable tools.
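As an added example (not part of the original post), the Python code below works directly with the databases: it opens working copies of Firefox `places.sqlite` and Chrome `History` read-only, converts each browser's visit timestamps to UTC, and merges them into one timeline so the two sources can be related. The table and column names are the ones these databases use; the sample databases, URLs and helper names are constructed for illustration.

```python
import os, sqlite3, tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Both browsers store visit times as microseconds, but from different epochs.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox (PRTime)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome
SOURCES = {
    "firefox": (UNIX_EPOCH, "SELECT v.visit_date, p.url FROM moz_historyvisits v "
                            "JOIN moz_places p ON p.id = v.place_id"),
    "chrome": (WEBKIT_EPOCH, "SELECT v.visit_time, u.url FROM visits v "
                             "JOIN urls u ON u.id = v.url"),
}

def read_visits(browser, db_path):
    """Return [(utc_datetime, browser, url)] from a working copy of a history DB."""
    epoch, query = SOURCES[browser]
    # mode=ro makes SQLite refuse writes to the evidence copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        return [(epoch + timedelta(microseconds=ts), browser, url)
                for ts, url in con.execute(query) if ts]

def build_timeline(paths):
    """Merge visits from every browser into one chronologically sorted list."""
    rows = [r for browser, p in paths.items() for r in read_visits(browser, p)]
    return sorted(rows)

def make_sample(folder):
    """Constructed sample databases holding only the columns queried above."""
    paths = {"firefox": os.path.join(folder, "places.sqlite"),
             "chrome": os.path.join(folder, "History")}
    scripts = {
        "firefox": """CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT);
            CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INT, visit_date INT);
            INSERT INTO moz_places VALUES (1, 'https://example.org/report.pdf');
            INSERT INTO moz_historyvisits VALUES (1, 1, 1661421600000000);""",
        "chrome": """CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT);
            CREATE TABLE visits(id INTEGER PRIMARY KEY, url INT, visit_time INT);
            INSERT INTO urls VALUES (1, 'https://example.com/upload');
            INSERT INTO visits VALUES (1, 1, 13305895500000000);""",
    }
    for browser, sql in scripts.items():
        with closing(sqlite3.connect(paths[browser])) as con:
            con.executescript(sql)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        for when, browser, url in build_timeline(make_sample(folder)):
            print(when.isoformat(), browser, url)
```

On a real case, pass `build_timeline` the paths of the copied `places.sqlite` and `History` files instead of the constructed samples.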

This post will be updated soon and cover the web browser artifacts on Linux and Mac OS.
