There is at least one browser installed on every system, so when you have a case to solve, you can rely on the data the browser stores as a piece of evidence. People use web browsers for a lot of work, such as web surfing, book reading, and interacting with local or remote web applications. Each activity leaves a footprint that may help complete the puzzle and solve the case.
Browsers track these activities and store the records in several places on disk, so there is a chance to extract valuable information and recover some deleted artifacts. This post briefly lists the paths of these sources of evidence.
Unfortunately, I could not upload a high-quality image here. If you want a high-quality picture, just email me or send a direct message on social media.
Firefox
Which interesting artifacts can be found in Firefox?
Which one contains factual answers to 5WH questions?
Firefox stores important artifacts in SQLite databases.
As you can see in the picture above, Firefox stores its cache in neither SQLite nor JSON.
- History
Windows XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[ProfileID].default\places.sqlite
Windows 7/8/10
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\places.sqlite
Form History
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\formhistory.sqlite
Bookmarks backups
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\bookmarkbackups
- Cookies
Windows XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[ProfileID].default\cookies.sqlite
Windows 7/8/10
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\cookies.sqlite
- Cache
Windows XP
%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\[ProfileID].default\Cache
Windows 7/8/10
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\[ProfileID].default\Cache
- Session Restore
Windows 7/8/10
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\sessionstore.js
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\sessionstore-backups
- Addons
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\addons.sqlite
Extensions
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\extensions.sqlite
- Credentials
- Logins
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\logins.json
- Passwords
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\key4.db
Older version:
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\key3.db
- Downloads
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\downloads.sqlite
Thumbnails
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\[ProfileID].default\downloads.sqlite
Chrome
Which interesting artifacts can be found in Chrome?
Which one contains factual answers to 5WH questions?
- History
Windows XP
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\History
Windows 7/8/10
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Form History
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Web Data
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data
- Cookies
Windows XP
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\
Windows 7/8/10
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\
Cache
Windows XP
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\ — data_# and f_######
Windows 7/8/10
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ — data_# and f_######
Preferences
Session Restore
Windows 7/8/10
Current Sessions
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Current Session
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs
Previous Sessions
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Last Session
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs
- Credentials
Logins
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data
Extensions
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Extensions
Edge
Which interesting artifacts can be found in Edge?
Which one contains factual answers to 5WH questions?
- History
Histories, Cookies and Downloads
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Settings, Bookmarks and Reading List
%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxx\DBStore\spartan.edb
Sessions
Last Active Session
%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\MicrosoftEdge\User\Default\Recovery\Active
- Cache
%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\<identifier>\MicrosoftEdge\Cache
- Cookies
%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_<appid>\AC\<identifier>\Microsoft\Edge\Cookies\XXXXXXXX.cookie
IE
Which interesting artifacts can be found in IE?
Which one contains factual answers to 5WH questions?
- History
IE6–7
%USERPROFILE%\Local Settings\History\History.IE5
IE8–9
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
IE10–11
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
- Session Restore
Windows 7/8/10
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\Recovery
- Cache
IE8–9
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
IE10
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
IE11
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE
- Cookies
IE9–10
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
IE11
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
- WebStorage
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
Summary
After obtaining the evidence mentioned above, you can analyze it with an SQLite browser and ESE Viewer. Finding the relationships between different sources may help solve the case. Because of the dynamic nature of web browsers, developing software that covers all of these sources is challenging, so sometimes working directly with the files and databases is not a bad idea. However, the mind map I drew with Xmind provides some valuable tools.
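As an illustration of working directly with the databases, the following added example (not part of the original post) reads visit history from a copy of Firefox's places.sqlite and converts its microsecond timestamps to UTC. The function names are hypothetical and the sample database is constructed here with only the columns the query needs; the table and column names are those of the places.sqlite schema.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# moz_historyvisits.visit_type values (how the page was reached)
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 9: "reload"}

def prtime_to_utc(prtime):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    if prtime is None:
        return None
    return (EPOCH + timedelta(microseconds=prtime)).isoformat()

def read_history(db_path):
    """Return (utc_time, url, title, how) for every visit, oldest first."""
    # mode=ro: never write to evidence. Point this at a working copy and
    # copy places.sqlite-wal with it, since recent visits may still be there.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT v.visit_date, p.url, p.title, v.visit_type "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "ORDER BY v.visit_date").fetchall()
    finally:
        con.close()
    return [(prtime_to_utc(d), u, t, VISIT_TYPES.get(vt, str(vt)))
            for d, u, t, vt in rows]

def build_sample(db_path):
    """Constructed sample: only the columns of the two tables queried above."""
    con = sqlite3.connect(str(db_path))
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/login', 'Login');
        INSERT INTO moz_places VALUES (2, 'https://example.com/report.zip', NULL);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1700000000000000, 2);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1700000060500000, 7);
    """)
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "places.sqlite"
        build_sample(sample)
        for visit in read_history(sample):
            print(visit)
```

The visit type separates URLs the user typed from links followed and downloads started, which helps when relating history entries to the other artifacts listed above.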
This post will be updated soon and cover the web browser artifacts on Linux and Mac OS.