Web Browsers Forensics
When doing forensics analysis, browsers are a gold mine with the amount of information they contain.
Often the source of incidents and malware can be traced down using the artifacts found inside of browsers. From the navigation history to downloaded files, browsers are a critical piece in any forensics analysis.
In this article, we’ll talk about the different browsers available today, where each one of them stores these artifacts and how to extract, understand and make sense of them.
Browsers Artifacts
When we talk about browser artifacts we mean navigation history, bookmarks, the list of downloaded files, cache data, etc.
These artifacts are files stored inside specific folders in the operating system.
Each browser stores its files in a different place and under different names than other browsers, but they all store (most of the time) the same type of data (artifacts).
Let us take a look at the most common artifacts stored by browsers.
- Navigation History : Contains data about the navigation history of the user. Can be used to track down whether the user has visited malicious sites, for example.
- Autocomplete Data : This is the data that the browser suggests based on what you search for the most. Can be used in tandem with the navigation history to get more insight.
- Bookmarks : Self Explanatory.
- Extensions and Addons : Self Explanatory.
- Cache : When navigating websites, the browser creates all sorts of cache data (images, JavaScript files, etc.) for many reasons, for example to speed up the loading time of websites. These cache files can be a great source of data during a forensic investigation.
- Logins : Self Explanatory.
- Favicons : They are the little icons found in tabs, URLs, bookmarks and the like. They can be used as another source to get more information about the websites or places the user visited.
- Browser Sessions : Self Explanatory.
- Downloads : Self Explanatory.
- Form Data : Anything typed inside forms is often stored by the browser, so the next time the user enters something inside a form the browser can suggest previously entered data.
- Thumbnails : Self Explanatory.
With that said, let us dive right in.
Mozilla Firefox
- Profile Path : Contains the profile data and the majority of the artifacts.
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\
- Navigation History + Bookmarks [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\places.sqlite
- Bookmarks Backups [Folder / .jsonlz4 Files]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups\
- Cookies [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\cookies.sqlite
- Cache [Multiple Types Of Data]
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\cache2\entries
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\startupCache
- Form History [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite
- Addons + Extensions [SQLite Database] : Contains data about the installed addons in the browser.
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite
- Favicons [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\favicons.sqlite
- Settings And Preferences
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\prefs.js
- Logins + Passwords [JSON File]
  - Logins
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json
  - Passwords
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key3.db (Older Version)
- Sessions Data [jsonlz4 File] : A file that contains data about the current session (tabs and websites opened).
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore.jsonlz4
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore-backups\
- Downloads [SQLite Database] : List of downloaded files from Firefox
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite
- Thumbnails: Folder containing the images shown when we open the “about:newtab” page.
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\thumbnails
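The bookmark backups and session store listed above are Firefox "mozLz4" files: an 8-byte magic "mozLz40\0", a 4-byte little-endian decompressed size, then a single raw LZ4 block. The reader below is an added example, not code from this article or from Mozilla; it decodes the block with the standard library only, validates the size the header promises, and the embedded sample blob is a hand-constructed block rather than a real profile file.

```python
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"  # Firefox prefixes every .jsonlz4/.mozlz4 body with this

def _extend(src, i, length):
    # LZ4 length encoding: a nibble of 15 means more length bytes follow, each added
    # to the total, until one byte is smaller than 255.
    while True:
        length += src[i]
        i += 1
        if src[i - 1] != 255:
            return i, length

def lz4_block_decompress(src, expected_size):
    # Raw LZ4 block (no frame): token byte (literal length in the high nibble, match
    # length - 4 in the low nibble), literals, then a 2-byte little-endian offset to
    # copy already-decoded bytes from. The final sequence carries literals only.
    out, i, n = bytearray(), 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:
            i, lit_len = _extend(src, i, lit_len)
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt block: match offset outside decoded data")
        match_len = (token & 0x0F) + 4
        if token & 0x0F == 15:
            i, match_len = _extend(src, i, match_len)
        start = len(out) - offset
        for k in range(match_len):  # byte by byte: overlapping matches are legal in LZ4
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError(f"header promised {expected_size} bytes, decoded {len(out)}")
    return bytes(out)

def read_mozlz4(data):
    # Header: 8-byte magic, then the decompressed size as a 4-byte little-endian integer.
    if data[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozLz40 file")
    (size,) = struct.unpack("<I", data[8:12])
    return json.loads(lz4_block_decompress(data[12:], size))

# Constructed sample: a hand-encoded block that decodes to {"a":"xxxxxxxxxxxxxxxx","v":1}
SAMPLE_MOZLZ4 = MOZLZ4_MAGIC + struct.pack("<I", 30) + b'\x7b{"a":"x\x01\x00\x80","v":1}'
```

Pass the bytes of a sessionstore.jsonlz4 or bookmarkbackups file to read_mozlz4() to get the decoded JSON as a Python object.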
Google Chrome
- Profile Path : Contains the profile data and the majority of the artifacts.
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
- Navigation History + Downloads + Search History [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\History
- Cookies [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cookies
- Cache [Multiple Types]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cache
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cache
- Bookmarks [JSON]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Bookmarks
- Form History [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data
- Favicons [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Favicons
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Favicons
- Logins [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data
- Sessions Data
  - Current Sessions / Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs
  - Last (Previous) Sessions / Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs
- Addons + Extensions [Folders]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\
- Thumbnails [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Top Sites
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Thumbnails (Older versions)
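Firefox's places.sqlite and Chrome's History database (both listed above) record visit times in different epochs: Firefox as PRTime, microseconds since 1970-01-01 UTC, and Chrome as WebKit time, microseconds since 1601-01-01 UTC, so the raw integers cannot be compared directly. The script below is an added example, not the article's own code: it queries both databases with the standard library, converts each timestamp to UTC and merges the visits into one timeline; the table and column names are those of the real databases, while the two in-memory databases are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def firefox_time(prtime_us):
    # places.sqlite stores PRTime: microseconds since the Unix epoch, in UTC.
    return UNIX_EPOCH + timedelta(microseconds=prtime_us)

def chrome_time(webkit_us):
    # Chrome's History stores WebKit time: microseconds since 1601-01-01, in UTC.
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)

def firefox_visits(conn):
    # One row per visit (moz_historyvisits), joined to the URL record (moz_places).
    sql = ("SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
           "JOIN moz_places p ON p.id = v.place_id")
    return [(firefox_time(t), "firefox", u, ti) for t, u, ti in conn.execute(sql)]

def chrome_visits(conn):
    # In Chrome the visits.url column is a foreign key into urls.id.
    sql = "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url"
    return [(chrome_time(t), "chrome", u, ti) for t, u, ti in conn.execute(sql)]

def timeline(firefox_conn, chrome_conn):
    # Merge both browsers into one chronological list of (iso_time, browser, url, title).
    rows = sorted(firefox_visits(firefox_conn) + chrome_visits(chrome_conn))
    return [(ts.isoformat(), b, u, ti) for ts, b, u, ti in rows]

def build_sample_databases():
    # Constructed in-memory stand-ins for places.sqlite and History, with only the
    # columns the queries above touch; the real files carry many more.
    ff = sqlite3.connect(":memory:")
    ff.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1583064000000000);  -- 2020-03-01 12:00:00 UTC
    """)
    ch = sqlite3.connect(":memory:")
    ch.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.net/dl', 'Download');
        INSERT INTO visits VALUES (1, 1, 13227537900000000);  -- same day, 12:05:00 UTC
    """)
    return ff, ch
```

On a real system, run timeline() against copies of the database files (or open them with a read-only URI): the live files are locked while the browser is running and must not be modified during an investigation.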
Microsoft Edge
- Profile Path
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC
- History + Cookies + Downloads [ESE Database]
C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
- Settings + Bookmarks + Reading List [ESE Database]
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
- Cache
C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\#!XXX\MicrosoftEdge\Cache
- Sessions
  - Last Active Session
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active
Internet Explorer [Coming Soon]
Opera [Coming Soon]
Safari [Coming Soon]
Tools
Now that we’ve seen the different artifacts that we can collect from a forensics point of view, let’s take a look at some of the tools that can help us make sense of this data.
- DB Browser for SQLite (Open “.sqlite” files)
- Nirsoft Web Browsers Tools (Contains a multitude of tools to open cache files, cookies and history data)
- BrowsingHistoryView
- ESEDatabaseView
- Session History Scrounger for Firefox (Opens “.jsonlz4” files)
- Sysinternals Strings
- OS Forensics
- Magnet IEF (Internet Evidence Finder)
- Browser History Viewer
- Browser History Examiner (Free Trial)
- Hindsight
- libesedb (Library to access the Extensible Storage Engine (ESE) Database File (EDB) format)
- Web Browser Addons View (Use to view installed extensions and addons)
- The LaZagne Project
- firepwd.py (open source tool to decrypt Mozilla protected passwords)
- Firefox Search Engine Extractor (Open ‘search.json.mozlz4’ files)
- Firefox Bookmark Backup Reader/Decompressor (Open ‘.jsonlz4’ files)
Resources
Below are some resources to read up more about these artifacts and browser forensics in general.
- Mozilla Firefox Forensics
- Mozilla Firefox Forensics — Usage of Sqlite File in Investigation
- Mozilla Firefox Cache Folder Analysis
- AN OVERVIEW OF WEB BROWSER FORENSICS
- Digital Forensics: Artifact Profile — Google Chrome
- Windows 10 — Microsoft Edge Browser Forensics
Thanks for reading.
I’ll be updating and adding more artifacts from other browsers periodically as I learn more about them. So please look forward to it.
If you have any suggestions or comments about anything mentioned here please feel free to hit me on twitter @nas_bench