Browser forensics shows up in lots of investigations: insider threat, data exfiltration, phishing analysis, and more.
Chrome, Edge, and Firefox all store their artifacts as SQLite databases, which means the analysis methodology is consistent once one knows the schema.
Here's a breakdown of where the databases live, what tables matter, and how to extract them:
Google Chrome
Profile directory: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\
(Multi-profile installs use Profile 1, Profile 2, etc. instead of Default)
| Artifact | File Path | Key Table / Notes |
|---|---|---|
| Browsing History | Default\History | urls, visits tables; timestamps in WebKit epoch (microseconds since 1601-01-01) |
| Downloads | Default\History | downloads, downloads_url_chains tables; records full local save path |
| Cookies | Default\Network\Cookies | cookies table; values encrypted with DPAPI on Windows |
| Cache | Default\Cache\Cache_Data\ | Binary cache blocks; use ChromeCacheView (NirSoft) to parse |
| Bookmarks | Default\Bookmarks | JSON format; no SQLite needed |
| Login Data | Default\Login Data | logins table; passwords DPAPI-encrypted |
| Web Data | Default\Web Data | Autofill, form data, credit card metadata (no raw PAN) |
| Favicons | Default\Favicons | icon_mapping table; can reveal sites visited even if history was cleared |
| Sessions / Tabs | Default\Sessions\ | SNSS format; use ChromeSessionParser |
| Extensions | Default\Extensions\ | Subdirectories per extension ID; check manifests for suspicious permissions |
Timestamp note: Chrome uses WebKit time (microseconds since January 1, 1601). To convert: subtract 11644473600000000 microseconds to get Unix epoch. Most tools handle this automatically, but knowing the raw format matters when you're writing custom queries.
Microsoft Edge (Chromium)
Profile directory: C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\
Edge Chromium uses the same underlying SQLite schema as Chrome — identical table names, identical timestamp format. The only differences are the profile path and some Edge-specific databases:
| Artifact | File Path | Notes |
|---|---|---|
| History | Default\History | Identical schema to Chrome |
| Cookies | Default\Network\Cookies | DPAPI encrypted |
| Collections | Default\Collections\collectionsSQLite | Edge-specific "Collections" feature; tracks saved web content |
| Edge Shopping | Default\EdgeShopping\ | Coupons, price comparisons — can reveal purchasing intent |
Mozilla Firefox
Profile directory: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile-id>.default-release\
The profile ID is a random alphanumeric string. List all profiles by reading C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\profiles.ini.
| Artifact | File Path (relative to profile dir) | Key Table / Notes |
|---|---|---|
| Browsing History | places.sqlite | moz_places, moz_historyvisits; timestamps in microseconds since Unix epoch |
| Downloads | places.sqlite | moz_annos with annotation type downloads/ |
| Bookmarks | places.sqlite | moz_bookmarks table |
| Cookies | cookies.sqlite | moz_cookies; stored in plaintext (unlike Chrome) |
| Form History / Autofill | formhistory.sqlite | moz_formhistory table |
| Login Data | logins.json + key4.db | Passwords encrypted with NSS; key4.db holds the decryption key |
| Cache | cache2\entries\ | Binary format; use MozillaCacheView (NirSoft) |
| Session Restore | sessionstore-backups\ | JSON files; records open tabs and history at time of last session |
| Extensions | extensions.json | JSON; list of installed add-ons with installation date |
Analysis Methods
Direct SQLite querying: DB Browser for SQLite lets you open these databases directly and run custom queries.
Example query for Chrome — URLs visited in a specific time range:
SELECT urls.url, urls.title, datetime((visits.visit_time/1000000)-11644473600, 'unixepoch') AS visit_time
FROM visits
JOIN urls ON visits.url = urls.id
WHERE visits.visit_time BETWEEN 13370000000000000 AND 13380000000000000
ORDER BY visits.visit_time ASC;
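The timestamp note from the Chrome section and the query above, as an added worked example (not code from the original post) in Python: it runs the same query, with the hard-coded bounds turned into parameters, against a constructed in-memory stand-in for the urls/visits schema, and includes a Firefox converter for comparison since places.sqlite already counts from the Unix epoch. Table and column names are the real ones from the post; the sample URLs and visit times are made up.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the WebKit epoch (1601-01-01) and the Unix epoch (1970-01-01).
# Chrome/Edge store visit_time as microseconds since 1601; Firefox uses microseconds since 1970.
WEBKIT_EPOCH_OFFSET_S = 11644473600
US = 1_000_000

def webkit_to_iso(webkit_us: int) -> str:
    """Chrome/Edge visit_time (WebKit microseconds) -> 'YYYY-MM-DD HH:MM:SS' in UTC."""
    unix_s = (webkit_us - WEBKIT_EPOCH_OFFSET_S * US) / US
    return datetime.fromtimestamp(unix_s, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def firefox_to_iso(visit_date_us: int) -> str:
    """Firefox moz_historyvisits.visit_date (Unix microseconds) -> 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.fromtimestamp(visit_date_us / US, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def iso_to_webkit(iso: str) -> int:
    """Readable UTC timestamp -> raw WebKit value, i.e. what a WHERE clause on visit_time needs."""
    dt = datetime.strptime(iso, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (int(dt.timestamp()) + WEBKIT_EPOCH_OFFSET_S) * US

# The post's query with the hard-coded bounds replaced by bind parameters.
HISTORY_QUERY = """
SELECT urls.url, urls.title,
       datetime((visits.visit_time / 1000000) - 11644473600, 'unixepoch') AS visit_time
FROM visits JOIN urls ON visits.url = urls.id
WHERE visits.visit_time BETWEEN ? AND ?
ORDER BY visits.visit_time ASC"""

def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's History DB, reduced to the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);""")
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://example.com/login", "Sign in"),
        (2, "https://example.net/q3-report.xlsx", "Q3 report")])
    conn.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)", [
        (1, iso_to_webkit("2024-09-01 09:15:00")),
        (2, iso_to_webkit("2024-09-14 17:42:30")),
        (1, iso_to_webkit("2024-10-03 08:00:00"))])  # constructed visit outside the September window
    conn.commit()
    return conn

def visits_between(conn: sqlite3.Connection, start_iso: str, end_iso: str) -> list:
    """Run HISTORY_QUERY for a UTC window; returns (url, title, 'YYYY-MM-DD HH:MM:SS') rows."""
    return conn.execute(HISTORY_QUERY, (iso_to_webkit(start_iso), iso_to_webkit(end_iso))).fetchall()
```

Point sqlite3.connect at a copy of a real History file instead of build_sample_history() and the same visits_between call works unchanged.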
Automated parsing tools:
- Hindsight — Chrome/Chromium-focused; outputs timeline CSV, JSON, or XLSX. Handles Chrome's evolving schema versions well.
- Browser History Viewer — free GUI tool supporting Chrome, Firefox, Edge, IE, Safari
- Browser Reviewer — portable tool for analyzing user activity across Firefox and Chrome-based browsers
- KAPE with the BrowserArtifacts compound target — collects all browser profile directories in one triage pass
Anti-Forensic Considerations
A few things to keep in mind when browser artifacts appear clean or sparse:
- Incognito/Private mode doesn't write to the History database — but the DNS cache, Windows Event Logs (network connections), and proxy logs may still capture the activity
- History deletion removes records from urls and visits, but the Favicons database often retains entries — favicon records for visited sites persist independently and don't get purged with standard history clearing
- Cache survives many "clear history" operations depending on what checkboxes the user selected — always check the cache directory even when history is empty
- SQLite WAL files (History-wal, places.sqlite-wal) may contain recently written but not yet checkpointed records — always grab these alongside the main database
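The WAL point above, as an added demonstration (not code from the original post): it builds a constructed WAL-mode database named History, writes rows that have not been checkpointed, then copies it once without and once with its -wal file while the writing connection is still open, and counts how many rows each acquisition can see.

```python
import os
import shutil
import sqlite3
import tempfile


def wal_row_counts(n_rows: int = 25) -> tuple:
    """Return (rows visible with the main file only, rows visible with main file + -wal)
    for a constructed WAL-mode database whose inserts have not been checkpointed yet."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "History")  # stand-in for Chrome's History file
    live = sqlite3.connect(src)
    # Create the schema in the default rollback mode so the table itself lands in the main file...
    live.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    # ...then switch to WAL: from here on committed rows sit in History-wal until a checkpoint.
    live.execute("PRAGMA journal_mode=WAL")
    live.executemany("INSERT INTO urls (url) VALUES (?)",
                     [(f"https://example.com/page{i}",) for i in range(n_rows)])
    live.commit()

    # Acquisition A: only the main file collected (the gap the post warns about).
    only_main = os.path.join(work, "A")
    os.mkdir(only_main)
    shutil.copy(src, os.path.join(only_main, "History"))
    # Acquisition B: main file and -wal collected together, as recommended.
    with_wal = os.path.join(work, "B")
    os.mkdir(with_wal)
    shutil.copy(src, os.path.join(with_wal, "History"))
    shutil.copy(src + "-wal", os.path.join(with_wal, "History-wal"))

    counts = []
    for acquisition in (only_main, with_wal):
        c = sqlite3.connect(os.path.join(acquisition, "History"))
        counts.append(c.execute("SELECT COUNT(*) FROM urls").fetchone()[0])
        c.close()
    live.close()  # closing the last connection checkpoints and removes the live -wal
    shutil.rmtree(work)
    return tuple(counts)


if __name__ == "__main__":
    print(wal_row_counts())
```

The same applies to Firefox's places.sqlite-wal; the main file alone can look empty or stale while the -wal holds the most recent activity.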