Browser Forensics: Examining Browser Artifacts

Digital Forensics | Jay Ravtole | March 30, 2024

Background

Web browsers are widely used to access different online platforms and services. Digital investigations pertaining to criminal cases, cybersecurity incidents, or other illicit actions require important insights into people’s online behaviour, which can be obtained through the analysis of browser artifacts. Cookies, cache files, downloaded files, and browsing histories are examples of browser artifacts that can be very useful as evidence in court. They can support the creation of a timeline of events, substantiate claims or alibis, and set other digital evidence in context. In the event of a security breach or cyberattack, examining browser data can help incident response teams understand how the attack happened, what data may have been compromised, and whether the attacker left any evidence.

Browsers are a valuable resource for forensics investigation due to the amount of data they carry.

Using the artifacts found inside browsers, it is frequently possible to identify the origin of incidents and malware. A browser’s history and downloaded files are essential components of any forensics investigation.

This post will discuss the various modern browsers that are available, where these artifacts are stored, and how to extract, recognize, and make sense of them.

Browser Artifacts

Browser artifacts include things like bookmarks, navigation history, downloaded file lists, cache data, and more. These artifacts are files kept in particular operating system directories.

Although the locations and titles of each browser’s files vary from one another, all of them (for the most part) store the same kinds of data (artifacts).

Let’s examine the most common objects that browsers save.

  • Navigation History: Contains data about the user’s navigation history. Can be used to track down whether the user has visited some dangerous sites, for example.
  • Autocomplete Data: This is the info that the browser suggests based on the most frequently searched keywords. Can be used combined with the navigation history to gain more understanding.
  • Bookmarks: A bookmark is a web browser feature used to save a website’s URL address for future reference. Bookmarks save user and browser time, which is especially useful for Web pages with long URLs or accessing a specific part of the site that might not be the homepage for the site.
  • Extensions and Add-ons: “Extensions,” sometimes also called “add-ons,” are an individual and optional supplement to an existing computer program. They are not stand-alone applications – they only work together with the primary software program.
  • Cache: The browser generates cache data, such as photos and JavaScript files, for many reasons while browsing websites, for example to improve the loading time of web pages. These cache files can be a valuable source of information during forensic investigations.
  • Favicons: They are the small icons that appear in tabs, URLs, bookmarks, and so forth. They can be utilized as an additional source of information about the website or locations visited.
  • Browser Sessions: A session is the mechanism for recognizing multiple requests from the same browser. It also supports maintaining Web application state across multiple Web interactions within the same browser instance and with the Web server.
  • Form Data: Anything typed inside forms is frequently saved by the browser, so the next time the user submits something inside a form, the browser can recommend previously entered material.
  • Thumbnails: Website thumbnails are small images that are associated with a website and are usually displayed in the browser’s address bar, bookmarks, or tabs. They can also be used in search results on some search engines.

Mozilla Firefox

Firefox is one of the most popular open source browsers. It runs on all platforms and is developed by the Mozilla Foundation.

A few salient features offered by Firefox –

  • More secure
  • Own extensions
  • Advanced Incognito mode – User location tracking can be disabled

The following are the locations of the various artifacts to examine during a forensic investigation of Firefox –

1) Profile Path – This contains the majority of the artifacts and profile data of the user.

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default

2) Bookmarks + Navigation History – This is stored in SQLite Database form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\places.sqlite

3) Bookmarks Backup – This is stored in a folder

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups

4) Cookies – This is also stored in SQLite Database form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\cookies.sqlite

5) Cache

Location –

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\cache2\entries

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\startupCache

6) Form History – Stored in SQLite Database Form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite

7) Addons + Extensions – Stored in the form of Folders

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite

8) Favicons  – Stored in SQLite Database Form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\favicons.sqlite

9) Settings and Preferences

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\prefs.js

10) Logins + Password – Stored in JSON Form

Location –

Logins

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json

Passwords

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key3.db (Older Version)

11) Sessions Data – Jsonlz4 File

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore.jsonlz4

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore-backups

12) Downloads 

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite

13) Thumbnails – Stored in SQLite Database Form

Location –

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\thumbnails

Google Chrome

Google Chrome stores user profiles in specific locations based on the operating system:

  • Linux: ~/.config/google-chrome/
  • Windows: C:\Users\XXX\AppData\Local\Google\Chrome\User Data\
  • MacOS: /Users/$USER/Library/Application Support/Google/Chrome/

Within these directories, most user data can be found in the Default/ or ChromeDefaultData/ folders. The following files hold significant data:

  • History: Contains URLs, downloads, and search keywords. On Windows, ChromeHistoryView can be used to read the history. The “Transition Type” column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads.
  • Cookies: Stores cookies. For inspection, ChromeCookiesView is available.
  • Cache: Holds cached data. To inspect, Windows users can utilize ChromeCacheView.
  • Bookmarks: User bookmarks.
  • Web Data: Contains form history.
  • Favicons: Stores website favicons.
  • Login Data: Includes login credentials like usernames and passwords.
  • Current Session/Current Tabs: Data about the current browsing session and open tabs.
  • Last Session/Last Tabs: Information about the sites active during the last session before Chrome was closed.
  • Extensions: Directories for browser extensions and add-ons.
  • Thumbnails: Stores website thumbnails.
  • Preferences: A file rich in information, including settings for plugins, extensions, pop-ups, notifications, and more.
  • Browser’s built-in anti-phishing: To check if anti-phishing and malware protection are enabled, run grep 'safebrowsing' ~/Library/Application\ Support/Google/Chrome/Default/Preferences. Look for "enabled":true under the safebrowsing key in the output.
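
As an added example (not code from the original post), the sketch below merges visits from working copies of Firefox's places.sqlite and Chrome's History into one UTC timeline, converting each browser's timestamp epoch and decoding Firefox's visit type and Chrome's transition type. The tables and columns queried are those of the two history schemas; the helper names are hypothetical and the sample rows and example URLs are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # base of visits.visit_time
FIREFOX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # base of moz_historyvisits.visit_date
US = timedelta(microseconds=1)                             # both columns count microseconds
# Low byte of Chrome's visits.transition is the core type; the high bits are qualifiers.
CHROME_TYPES = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
                4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
                7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}
FIREFOX_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
                 6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload"}

def open_copy(path):
    """Open a working copy read-only; as_uri() escapes spaces such as in 'User Data'."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def chrome_visits(conn):
    q = "SELECT v.visit_time, u.url, v.transition FROM visits v JOIN urls u ON u.id = v.url"
    return [(CHROME_EPOCH + ts * US, "chrome", url, CHROME_TYPES.get(tr & 0xFF, "other"))
            for ts, url, tr in conn.execute(q)]

def firefox_visits(conn):
    q = ("SELECT h.visit_date, p.url, h.visit_type FROM moz_historyvisits h "
         "JOIN moz_places p ON p.id = h.place_id")
    return [(FIREFOX_EPOCH + ts * US, "firefox", url, FIREFOX_TYPES.get(vt, "other"))
            for ts, url, vt in conn.execute(q)]

def timeline(chrome_conn, firefox_conn):
    """Merge both browsers' visits into one list ordered by UTC time."""
    return sorted(chrome_visits(chrome_conn) + firefox_visits(firefox_conn))

def constructed_sample():
    """Constructed in-memory databases holding only the columns queried above."""
    t = datetime(2024, 3, 30, 10, 0, tzinfo=timezone.utc)
    c, f = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    c.executescript("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT);"
                    "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INT, visit_time INT, transition INT);")
    f.executescript("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT);"
                    "CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INT, visit_date INT, visit_type INT);")
    c.execute("INSERT INTO urls VALUES (1, 'https://portal.example/login')")
    # 0x30000001 = core type 1 (typed) plus the chain-start and chain-end qualifier bits
    c.executemany("INSERT INTO visits(url, visit_time, transition) VALUES (1, ?, ?)",
                  [((t - CHROME_EPOCH) // US, 0x30000001),
                   ((t + timedelta(minutes=2) - CHROME_EPOCH) // US, 7)])
    f.execute("INSERT INTO moz_places VALUES (1, 'https://files.example/tool.zip')")
    f.execute("INSERT INTO moz_historyvisits(place_id, visit_date, visit_type) VALUES (1, ?, 7)",
              ((t + timedelta(minutes=1) - FIREFOX_EPOCH) // US,))
    return c, f
```

Point open_copy() at copies of the evidence files taken together with any -wal and -shm companions rather than at the live profile, since a running browser may hold the databases locked.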

The following are the locations of the various artifacts to examine during a forensic investigation of Google Chrome –

  • Profile Path: Contains the profile data and the majority of the artifacts.

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData

  • Navigation History + Downloads + Search History [SQLite Database]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\History

  • Cookies [SQLite Database]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cookies

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cookies

  • Cache [Multiple Types]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cache

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cache

  • Bookmarks [JSON]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Bookmarks

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Bookmarks

  • Form History [SQLite Database]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Web Data

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data

  • Favicons [SQLite Database]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Favicons

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Favicons

  • Logins [SQLite Database]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data

  • Sessions Data

– Current Sessions / Tabs

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Session

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Tabs

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs

– Last (Previous) Sessions / Tabs

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Session

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Tabs

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs

  • Addons + Extensions [Folders]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\

  • Thumbnails [SQLite Database]

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Top Sites

C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Thumbnails (Older versions)

Microsoft Edge

Microsoft Edge stores user data in %userprofile%\Appdata\Local\Packages. The paths for various data types are:

  • Profile Path: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC
  • History, Cookies, and Downloads: C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  • Settings, Bookmarks, and Reading List: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
  • Cache: C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\#!XXX\MicrosoftEdge\Cache
  • Last Active Sessions: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Now that we’ve seen the different artifacts that we can collect from a forensics point of view, let’s look at some of the tools available to help us make sense of this data.

Written by: Jay Ravtole
