
Browser Info



Created: 12.10.2020

Many browsers are based on the Chromium engine, which is why they have similar artifacts: Chrome, Opera, the new Edge, Brave, Vivaldi. There are also lots of Electron applications that share some artifacts with them. Chrome is the point of convergence for all these applications. At Magnet Summit it was suggested to explore and learn Chrome and its artifacts, as well as common OS artifacts, due to its popularity and the reuse of some of its components. Electron is a framework for building cross-platform applications: you create a web application that can be used as a desktop one (implementing both back end and front end). The back end is Node.js and the front end is Chrome, so a lot of artifacts can be shared with Chrome and its relatives. It's in wide use. For example, ⚠️ WhatsApp and Skype use it.

On Windows hiberfil.sys, pagefile.sys and swapfile.sys can also be used to retrieve this evidence from “RAM-on-disk”. Belkasoft EC can parse these files for browser artifacts.

Firefox

🛠 Tools: Web Historian (dat, cookies and tmp), Firefox Forensics (cookies, download list and history), NetAnalysis 💰 (history), CacheBack (cookies and history), Encase 💰 (cookies, history and bookmarks), FTK 💰 (cookies, history and bookmarks), Autopsy (cookies, history and bookmarks).

Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\places.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\downloads.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\formhistory.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\signons.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\webappstore.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\favicons.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\addons.sqlite*
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\search.sqlite*

Most information is stored here: C:\Documents and Settings\%Username%\Application Data\Mozilla\Firefox (Windows XP), C:\Users\%Username%\AppData\Roaming\Mozilla\Firefox\Profiles\%Profile%.default (Windows Vista+), /Library/Application Support/Firefox/Profiles (macOS), .mozilla/firefox/ (Linux). Use any SQLite DB viewer or any forensic platform to examine the *.default files. These profiles contain user activity such as searches, bookmarks, tabs etc.

| Artifact | Information |
| --- | --- |
| Localstore.rdf | No real value for the examiner here, since it contains customized data on the interface. Can be cleared in the GUI with the “Reset toolbars and controls” option. [1] |
| addons.json | I think the file name speaks for itself. It contains all the data for installed addons. |

Chrome

Most information is stored here: C:\Documents and Settings\%Username%\Local Settings\Application Data\Google\Chrome (Windows XP), C:\Users\%Username%\AppData\Local\Google\Chrome. On a Windows machine, LevelDB is stored here: C:\Users\%Username%\AppData\Local\Google\Chrome\User Data\Default\IndexedDB. This folder contains multiple folders, one for each domain, which usually have the extension leveldb. The LevelDB store for a particular domain will be found in the IndexedDB folder with a name in the form: [host with concurrent separators replaced with an underscore]_[dbid].indexeddb.leveldb. IndexedDB is just an API to use, while LevelDB is the artefact that's created when this API is used.
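As an added example (not code from the original page), the folder naming form above can be used to triage an exported IndexedDB folder and list which origins left a LevelDB store behind. The folder names and file sizes are constructed sample data, and mapping the first underscore back to "://" is an assumption about which separators were replaced.

```python
import re
import tempfile
from pathlib import Path

# Folder name form quoted on the page:
#   [host with separators replaced by "_"]_[dbid].indexeddb.leveldb
STORE_RE = re.compile(r"^(?P<host>.+)_(?P<dbid>\d+)\.indexeddb\.leveldb$")


def parse_store_name(name):
    """Split an IndexedDB folder name into origin and dbid, or return None."""
    m = STORE_RE.match(name)
    if m is None:
        return None
    # Assumption: the first "_" in the host part stands for the "://" run.
    scheme, sep, rest = m.group("host").partition("_")
    origin = f"{scheme}://{rest}" if sep else scheme
    return {"folder": name, "origin": origin, "dbid": int(m.group("dbid"))}


def inventory(indexeddb_dir):
    """List every LevelDB store under an exported IndexedDB folder."""
    rows = []
    for entry in sorted(Path(indexeddb_dir).iterdir()):
        info = parse_store_name(entry.name) if entry.is_dir() else None
        if info is None:
            continue  # stray files or folders that do not follow the form
        files = [f for f in entry.iterdir() if f.is_file()]
        info["files"] = len(files)
        info["bytes"] = sum(f.stat().st_size for f in files)
        rows.append(info)
    return rows


def build_sample(root):
    """Create a constructed IndexedDB folder tree for the demo."""
    layout = {
        "https_example.com_0.indexeddb.leveldb": {"000003.log": 10, "MANIFEST-000001": 5},
        "chrome-extension_abcdefghijklmnop_0.indexeddb.leveldb": {"000005.ldb": 32},
        "https_example.com_0.indexeddb.blob": {},  # not a LevelDB store
    }
    for folder, files in layout.items():
        (Path(root) / folder).mkdir(parents=True)
        for fname, size in files.items():
            (Path(root) / folder / fname).write_bytes(b"\0" * size)
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory(build_sample(tmp)):
            print(row)
```

Run it against a working copy of the IndexedDB folder, never the original evidence.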

C:\Users\%Username%\AppData\Local\Google\Chrome\User Data\Default\
- Bookmarks
- Cookies
- Current Session
- Current Tabs
- Favicons
- History
- Last Session
- Last Tabs
- Preferences
- Shortcuts
- Top Sites
- Bookmarks
- Visited Links
- Web Data

Tools ⚒️: Magnet AXIOM 💰, Chrome Analyser (cookies, history, download list, bookmarks), NetAnalysis 💰 (history), CacheBack (cookies and history), Autopsy (cookies, history and bookmarks), KAPE.

Edge

Tools 🛠: Belkasoft Evidence Center 💰

IE

Microsoft Internet Explorer uses a database file called ‘index.dat’ to store web history information in a format known as MS IE Cache File Format. These database files can be examined with specialised tools. [1]

Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat
Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\
Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\WebCache\
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files
Path: C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBSto
Path: C:\Users\*\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup*\DatastoreBackup\spartan.edb

On Windows 2000: C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5, C:\Documents and Settings\%username%\Local Settings\History\History.IE5, C:\Documents and Settings\%username%\Cookies.

Since Windows 7: C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5. However, IE plugins can't access it, and the OS created virtual folders for cached data that are inaccessible to the general user. Cookies: C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies and C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies\Low for low-privileged access if protected mode is enabled.

There is also some data in the registry for this browser: HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\TYPEDURLs and HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TYPEDURLs contain search terms. If autocomplete was used, the final search term will be recorded.

Tools 🛠. There is a huge amount of software capable of parsing and collecting this information. Probably all of the forensic platforms can do it; at least Autopsy and Magnet can. Free NirSoft software for web browser history parsing is also available, and Web Historian can be used too. Pasco (dat), Web Historian (dat, cookies, temp), Magnet AXIOM 💰, Index.dat Analyser (dat), NetAnalysis 💰 (history), CacheBack (cookies and history), Encase 💰 (cookies, history and bookmarks), FTK 💰 (cookies, history and bookmarks), Autopsy (cookies, history and bookmarks).

Opera

Tools 🛠: Magnet AXIOM 💰❓, NetAnalysis 💰 (history), CacheBack (cookies and history), Encase 💰 (cookies, history and bookmarks), FTK 💰 (cookies, history and bookmarks), Autopsy (cookies, history and bookmarks)❓.

On macOS:

/Users/%username%/Library/Application Support/Google/Chrome/Default
/Users/%username%/Library/Caches/Chrome/Default
/Users/%username%/Library/Application Support/Firefox/Profile
/Users/%username%/Library/Caches/Firefox/Profile
/Users/%username%/Library/Application Support/Opera/
/Users/%username%/Library/Caches/Opera/
/Users/%username%/Library/Application Support/Safari/
/Users/%username%/Library/Caches/com.apple.Safari

On Windows:

# Chrome
\Users\%username%\AppData\Local\Google\Chrome\User Data\Default
# Firefox
\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles
# Chromium
\Users\%username%\AppData\Local\*Chromium*\

Linux

Web Browsing Activity on Linux locations

• /home/%username%/.config/google-chrome/
• /home/%username%/.mozilla/Firefox/
• /home/%username%/.config/Opera/
• /home/%username%/.cache/

macOS

Safari

plutil -p "/Users/username/Library/Safari/RecentlyClosedTabs.plist" gives closed date and time

Apple Safari uses a macOS .plist file to store history under a user's home directory. [1, p. 144]

./0/root/Users/hansel.apricot/Library/Safari/History.db-lock

./0/root/Users/hansel.apricot/Library/Safari/CloudAutoFillCorrections.db-wal

./0/root/Users/hansel.apricot/Library/Safari/PerSitePreferences.db

./0/root/Users/hansel.apricot/Library/Safari/CloudAutoFillCorrections.db

./0/root/Users/hansel.apricot/Library/Safari/History.db-wal

./0/root/Users/hansel.apricot/Library/Safari/History.db-shm

./0/root/Users/hansel.apricot/Library/Safari/History.db

./0/root/Users/hansel.apricot/Library/Safari/AutoFillCorrections.db

./0/root/Users/hansel.apricot/Library/Safari/AutoFillCorrections.db-wal

./0/root/Users/hansel.apricot/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db-shm

./0/root/Users/hansel.apricot/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db-wal

./0/root/Users/hansel.apricot/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db

./0/root/Users/hansel.apricot/Library/Safari/History.db.FileSlack

./0/root/Users/hansel.apricot/Library/Safari/CloudAutoFillCorrections.db.FileSlack

./0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db-lock

./0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db

./0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db.FileSlack

./0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db-shm

./0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db-wal

./0/root/Users/hansel.apricot/Library/Safari/PerSitePreferences.db-shm

./0/root/Users/hansel.apricot/Library/Safari/PerSitePreferences.db-wal

./0/root/Users/hansel.apricot/Library/Safari/CloudTabs.db-wal

./0/root/Users/hansel.apricot/Library/Safari/CloudTabs.db-shm

./0/root/Users/hansel.apricot/Library/Safari/CloudTabs.db

Android

Chrome Browser Data

• /data/data/com.android.chrome/app_chrome/Default/Web Data
• /data/data/com.android.chrome/app_chrome/Default/Cookies
• /data/data/com.android.chrome/app_chrome/Default/Favicons
• /data/data/com.android.chrome/app_chrome/Default/History
• /data/data/com.android.chrome/cache/Cache/
• /data/data/com.android.chrome/app_chrome/Default/Top Sites
• /data/data/com.android.chrome/app_chrome/Default/Sync Data/SyncData.sqlite3
• /data/data/com.android.chrome/app_tabs/custom_tabs/
• /data/data/com.google.android.captiveportallogin/app_webview/Default/Cookies
• /data/com.android.browser/browser.db/dbdata/databases/com.android.browser/browser.db

iOS

Safari Browser Data

• /private/var/mobile/Library/History.db
• HomeDomain-Library/Safari/History.db
• /private/var/mobile/Library/Safari/CloudTabs.db
• /private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Safari/Downloads/Downloads.plist
• AppDomain-com.apple.mobilesafari/Library/Safari/Downloads/Downloads.plist

References

[1] Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 144). BCS Learning & Development Limited. Kindle Edition.