Analysing Web Browsers Forensic Artifacts



Browser forensics matters in digital forensics for understanding how an attack on a computer or network began and for locating the source of compromise. For example, if we examine a suspect's web browser and find that the suspect downloaded, or searched online for, steganography and encryption tools, that is a clear sign the user may have used such techniques to conceal data. The main delivery channels for malware, spyware and adware are e-mail and social networking sites, and both are usually accessed through a web browser.


Web Browser Forensic Artifacts

Throughout the process of sending, receiving, processing, and presenting data, the browser creates many artifacts on a system. Nearly all web browsers maintain the following:

  • History
  • Cookies
  • Cache
  • Sessions
  • Typed URLs
  • Favourites
  • Most visited sites
  • Screenshots
  • Form values (Searches, Autofills)
  • Downloads
  • Financial information


Difficulties of Web Browser Forensics

The following challenges may be encountered by a digital forensics examiner when analysing web browser artifacts:

  • Many browsers, lots of data
  • Encryption used to protect users' data
  • Use of Private or Incognito mode by the suspect, in which the browser does not write history, cookies or cache to disk (traces may still survive in memory, the pagefile or the hibernation file)


Forensics Analysis of Web Browser

The focus of this post is on Windows systems, so we will begin with the Windows default web browser, Internet Explorer (IE), and its new successor, Microsoft Edge.


Internet Explorer

One of the best-known browsers on the market is Internet Explorer. Internet Explorer (IE) is a closed-source web browser maintained by Microsoft; Microsoft licensed the underlying technology (Spyglass Mosaic) from Spyglass, a licensee of the NCSA Mosaic code. IE is installed by default on Windows and is typically the browser with the widest support in large enterprises.


In Windows 10, Microsoft made Microsoft Edge (code name Spartan) the default browser, keeping Internet Explorer 11 alongside it for compatibility. Edge is a lightweight browser that integrates with Cortana, so a user can open web pages or run online searches by voice alone; Microsoft also ships Edge for Android and iOS. The Edge described in the path list below is this original, EdgeHTML-based Edge. Since 2020 Edge has been rebuilt on Chromium and keeps its data in the same layout as Google Chrome, under \Users\%userprofile%\AppData\Local\Microsoft\Edge\User Data\, so on a recent Windows 10 or 11 system apply the Chrome section to it. Both Internet Explorer and Edge offer an InPrivate mode that does not store history, cookies or cache for that session.


Cookies

\Windows\Cookies\ (Windows 98) (Internet Explorer)

\Documents and Settings\Administrator\Cookies (Windows 2000, Windows XP) (Internet Explorer)

\Users\%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies (Windows 7) (Internet Explorer)

\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies (Windows 7) (Internet Explorer)

\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Internet Explorer 10+ and Microsoft Edge, Windows)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\XXXXXXXX.cookie (or XXXXXXXX.txt file) (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Microsoft\Windows\INetCookies\ (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Microsoft\Windows\INetCookies\Low\ (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!121\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\AC\INetCookies\ (Skype app, Windows)


Cache

\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Internet Explorer 10+ and Microsoft EDGE)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\xxxxxxxx\ (Microsoft EDGE)


Favourites

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb (for later versions; favourites are stored inside this ESE database) (Microsoft EDGE)

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Favorites (for early versions) (Microsoft EDGE)    


Session

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{07677C23-6987-4777-B133-5AC24BD039F5}.dat (Microsoft EDGE, Windows)


Session Recovery

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{A7D7A4FC-7458-11E6-9BCD-000C29566E3E}.dat (Microsoft EDGE)


Downloads

\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Internet Explorer 10+ and Microsoft EDGE)


URLs

\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Internet Explorer 10+ and Microsoft EDGE)


How These Data Are Stored

IE (version 9 and below) uses a file called index.dat; this is a database file used to improve the overall performance of IE by indexing various contents (e.g., store all the URLs you have visited using IE in addition to search queries, cookies, and recently opened files) in one place to offer a more customized experience for the user. For example, when a user wants to access a previously visited web page, IE can autocomplete the web address as the user types it in the browser address bar by retrieving browsing history from a particular index.dat file. 


The location of index.dat files is different for each version of Windows; for instance, index.dat files in Windows 7 can be found at the following locations.


\Users\%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
\Users\%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat


Other locations of index.dat files in various Windows versions can be found here


Newer versions of IE (10 and 11), which come preinstalled with Windows 8, 8.1 and 10, no longer use index.dat files; instead they keep all the browsing information that index.dat used to hold in a single file named WebCacheV01.dat. This is an ESE (Extensible Storage Engine) database: its Containers table lists one container per artifact type (History, Content, Cookies, iedownload and so on) and the matching Container_<n> tables hold the records, with timestamps stored as 64-bit Windows FILETIME values. The browser keeps the file open, so a copy taken from a live system is usually in a dirty-shutdown state and its newest records still sit in the V01*.log transaction logs beside it; copy the whole WebCache folder and repair the copy with esentutl (esentutl /p WebCacheV01.dat, or esentutl /r V01 to replay the logs) before parsing it. The file can be found at


\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat


The original Edge keeps its favourites, reading list and top sites in an ESE database named spartan.edb, while history, cookies, cache and downloads go into the shared WebCacheV01.dat; spartan.edb is located at

\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxx-xxx\DBStore\spartan.edb
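Because both WebCacheV01.dat and spartan.edb are ESE databases, the first check before handing either to a parser is whether the copy was cleanly shut down. The following is an added example, not code from the original post: it reads the fixed-offset fields of the ESE file header (signature at offset 4, database state at offset 52, page size at offset 236, as documented in the libesedb description of the ESE format, which this example assumes is accurate) and tells you whether the transaction logs must be replayed first. The header bytes it parses are constructed for the demonstration, not taken from a real system.

```python
import struct

# ESE file header layout, from the libesedb "Extensible Storage Engine (ESE)
# Database File (EDB) format" documentation (assumed correct; see lead-in):
#   offset 4    uint32  signature 0x89ABCDEF (bytes ef cd ab 89 on disk)
#   offset 8    uint32  file format version
#   offset 12   uint32  file type (0 = database, 1 = streaming file)
#   offset 52   uint32  database state
#   offset 236  uint32  page size
ESE_SIGNATURE = 0x89ABCDEF
ESE_STATES = {
    1: "just created",
    2: "dirty shutdown",   # copied while the browser had it open, or after a crash
    3: "clean shutdown",   # safe to parse directly
    4: "being converted",
    5: "force detach",
}
HEADER_LEN = 240  # enough bytes to reach the page-size field


def parse_ese_header(header: bytes) -> dict:
    """Validate the ESE magic and report the state and page size of a
    WebCacheV01.dat / spartan.edb header. Raises ValueError for non-ESE input."""
    if len(header) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} bytes, got {len(header)}")
    signature, version, file_type = struct.unpack_from("<III", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"not an ESE database (signature 0x{signature:08x})")
    (state,) = struct.unpack_from("<I", header, 52)
    (page_size,) = struct.unpack_from("<I", header, 236)
    return {
        "format_version": version,
        "file_type": "database" if file_type == 0 else "streaming",
        "state": state,
        "state_name": ESE_STATES.get(state, "unknown"),
        "page_size": page_size,
        # Anything but a clean shutdown means the transaction logs (V01.log,
        # V01*.log and V01.chk next to WebCacheV01.dat) still hold records
        # that have not been written into the .dat file yet.
        "needs_recovery": state != 3,
    }


def check_ese_file(path: str) -> dict:
    """Read only the header of a copied artifact; the file itself is left untouched."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_LEN))


def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed header bytes for the demonstration only (not from a real system)."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    for state in (2, 3):
        info = parse_ese_header(build_sample_header(state))
        action = ("repair a copy with esentutl /p, or replay the logs with esentutl /r V01, first"
                  if info["needs_recovery"] else "parse as-is")
        print(f"state={info['state']} ({info['state_name']}), page size={info['page_size']}: {action}")
```

Run check_ese_file on your working copy of WebCacheV01.dat; a state of 2 is the normal result for a file copied from a running system, and parsing it without the logs silently drops the most recent history, cookie and download records.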


Google Chrome

Another popular web browser is Google Chrome, the most used browser on desktop computers worldwide, so most digital forensics examiners will come across it in their investigations.


Google publishes most of the browser's source code as the open-source Chromium project. Chrome is Chromium plus Google branding and a few proprietary additions, such as the auto-updater, the PDF viewer and, until its removal in 2021, a bundled Flash player.


Third-party developers have created a huge number of web browsers on the Chromium code base, such as: 360 Extreme Explorer, Avast SafeZone, Chromium, Comodo Dragon, CoolNovo, Cốc Cốc, Epic Browser, Flock, Vivaldi, Rockmelt, Sleipnir, SRWare Iron, Titan Browser, Torch Browser, Yandex.Browser, Opera, Orbitum, Breach, Nihrome, Perk, QIP Surf, Baidu Spark, Uran, Chromodo, Sputnik, Amigo, etc.


Browsers based on the Chromium project store their data in much the same way, so the techniques used on Google Chrome apply to them as well; Chrome therefore serves as the template for investigating most Chromium-based browsers.

Google Chrome stores most of its configuration settings and user data in SQLite databases. These files have no extension (for example History, Web Data and Login Data in the profile folder), so open them by name in DB Browser for SQLite. Work on a copy, and copy any -journal or -wal sidecar file along with the database, since the newest records may exist only there. Manual analysis of these databases, plus carving for deleted records in their free pages, will extract the maximum amount of data.


The Google Chrome profile is where Google Chrome stores its configuration settings, apps, bookmarks, and extensions. Google Chrome can have more than one profile; however, there is also a default profile that can be found at:

\Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Default


If there is more than one profile in Google Chrome, each profile will have its own folder where browser settings and user (profile owner) private data (e.g., passwords, browsing history, bookmarks, etc.) is stored. Google Chrome does not name any additional profile according to its username; instead, it uses a generic name (e.g., Profile 1, Profile 2, and so on). The location of additional Chrome profiles can be found here:


\Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Profile x
#(x could be any positive integer number beginning from 1)


We can browse target sqlite database tables and their content using DB Browser for SQLite.


Firefox

Firefox is a free, open-source web browser developed by Mozilla; it is among the browsers most favoured by security and privacy experts. Firefox and Chrome store their data in similar ways: like Chrome, Firefox keeps nearly all of its data in files under the profile directory, using SQLite and JSON formats for most of it.

For a given operating system user, Firefox can maintain multiple profiles, although most users have only one. Each profile lives in a directory named with eight random characters and a suffix, for example e91fmfjw.default; since Firefox 67 a newly created profile is usually named with the suffix .default-release instead. On Windows and macOS these directories sit under a sub-directory named "Profiles"; on Linux they sit directly under the "firefox" directory (~/.mozilla/firefox), with no extra Profiles layer. The profiles.ini file one level above lists every profile and marks the default one. A given version of Firefox uses the same file names on every operating system, and the names have been stable since roughly Firefox 5.


The main files in a Firefox profile, with their format and purpose:

  • cookies.sqlite (SQLite): stores cookie data
  • places.sqlite (SQLite): stores web history, download history and bookmarks
  • formhistory.sqlite (SQLite): stores form history for the autocomplete feature
  • downloads.sqlite (SQLite): stored download information in old versions; Firefox 26 removed it, and downloads are now recorded as annotations in places.sqlite (moz_annos)
  • prefs.js (JS): stores the user's configuration preferences
  • key4.db and logins.json (DB, JSON): saved passwords. logins.json holds the credentials in encrypted form, and key4.db is the NSS key database needed to decrypt them (protected by the master password if one is set). Older versions of Firefox used key3.db; from Firefox 58 the key file is key4.db, while the logins.json name is unchanged.
  • addons.json (JSON): lists the installed add-ons
  • extension-data (folder): data generated by installed extensions (add-ons)


The suspect's profile data (the files listed above) is at the first location below; the second location holds only the profile's disk cache (the cache2 folder):


\Users\%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\
\Users\%userprofile%\AppData\Local\Mozilla\Firefox\Profiles\




We can browse target sqlite database tables and their content using DB Browser for SQLite.
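DB Browser for SQLite shows the raw rows, but the timestamps in both browsers are stored as large integers with different epochs, and getting that wrong shifts every event by 369 years or by microseconds-versus-seconds. The following is an added example, not code from the original post or from either browser project: it queries the Chrome History tables (urls, visits) and the Firefox places.sqlite tables (moz_places, moz_historyvisits) described in this post and converts Chrome's WebKit time (microseconds since 1601-01-01 UTC) and Firefox's PRTime (microseconds since 1970-01-01 UTC) to UTC datetimes. The sample databases are built in memory with a subset of the real columns and a constructed visit; only the column and table names come from the real schemas.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (and every Chromium-based browser) stores times as microseconds since
# 1601-01-01 UTC, the WebKit epoch, which shares its origin with Windows FILETIME.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Firefox stores PRTime values: microseconds since 1970-01-01 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chrome/Chromium timestamp -> aware UTC datetime (0 or NULL = never visited)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None


def prtime_to_datetime(us):
    """Firefox timestamp -> aware UTC datetime (NULL = never visited)."""
    return UNIX_EPOCH + timedelta(microseconds=us) if us else None


def datetime_to_webkit(dt):
    # timedelta // timedelta is exact integer arithmetic; the 17-digit result
    # would lose precision as a float.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def datetime_to_prtime(dt):
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1)


def open_readonly(path):
    """Open a *copied* database without writing to it. immutable=1 stops SQLite
    from creating journal files, but it also ignores a -wal file, so copy any
    History-journal / places.sqlite-wal sidecar next to the copy first."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def chrome_history(con):
    """Every visit in Chrome's 'History' database, joined to its URL record."""
    rows = con.execute(
        """SELECT u.url, u.title, v.visit_time, u.visit_count, u.typed_count
           FROM visits AS v JOIN urls AS u ON u.id = v.url
           ORDER BY v.visit_time"""
    )
    return [{"url": url, "title": title, "visited": webkit_to_datetime(ts),
             "visit_count": vc, "typed_count": tc}
            for url, title, ts, vc, tc in rows]


def firefox_history(con):
    """Every visit in Firefox's places.sqlite, joined to its moz_places record.
    visit_type 1 = followed link, 2 = typed into the address bar, 7 = download."""
    rows = con.execute(
        """SELECT p.url, p.title, v.visit_date, p.visit_count, v.visit_type
           FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id
           ORDER BY v.visit_date"""
    )
    return [{"url": url, "title": title, "visited": prtime_to_datetime(ts),
             "visit_count": vc, "visit_type": vt}
            for url, title, ts, vc, vt in rows]


# Constructed sample data (not from a real system): the same visit recorded the
# way each browser would store it, using a subset of the real table columns.
SAMPLE_VISIT = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_chrome():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER);
    """)
    ts = datetime_to_webkit(SAMPLE_VISIT)  # 13259073600000000
    con.execute("INSERT INTO urls VALUES (1, 'https://example.com/', 'Example', 1, 1, ?)", (ts,))
    con.execute("INSERT INTO visits VALUES (1, 1, ?, 0, 0)", (ts,))
    return con


def build_sample_firefox():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    ts = datetime_to_prtime(SAMPLE_VISIT)  # 1614600000000000
    con.execute("INSERT INTO moz_places VALUES (1, 'https://example.com/', 'Example', 1, ?)", (ts,))
    con.execute("INSERT INTO moz_historyvisits VALUES (1, 0, 1, ?, 2)", (ts,))
    return con


if __name__ == "__main__":
    for name, rows in (("chrome", chrome_history(build_sample_chrome())),
                       ("firefox", firefox_history(build_sample_firefox()))):
        for r in rows:
            print(name, r["visited"].isoformat(), r["url"], r["title"])
```

To run this against a real artifact, copy the History or places.sqlite file (with its sidecar) out of the profile, open it with open_readonly and pass the connection to chrome_history or firefox_history; the same WebKit conversion applies to the Cookies, Web Data and Login Data databases of Chrome and of Chromium-based Edge.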


In this post, we looked at how to perform a manual forensic analysis of the artifacts of the major web browsers. Keep in mind that commercial forensic suites can parse and extract the data of the various browsers automatically; as we always say, check a forensic tool's feature list for the browsers it supports before buying it.

