Chapter05 - Web Browser Forensics

Web Browser Forensics
Thai Minh Tuan
([email protected])

Slides are adapted from:

[1] Guide to Computer Forensics and Investigations, Sixth Edition. Cengage Learning, 2018. ISBN-13: 978-1-337-56894-4
[2] Practical Guide to Digital Forensics Investigations. Pearson IT Certification, 2020. ISBN-13: 978-0789759917
Outline
● Determine what web browser(s) the suspect used
● Chromium-based Browsers Forensics
● Firefox Browsers Forensics

Determining what web browser the suspect used
● Start with the browsers that ship with the operating system
○ Microsoft Edge / Internet Explorer on Windows
○ Firefox or Chromium on Linux (which one depends on the distribution)
○ Safari on macOS
● Then look for browsers the user installed
○ Windows: the registry, e.g. the browsers registered under HKLM\SOFTWARE\Clients\StartMenuInternet, the entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and the per-user default handler under HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
○ Linux: package manager logs and databases (/var/log/apt/history.log and /var/log/dpkg.log on Debian/Ubuntu, /var/log/dnf.log on Fedora, /var/log/pacman.log on Arch)
● Uninstalling a browser usually leaves its profile directory and configuration files in place, so check the profile locations on the following slides even when the browser itself is gone

Chromium-based Browsers Forensics
● Chromium-based browsers:
○ Google Chrome (around 65% market share)
○ Microsoft Edge (around 9%)
■ In December 2018 Microsoft announced it would rebuild Edge on Google's Chromium in place of its proprietary EdgeHTML engine; the Chromium-based Edge shipped in January 2020
● Google Chrome stores user profiles in specific locations based on the operating system:
○ Linux: ~/.config/google-chrome/
○ Windows: %LOCALAPPDATA%\Google\Chrome\User Data\ (i.e. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\)
○ macOS: /Users/$USER/Library/Application Support/Google/Chrome/
● The artifact files on the following slides live inside a profile subdirectory of that root: Default/ for the first profile, then Profile 1/, Profile 2/, and so on. The Local State file in the root lists the profiles and, since Chrome 80 on Windows, holds the DPAPI-wrapped os_crypt key used to encrypt cookies and saved passwords
● Other Chromium-based browsers use the same layout under a different root directory, e.g. ~/.config/chromium/, ~/.config/microsoft-edge/ or ~/.config/BraveSoftware/Brave-Browser/ on Linux, and %LOCALAPPDATA%\Microsoft\Edge\User Data\ on Windows

Google Chrome Artifacts Overview
● History:
○ SQLite database of URLs, visits, downloads and search keywords (tables urls, visits, downloads, keyword_search_terms). Timestamps are WebKit time: microseconds since 1601-01-01 00:00:00 UTC. On Windows, ChromeHistoryView can be used to read it. Its "Transition Type" column is decoded from the visits.transition bitmask: the low byte is the core type (user click on a link, typed URL, form submission, page reload, ...) and the high bits are qualifiers such as "from address bar" or "server redirect".
● Cookies:
○ SQLite database of cookies. Values sit in the encrypted_value column, encrypted with an OS-protected key (DPAPI on Windows, the Keychain on macOS, a desktop-keyring-derived or fixed key on Linux), so a bare copy of the file yields names, hosts and timestamps but not values. For inspection, ChromeCookiesView is available.
● Cache:
○ Holds cached data. To inspect, Windows users can utilize ChromeCacheView.
● Bookmarks:
○ User bookmarks, stored as JSON (Bookmarks, with a Bookmarks.bak copy).
● Web Data:
○ SQLite database with form history (autofill entries) and saved addresses and payment cards.
● Favicons:
○ Stores website favicons.
● Login Data:
○ SQLite database of saved credentials (table logins): origin URLs, usernames and passwords, the passwords encrypted with the same OS-protected key as cookies, so recovery needs the user's DPAPI master key or Keychain, not just the file.
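The History database and its transition bitmask, as an added example for these notes (not code from the slides or from Chrome): it builds a constructed History file using a subset of Chrome's real urls/visits schema, converts the WebKit timestamps and splits each transition value into its core type and qualifier flags.

```python
"""Read a Chrome/Chromium History database, convert its WebKit timestamps and decode
the visits.transition bitmask.  Added example for these notes, not code from the
slides or from Chrome; the tables below are a subset of Chrome's real History
schema and the rows are constructed."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Low byte of visits.transition: the core transition type.
CORE_TRANSITIONS = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
# High bits: qualifier flags OR'ed onto the core type.
QUALIFIERS = {
    0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
    0x04000000: "HOME_PAGE", 0x08000000: "FROM_API",
    0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END",
    0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT",
}


def webkit_to_datetime(value):
    """WebKit microsecond timestamp -> aware UTC datetime (None when 0/unset)."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def decode_transition(value):
    """Return (core type name, qualifier names in bit order) for a transition value."""
    core = CORE_TRANSITIONS.get(value & 0xFF, "UNKNOWN(%d)" % (value & 0xFF))
    quals = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, quals


HISTORY_SQL = """
SELECT v.id, u.url, u.title, v.visit_time, v.transition, v.from_visit
FROM visits v JOIN urls u ON u.id = v.url
ORDER BY v.visit_time
"""


def load_history(path):
    """Return decoded visit rows from a History file, opened read-only.
    Work on a copy taken together with its -journal/-wal sidecar files, or
    writes still pending in the WAL are silently missing from the result."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    try:
        rows = []
        for vid, url, title, vtime, trans, from_visit in con.execute(HISTORY_SQL):
            core, quals = decode_transition(trans)
            rows.append({"visit_id": vid, "url": url, "title": title,
                         "time": webkit_to_datetime(vtime), "transition": core,
                         "qualifiers": quals, "from_visit": from_visit})
        return rows
    finally:
        con.close()


def make_sample_history(path):
    """Write a constructed History file using Chrome's urls/visits column names."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER, segment_id INTEGER, visit_duration INTEGER);
    """)
    t0 = 13350000000000000  # constructed: 2024-01-17 21:20:00 UTC in WebKit microseconds
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 1, 1, t0, 0),
        (2, "https://example.com/login", "Login", 1, 0, t0 + 5_000_000, 0),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        # URL typed into the address bar; starts a navigation chain
        (1, 1, t0, 0, 0x01 | 0x02000000 | 0x10000000, 0, 0),
        # form submission reached from visit 1; ends the chain
        (2, 2, t0 + 5_000_000, 1, 0x07 | 0x20000000, 0, 0),
    ])
    con.commit()
    con.close()


def demo():
    """Build the sample database in a temp directory and return the decoded visits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        make_sample_history(path)
        return load_history(path)


if __name__ == "__main__":
    for row in demo():
        print(row["time"].isoformat(), row["transition"], row["qualifiers"], row["url"])
```

The from_visit column links a visit to the one it came from, so chaining it together with the CHAIN_START/CHAIN_END qualifiers reconstructs the navigation path, which is what the "Transition Type" column in ChromeHistoryView summarises.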

Google Chrome Artifacts Overview
● Current Session/Current Tabs:
○ Data about the current browsing session and open tabs.
● Last Session/Last Tabs:
○ Information about the sites active during the last session before Chrome was closed.
● Extensions:
○ Directories for browser extensions and addons.
● Thumbnails:
○ Stores website thumbnails.
● Preferences:
○ A file rich in information, including settings for plugins, extensions, pop-ups, notifications, and
more.
● Browser's built-in anti-phishing:
○ Preferences is a JSON file, so check its safebrowsing object, e.g. on macOS: jq .safebrowsing ~/Library/Application\ Support/Google/Chrome/Default/Preferences (or grep -o '"safebrowsing":{[^}]*}' on the same file). "enabled": true means Safe Browsing (phishing and malware protection) is on. Chrome only writes a preference once it differs from the built-in default, so an absent safebrowsing.enabled key means the default (protection on), not that it was disabled.
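A small triage of the Preferences file, as an added example for these notes (not code from the slides or from Chrome): it reads the keys Chrome writes for Safe Browsing, session restore, the download directory and the installed extensions, applying the "missing key means default" rule. The sample document and the default values listed in CHECKS are assumptions of this example.

```python
"""Triage a Chrome/Chromium Preferences file (plain JSON).  Added example for these
notes, not code from the slides or from Chrome; the document below is constructed
and the defaults in CHECKS are assumed."""
import json

# Chrome writes a preference only once it differs from the built-in default, so a
# missing key means "default in effect", not "unknown".  Defaults as assumed here.
CHECKS = {
    "safebrowsing.enabled": True,        # Safe Browsing (phishing/malware warnings)
    "safebrowsing.enhanced": False,      # enhanced protection opt-in
    "session.restore_on_startup": 5,     # 1 = restore last session, 4 = open listed URLs, 5 = new tab
    "session.startup_urls": [],
    "download.default_directory": None,  # None: the platform default Downloads folder
}


def get_path(doc, dotted, default=None):
    """Look up a dotted key path in nested dicts; return default if any step is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def triage(prefs):
    """Summarise the settings in CHECKS plus the extensions recorded under extensions.settings."""
    summary = {key: get_path(prefs, key, default) for key, default in CHECKS.items()}
    extensions = []
    for ext_id, ext in (get_path(prefs, "extensions.settings", {}) or {}).items():
        extensions.append({
            "id": ext_id,
            "name": get_path(ext, "manifest.name"),
            "version": get_path(ext, "manifest.version"),
            "enabled": ext.get("state") == 1,        # state 1 = enabled, 0 = disabled
            "path": ext.get("path"),                 # absolute for unpacked (sideloaded) extensions
            "from_webstore": ext.get("from_webstore", False),
        })
    summary["extensions"] = sorted(extensions, key=lambda e: e["id"])
    return summary


# Constructed Preferences document: Safe Browsing switched off, session restore on,
# one sideloaded (unpacked) extension and one Web Store extension.
SAMPLE_PREFERENCES = json.dumps({
    "safebrowsing": {"enabled": False},
    "session": {"restore_on_startup": 1},
    "download": {"default_directory": "/home/user/Downloads"},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest": {"name": "Helper", "version": "0.1"},
            "path": "/home/user/.helper", "state": 1, "from_webstore": False},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest": {"name": "Sample Store Extension", "version": "2.0.0"},
            "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.0.0_0", "state": 1, "from_webstore": True},
    }},
})


def demo():
    """Run the triage over the constructed document."""
    return triage(json.loads(SAMPLE_PREFERENCES))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On Windows, extension settings may live in Secure Preferences next to Preferences, so run the same triage over both files when the extensions list comes back empty.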

Firefox Forensics
● Firefox organizes user data within profiles, stored in specific locations
based on the operating system:
○ Linux: ~/.mozilla/firefox/
○ MacOS: /Users/$USER/Library/Application Support/Firefox/Profiles/
○ Windows: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\
● A profiles.ini file in that directory lists the user profiles
○ Each [ProfileN] section gives a Name and a Path; when IsRelative=1 the Path is relative to the directory holding profiles.ini. Newer Firefox versions (67+) also add [Install...] sections whose Default= names the profile used by that installation, while the older Default=1 flag may still sit on a different profile section
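Resolving the profile directories from profiles.ini, as an added example for these notes (not code from the slides or from Mozilla): it handles IsRelative, the legacy Default=1 flag and the newer [Install...] default, and then lists which of the artifact files named on the following slides exist in a profile. The profiles.ini written by demo() is constructed but follows the real layout.

```python
"""Resolve Firefox profile directories from profiles.ini and inventory the artifact
files in each.  Added example for these notes, not code from the slides or from
Mozilla; the profiles.ini written by demo() is constructed."""
import configparser
import os
import tempfile

# Artifact files named on the following slides; which ones exist tells you what to collect.
ARTIFACTS = ["places.sqlite", "cookies.sqlite", "formhistory.sqlite", "favicons.sqlite",
             "logins.json", "key4.db", "key3.db", "prefs.js", "extensions.json",
             "addons.json", "handlers.json", "persdict.dat"]


def list_profiles(firefox_dir):
    """Return one dict per [ProfileN] section: name, absolute path, and both default markers."""
    ini = configparser.ConfigParser(interpolation=None)   # paths may contain '%'
    ini.optionxform = str                                 # keep key case: Path, IsRelative, Default
    ini.read(os.path.join(firefox_dir, "profiles.ini"), encoding="utf-8")
    # Firefox 67+ records the default profile per installation in [Install<hash>]
    # sections whose Default= holds a profile Path; older files mark it with
    # Default=1 on the profile section itself, and both can be present at once.
    install_defaults = {ini[s].get("Default") for s in ini.sections() if s.startswith("Install")}
    profiles = []
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue
        sec = ini[section]
        rel_path = sec["Path"]
        path = rel_path if sec.get("IsRelative", "1") == "0" else os.path.join(firefox_dir, rel_path)
        profiles.append({
            "name": sec.get("Name", section),
            "path": os.path.normpath(path),
            "legacy_default": sec.get("Default") == "1",
            "install_default": rel_path in install_defaults,
        })
    return profiles


def inventory(profile_path):
    """Return the artifact files that actually exist in a profile directory."""
    return [f for f in ARTIFACTS if os.path.isfile(os.path.join(profile_path, f))]


# Constructed profiles.ini in the modern layout: the [Install...] section names the
# "default-release" profile, while the older profile still carries Default=1.
SAMPLE_PROFILES_INI = """\
[Install4F96D1932A9F858E]
Default=x8dk2l9q.default-release
Locked=1

[Profile1]
Name=default
IsRelative=1
Path=k3jd8s2a.default
Default=1

[Profile0]
Name=default-release
IsRelative=1
Path=x8dk2l9q.default-release

[General]
StartWithLastProfile=1
Version=2
"""


def demo():
    """Create the sample layout in a temp dir; return (profiles, inventories of install defaults)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "profiles.ini"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PROFILES_INI)
        release = os.path.join(tmp, "x8dk2l9q.default-release")
        os.mkdir(release)
        for name in ("places.sqlite", "logins.json", "key4.db"):   # constructed, empty files
            open(os.path.join(release, name), "wb").close()
        profiles = list_profiles(tmp)
        return profiles, [inventory(p["path"]) for p in profiles if p["install_default"]]


if __name__ == "__main__":
    for p, files in zip(*demo()):
        print(p["name"], p["path"], files)
```

When the two markers disagree, the [Install...] entry is the profile the installed Firefox actually opened last; the Default=1 profile is usually an older one left over from before the per-install split, and it is still worth examining.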

Firefox Artifacts Overview
● places.sqlite:
○ Stores history, bookmarks and downloads: moz_places holds the URLs, moz_historyvisits one row per visit (visit_date, visit_type), moz_bookmarks the bookmarks, and downloads are kept as page annotations in moz_annos. Timestamps are PRTime: microseconds since 1970-01-01 00:00:00 UTC. Tools like BrowsingHistoryView on Windows can read the history.
○ Use SQL queries joining these tables to extract history and downloads information.
● bookmarkbackups:
○ Contains dated backups of bookmarks (compressed JSON, .jsonlz4).
● formhistory.sqlite:
○ Stores web form data (field names and the values entered).
● handlers.json:
○ Manages protocol handlers and file-type actions.
● persdict.dat:
○ Custom dictionary words.
● addons.json and extensions.json (extensions.sqlite in older versions):
○ Information on installed add-ons and extensions.
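The history, bookmark and download queries against places.sqlite, as an added example for these notes (not code from the slides or from Mozilla): it creates a constructed database using a subset of the real moz_places / moz_historyvisits / moz_bookmarks / moz_annos schema, runs the three joins and converts the PRTime values.

```python
"""Query a Firefox places.sqlite for history, bookmarks and downloads and convert its
PRTime timestamps.  Added example for these notes, not code from the slides or from
Mozilla; the tables are a subset of the real schema and the rows are constructed."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Firefox stores PRTime: microseconds since 1970-01-01 00:00:00 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

VISIT_TYPES = {1: "LINK", 2: "TYPED", 3: "BOOKMARK", 4: "EMBED", 5: "REDIRECT_PERMANENT",
               6: "REDIRECT_TEMPORARY", 7: "DOWNLOAD", 8: "FRAMED_LINK", 9: "RELOAD"}


def prtime_to_datetime(value):
    """PRTime microseconds -> aware UTC datetime (None when 0/unset)."""
    if not value:
        return None
    return UNIX_EPOCH + timedelta(microseconds=value)


HISTORY_SQL = """
SELECT p.url, p.title, h.visit_date, h.visit_type, h.from_visit
FROM moz_historyvisits h JOIN moz_places p ON p.id = h.place_id
ORDER BY h.visit_date
"""
BOOKMARKS_SQL = """
SELECT b.title, p.url, b.dateAdded
FROM moz_bookmarks b JOIN moz_places p ON p.id = b.fk
WHERE b.type = 1            -- 1 = bookmark, 2 = folder, 3 = separator
ORDER BY b.dateAdded
"""
# Downloads are page annotations: 'downloads/destinationFileURI' holds the local target.
DOWNLOADS_SQL = """
SELECT p.url, a.content, a.dateAdded
FROM moz_annos a
JOIN moz_anno_attributes n ON n.id = a.anno_attribute_id
JOIN moz_places p ON p.id = a.place_id
WHERE n.name = 'downloads/destinationFileURI'
ORDER BY a.dateAdded
"""


def analyse(path):
    """Run the three queries against a places.sqlite copy (opened read-only)."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    try:
        history = [{"url": u, "title": t, "time": prtime_to_datetime(d),
                    "type": VISIT_TYPES.get(v, "UNKNOWN(%d)" % v), "from_visit": f}
                   for u, t, d, v, f in con.execute(HISTORY_SQL)]
        bookmarks = [{"title": t, "url": u, "added": prtime_to_datetime(d)}
                     for t, u, d in con.execute(BOOKMARKS_SQL)]
        downloads = [{"url": u, "target": c, "added": prtime_to_datetime(d)}
                     for u, c, d in con.execute(DOWNLOADS_SQL)]
        return {"history": history, "bookmarks": bookmarks, "downloads": downloads}
    finally:
        con.close()


def make_sample_places(path):
    """Write a constructed places.sqlite: a typed visit, a download from it, one bookmark."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
            rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0,
            typed INTEGER DEFAULT 0, frecency INTEGER DEFAULT -1, last_visit_date INTEGER, guid TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER, session INTEGER);
        CREATE TABLE moz_bookmarks(id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER,
            position INTEGER, title LONGVARCHAR, dateAdded INTEGER, lastModified INTEGER, guid TEXT);
        CREATE TABLE moz_anno_attributes(id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE);
        CREATE TABLE moz_annos(id INTEGER PRIMARY KEY, place_id INTEGER, anno_attribute_id INTEGER,
            content LONGVARCHAR, flags INTEGER, expiration INTEGER, type INTEGER,
            dateAdded INTEGER, lastModified INTEGER);
    """)
    t0 = 1705526400000000   # constructed: 2024-01-17 21:20:00 UTC in PRTime microseconds
    t1 = t0 + 60_000_000    # one minute later
    con.executemany("INSERT INTO moz_places(id,url,title,rev_host,visit_count,typed,last_visit_date,guid)"
                    " VALUES (?,?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", "moc.elpmaxe.", 1, 1, t0, "gUiD00000001"),
        (2, "https://example.com/files/invoice.pdf", None, "moc.elpmaxe.", 1, 0, t1, "gUiD00000002"),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?,?)", [
        (1, 0, 1, t0, 2, 0),   # typed URL
        (2, 1, 2, t1, 7, 0),   # download reached from visit 1
    ])
    con.execute("INSERT INTO moz_bookmarks VALUES (?,?,?,?,?,?,?,?,?)",
                (1, 1, 1, 3, 0, "Example", t0 - 86_400_000_000, t0 - 86_400_000_000, "bMk000000001"))
    con.execute("INSERT INTO moz_anno_attributes VALUES (1, 'downloads/destinationFileURI')")
    con.execute("INSERT INTO moz_annos VALUES (?,?,?,?,?,?,?,?,?)",
                (1, 2, 1, "file:///home/user/Downloads/invoice.pdf", 0, 4, 3, t1, t1))
    con.commit()
    con.close()


def demo():
    """Build the sample database in a temp directory and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "places.sqlite")
        make_sample_places(path)
        return analyse(path)


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

Note the different epochs: Chrome's History counts microseconds from 1601, Firefox's places.sqlite from 1970, so the same wall-clock instant appears as two very different integers and must be converted before timelines from both browsers are merged.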

Firefox Artifacts Overview
● cookies.sqlite:
○ Cookie storage (table moz_cookies, values in clear text), with MZCookiesView available for inspection on Windows.
● cache2/entries:
○ Web cache, accessible through tools like MozillaCacheView. It is not kept in the profile directory itself but in the separate cache location (Linux: ~/.cache/mozilla/firefox/<profile>/, macOS: ~/Library/Caches/Firefox/Profiles/<profile>/, Windows: %LOCALAPPDATA%\Mozilla\Firefox\Profiles\<profile>\). The startupCache directory found alongside it is Firefox's own startup cache, not web content.
● favicons.sqlite:
○ Stores favicons.
● prefs.js:
○ User settings and preferences (user_pref(...) lines).
● downloads.sqlite:
○ Older downloads database, now integrated into places.sqlite.
● thumbnails:
○ Website thumbnails.
● logins.json:
○ Saved credentials, with the username and password fields encrypted.
● key4.db (key3.db in older versions):
○ NSS key database holding the key that decrypts logins.json. Without a primary (master) password that key is protected only by an empty password, so the credentials are recoverable offline from these two files; with one set, the password is needed.

SQLite DB Data Analysis
● Both Chrome and Firefox keep most of their artifacts in SQLite databases
○ Work on copies, and copy the -wal and -journal sidecar files together with each database: writes still pending in the write-ahead log are lost if only the main file is taken. Open the copies read-only.
● Tools:
○ sqlite3: the command-line shell for inspecting, querying and editing SQLite databases (.tables, .schema, SELECT ...)
○ DB Browser for SQLite (DB4S): high quality, visual, open source tool designed for people who want to create, search, and edit SQLite database files
○ SQLECmd: finds and processes SQLite files according to your needs using maps (predefined queries per artifact)
