Web browser artefacts are often located under:
- %LocalAppData%: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local.
- %AppData%: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming.

Internet Explorer
----------------------
Browsing history, downloads, cache, cookies metadata: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat.
Cookies: %AppData%\Microsoft\Windows\Cookies.
Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat.

Edge (Legacy)
-------------------
Browsing history, downloads, cache, cookies metadata: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat.
User profiles: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC.
Cache: <USER_PROFILE>\MicrosoftEdge\Cache.
Sessions: <USER_PROFILE>\MicrosoftEdge\User\Default\Recovery\Active.
Settings: <USER_PROFILE>\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb.

Edge (Chromium-based)
--------------------------------
User profiles: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>.
Browsing history: <USER_PROFILE>\History.
Cookies: <USER_PROFILE>\Cookies.
Cache: <USER_PROFILE>\Cache.
Sessions: <USER_PROFILE>\Sessions.
Settings: <USER_PROFILE>\Preferences.

Google Chrome
----------------------
User profiles: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>.
Browsing history: <USER_PROFILE>\History.
Cookies: <USER_PROFILE>\Cookies.
Cache: <USER_PROFILE>\Cache.
Sessions: <USER_PROFILE>\Sessions.
Settings: <USER_PROFILE>\Preferences.

Mozilla Firefox
--------------------
User profiles: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release.
Browsing history, downloads, bookmarks: <USER_PROFILE>\places.sqlite.
Cookies: <USER_PROFILE>\cookies.sqlite.
Cache: <USER_PROFILE>\cache2\*.
Sessions: <USER_PROFILE>\sessionstorebackups\*.
Settings: <USER_PROFILE>\prefs.js.

Overview

Web browser related artefacts can be split into the following categories:

  • User profile: web browsers, such as Chromium-based browsers and Firefox, implement a profile feature to store the user’s settings, history, favorites, etc. The databases and files that hold this information are usually stored under a user-specific profile folder.

  • History: web browsing history and download history.

  • Cookies: web browsing cookies (session tokens).

  • Cache: cache of resources downloaded from accessed websites (images, text content, HTML, CSS, JavaScript files, etc.).

  • Sessions: tabs and windows from a browsing session.

  • Settings: configuration settings.

These files are often located under %LocalAppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).

Artefacts

Internet Explorer

| Type | Description | Location |
|---|---|---|
| Browsing history, downloads, cache, cookies metadata | The WebCacheV01.dat is an ESE database, with information about Internet Explorer browsing activity split across multiple tables: browsing history in the History table, downloads in the iedownload table, cache in the content table, cookies metadata in the Cookies table. Local files accessed, not necessarily through the web browser, may also appear in the WebCacheV01.dat database. | %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat |
| Cookies | - | %AppData%\Microsoft\Windows\Cookies |
| Sessions | - | %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat |

Edge (Legacy)

| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC |
| Browsing history, downloads, cache, cookies metadata | Shared with Microsoft Internet Explorer. | %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat |
| Cache | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache |
| Sessions | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active |
| Settings | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb |

Edge (Chromium-based)

Since Edge v79 (January 2020), Microsoft Edge uses a Chromium backend and shares similar artefacts with Google Chrome.

| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %LocalAppData%\Microsoft\Edge\User Data\<Default \| Profile X>\* (with X ranging from one to n) |
| Browsing history | - | %LocalAppData%\Microsoft\Edge\User Data\<Default \| Profile X>\History |
| Cookies | - | %LocalAppData%\Microsoft\Edge\User Data\<Default \| Profile X>\Network\Cookies |
| Cache | - | %LocalAppData%\Microsoft\Edge\User Data\<Default \| Profile X>\Cache |
| Sessions | - | %LocalAppData%\Microsoft\Edge\User Data\<Default \| Profile X>\Sessions |
| Settings | - | %LocalAppData%\Microsoft\Edge\User Data\<Default \| Profile X>\Preferences |

Google Chrome

| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %LocalAppData%\Google\Chrome\User Data\<Default \| Profile X>\* (with X ranging from one to n) |
| History | - | %LocalAppData%\Google\Chrome\User Data\<Default \| Profile X>\History |
| Cookies | - | %LocalAppData%\Google\Chrome\User Data\<Default \| Profile X>\Network\Cookies |
| Cache | - | %LocalAppData%\Google\Chrome\User Data\<Default \| Profile X>\Cache |
| Sessions | - | %LocalAppData%\Google\Chrome\User Data\<Default \| Profile X>\Sessions |
| Settings | - | %LocalAppData%\Google\Chrome\User Data\<Default \| Profile X>\Preferences |

Mozilla Firefox

| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\* |
| Browsing history, downloads, bookmarks | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite |
| Cookies | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite |
| Cache | - | %LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\* |
| Sessions | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstorebackups\* |
| Settings | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js |

Tool(s)

NirSoft's BrowsingHistoryView utility (NirSoft_BrowsingHistoryView KAPE module) can be used to parse a number of browser artefacts to extract browsing history information.

BrowsingHistoryView can be used either as a graphical application or as a command-line utility to export the parsing result (for instance in the CSV format).

# /HistorySource 3: Load history from the specified profiles folder (specified using /HistorySourceFolder).
# /HistorySourceFolder <USER_PROFILES_FOLDER> example: "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for shadow copy).
# /VisitTimeFilterType 1: Load history dating back to any time.
# /ShowTimeInGMT 1: Converts timestamps to UTC-0 (default to the local timezone).

browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "<USER_PROFILES_FOLDER>" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma <OUTPUT_CSV>
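
As an added example (not part of the original page, and not how BrowsingHistoryView works internally): reading the Chromium `History` and Firefox `places.sqlite` databases listed above directly and merging all visits into one UTC timeline. The glob patterns are the page's paths relative to each user folder; the table and column names and the two timestamp epochs come from those browsers' SQLite schemas, not from this page.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# The page's locations, relative to <USER_PROFILES_FOLDER>\<USERNAME>.
# "*" covers "Default", "Profile X" and "<ID>.default-release" (and any other profile folder).
PATTERNS = {
    "chromium": ["AppData/Local/Google/Chrome/User Data/*/History",
                 "AppData/Local/Microsoft/Edge/User Data/*/History"],
    "firefox": ["AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite"],
}
# Schema knowledge (assumption, not from the page): one row per visit, joined to its URL.
QUERIES = {
    "chromium": "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url",
    "firefox": "SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
               "JOIN moz_places p ON p.id = h.place_id",
}
# Both store microseconds; Chromium counts from 1601-01-01 UTC, Firefox from 1970-01-01 UTC.
EPOCHS = {"chromium": datetime(1601, 1, 1, tzinfo=timezone.utc),
          "firefox": datetime(1970, 1, 1, tzinfo=timezone.utc)}

def read_visits(db_path, kind):
    """Return [(utc_datetime, url, title)] read from a working copy of the database."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "db.sqlite"
        shutil.copy2(db_path, copy)          # never open the evidence file itself
        wal = Path(str(db_path) + "-wal")    # keep the write-ahead log with the copy if present
        if wal.exists():
            shutil.copy2(wal, str(copy) + "-wal")
        con = sqlite3.connect(copy)
        try:
            rows = con.execute(QUERIES[kind]).fetchall()
        finally:
            con.close()
    return [(EPOCHS[kind] + timedelta(microseconds=ts), url, title)
            for ts, url, title in rows if ts]

def timeline(users_dir):
    """Merge visits of every user and profile under users_dir, sorted by UTC time."""
    events = []
    for user in sorted(p for p in Path(users_dir).iterdir() if p.is_dir()):
        for kind, patterns in PATTERNS.items():
            for pattern in patterns:
                for db in user.glob(pattern):
                    events += [(when, user.name, kind, url, title)
                               for when, url, title in read_visits(db, kind)]
    return sorted(events, key=lambda e: e[0])
```

`timeline()` takes the same kind of folder as `/HistorySourceFolder`, for instance a mounted image's `Users` directory.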
