Web browsers artefacts are often located under:
- %LocalAppData%: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local.
- %AppData%: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming.
Internet Explorer
----------------------
Browsing history, downloads, cache, cookies metadata: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat.
Cookies: %AppData%\Microsoft\Windows\Cookies.
Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat.
Edge (Legacy)
-------------------
Browsing history, downloads, cache, cookies metadata: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat;
User profiles: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC.
Cache: <USER_PROFILE>\MicrosoftEdge\Cache.
Sessions: <USER_PROFILE>\MicrosoftEdge\User\Default\Recovery\Active.
Settings: <USER_PROFILE>\User\Default\DataStore\Data
ouser1\XXX\DBStore\spartan.edb.
Edge (Chronium-based)
--------------------------------
User profiles: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>.
Browsing history: <USER_PROFILE>\History.
Cookies: <USER_PROFILE>\Cookies.
Cache: <USER_PROFILE>\Cache.
Sessions: <USER_PROFILE>\Sessions.
Settings: <USER_PROFILE>\Preferences.
Google Chrome
----------------------
User profiles: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>.
Browsing history: <USER_PROFILE>\History.
Cookies: <USER_PROFILE>\Cookies.
Cache: <USER_PROFILE>\Cache.
Sessions: <USER_PROFILE>\Sessions.
Settings: <USER_PROFILE>\Preferences.
Mozilla Firefox
--------------------
User profiles: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release.
Browsing history, downloads, bookmarks: <USER_PROFILE>\places.sqlite.
Cookies: <USER_PROFILE>\cookies.sqlite.
Cache: <USER_PROFILE>\cache2\*.
Sessions: <USER_PROFILE>\sessionstorebackups\*.
Settings: <USER_PROFILE>\prefs.js.
- %LocalAppData%: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local.
- %AppData%: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming.
Internet Explorer
----------------------
Browsing history, downloads, cache, cookies metadata: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat.
Cookies: %AppData%\Microsoft\Windows\Cookies.
Sessions: %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat.
Edge (Legacy)
-------------------
Browsing history, downloads, cache, cookies metadata: %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat;
User profiles: %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC.
Cache: <USER_PROFILE>\MicrosoftEdge\Cache.
Sessions: <USER_PROFILE>\MicrosoftEdge\User\Default\Recovery\Active.
Settings: <USER_PROFILE>\User\Default\DataStore\Data
ouser1\XXX\DBStore\spartan.edb.
Edge (Chronium-based)
--------------------------------
User profiles: %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>.
Browsing history: <USER_PROFILE>\History.
Cookies: <USER_PROFILE>\Cookies.
Cache: <USER_PROFILE>\Cache.
Sessions: <USER_PROFILE>\Sessions.
Settings: <USER_PROFILE>\Preferences.
Google Chrome
----------------------
User profiles: %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>.
Browsing history: <USER_PROFILE>\History.
Cookies: <USER_PROFILE>\Cookies.
Cache: <USER_PROFILE>\Cache.
Sessions: <USER_PROFILE>\Sessions.
Settings: <USER_PROFILE>\Preferences.
Mozilla Firefox
--------------------
User profiles: %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release.
Browsing history, downloads, bookmarks: <USER_PROFILE>\places.sqlite.
Cookies: <USER_PROFILE>\cookies.sqlite.
Cache: <USER_PROFILE>\cache2\*.
Sessions: <USER_PROFILE>\sessionstorebackups\*.
Settings: <USER_PROFILE>\prefs.js.
Overview
The web browsers related artefacts can be split in the following categories:
-
User profile: web browsers, such as
Chronium-based browsers andFirefox, implement a profile feature to store user’s settings, history, favorites, etc. The databases and files that store these information are usually stored under a user specific profile folder. -
History: web browsing history and download history.
-
Cookies: web browsing cookies (session tokens).
-
Cache: cache of resources downloaded from accessed websites (images, text content,
HTML,CSS,Javascriptfiles, etc.). -
Sessions: tabs and windows from a browsing session.
-
Settings: configuration settings.
These files are often located under %LocalAppData%
(%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and
%AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).
Artefacts
Internet Explorer
| Type | Description | Location |
|---|---|---|
| Browsing history Downloads Cache Cookies metadata |
The WebCacheV01.dat is an ESE database, with information about Internet Explorer browsing activity split across multiple tables: - Browsing history: History table. - Downloads: iedownload table. - Cache: content table. - Cookies metadata: Cookies table. Local files accessed, not necessarily through the web browser, may also appear in the WebCacheV01.dat database. |
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat |
| Cookies | - | %AppData%\Microsoft\Windows\Cookies |
| Sessions | - | %LocalAppData%\Microsoft\Internet Explorer\Recovery\*.dat |
Edge (Legacy)
| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC |
| Browsing history Downloads Cache Cookies metadata |
Shared with Microsoft Internet Explorer. |
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat |
| Cache | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache |
| Sessions | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active |
| Settings | - | %LocalAppData%\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb |
Edge (Chronium-based)
Since Edge version v79 (January 2020), Microsoft Edge uses a Chronium
backend and shares similar artefacts to Google Chrome.
| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\* With X ranging from one to n. |
| Browsing history | - | %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\History |
| Cookies | - | %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Network\Cookies |
| Cache | - | %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Cache |
| Sessions | - | %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Sessions |
| Settings | - | %LocalAppData%\Microsoft\Edge\User Data\<Default | Profile X>\Preferences |
Google Chrome
| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\* With X ranging from one to n. |
| History | - | %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\History |
| Cookies | - | %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Network\Cookies |
| Cache | - | %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Cache |
| Sessions | - | %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Sessions |
| Settings | - | %LocalAppData%\Google\Chrome\User Data\<Default | Profile X>\Preferences |
Mozilla Firefox
| Type | Description | Location |
|---|---|---|
| User profile(s) | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\* |
| Browsing history Downloads Bookmarks |
- | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\places.sqlite |
| Cookies | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cookies.sqlite |
| Cache | - | %LocalAppData%\Mozilla\Firefox\Profiles\<ID>.default-release\cache2\* |
| Sessions | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\sessionstorebackups\* |
| Settings | - | %AppData%\Mozilla\Firefox\Profiles\<ID>.default-release\prefs.js |
Tool(s)
The NirSoft's BrowsingHistoryView
utility (NirSoft_BrowsingHistoryView KAPE module) can be used to parse a
number of browsers artefacts to extract browsing history information.
BrowsingHistoryView can be used either as a graphical application or as a
command-line utility to export the parsing result (for instance in the CSV
format).
# /HistorySource 3: Load history from the specified profiles folder (specified using /HistorySourceFolder).
# /HistorySourceFolder <USER_PROFILES_FOLDER> example: "C:\Users" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users" (for shadow copy).
# /VisitTimeFilterType 1: Load history dating back to any time.
# /ShowTimeInGMT 1: Converts timestamps to UTC-0 (default to the local timezone).
browsinghistoryview.exe /HistorySource 3 /HistorySourceFolder "<USER_PROFILES_FOLDER>" /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma <OUTPUT_CSV>
References
View on GitHub