Browser Artifacts
Browser artifacts include various types of data stored by web browsers, such as navigation history, bookmarks, and cache data. These artifacts are kept in specific folders within the operating system, differing in location and name across browsers, yet generally storing similar data types.
Here's a summary of the most common browser artifacts:
- Navigation History: Tracks user visits to websites, useful for identifying visits to malicious sites.
- Autocomplete Data: Suggestions based on frequent searches, offering insights when combined with navigation history.
- Bookmarks: Sites saved by the user for quick access.
- Extensions and Add-ons: Browser extensions or add-ons installed by the user.
- Cache: Stores web content (e.g., images, JavaScript files) to improve website loading times, valuable for forensic analysis.
- Logins: Stored login credentials.
- Favicons: Icons associated with websites, appearing in tabs and bookmarks, useful for additional information on user visits.
- Browser Sessions: Data related to open browser sessions.
- Downloads: Records of files downloaded through the browser.
- Form Data: Information entered in web forms, saved for future autofill suggestions.
- Thumbnails: Preview images of websites.
- Custom Dictionary.txt: Words added by the user to the browser's dictionary.
Firefox
Firefox organizes user data within profiles, stored in specific locations based on the operating system:
- Linux:
~/.mozilla/firefox/
- MacOS:
/Users/$USER/Library/Application Support/Firefox/Profiles/
- Windows:
%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\
A profiles.ini file within these directories lists the user profiles. Each profile's data is stored in a folder named in the Path variable within profiles.ini, located in the same directory as profiles.ini itself. If a profile's folder is missing, it may have been deleted.
Within each profile folder, you can find several important files:
- places.sqlite: Stores history, bookmarks, and downloads. Tools like BrowsingHistoryView on Windows can access the history data.
- Use specific SQL queries to extract history and downloads information.
- bookmarkbackups: Contains backups of bookmarks.
- formhistory.sqlite: Stores web form data.
- handlers.json: Manages protocol handlers.
- persdict.dat: Custom dictionary words.
- addons.json and extensions.sqlite: Information on installed add-ons and extensions.
- cookies.sqlite: Cookie storage, with MZCookiesView available for inspection on Windows.
- cache2/entries or startupCache: Cache data, accessible through tools like MozillaCacheView.
- favicons.sqlite: Stores favicons.
- prefs.js: User settings and preferences.
- downloads.sqlite: Older downloads database, now integrated into places.sqlite.
- thumbnails: Website thumbnails.
- logins.json: Encrypted login information.
- key4.db or key3.db: Stores encryption keys for securing sensitive information.
Additionally, the browser's anti-phishing settings can be checked by searching for browser.safebrowsing entries in prefs.js, which indicate whether safe browsing features are enabled or disabled.
To try to decrypt the master password, you can use https://github.com/unode/firefox_decrypt. With the following script and call you can specify a password file to brute force:
```bash:brute.sh
#!/bin/bash
# Usage (as given on the page):
#   ./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
# Feeds each candidate master password from the word list to firefox_decrypt.py.
passfile="$1"
while read -r pass; do
    echo "Trying $pass"
    echo "$pass" | python firefox_decrypt.py
done < "$passfile"
```
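The SQL queries that the places.sqlite item above leaves unspecified, as an added example that is not part of the original page or of Firefox's own code. It builds an in-memory stand-in for places.sqlite reduced to the columns the queries need (the table names, the PRTime microsecond timestamps, the visit_type values and the downloads/destinationFileURI and downloads/metaData annotation names are Firefox's; the rows are constructed), then extracts history and downloads the way you would against a real profile.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Firefox visit types (nsINavHistoryService TRANSITION_* constants).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary",
               7: "download", 8: "framed_link", 9: "reload"}


def prtime_to_iso(us):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()


def build_sample_places():
    """Constructed stand-in for places.sqlite, reduced to the columns used below."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
        visit_count INTEGER, typed INTEGER, last_visit_date INTEGER);
    CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    CREATE TABLE moz_anno_attributes(id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE moz_annos(id INTEGER PRIMARY KEY, place_id INTEGER,
        anno_attribute_id INTEGER, content TEXT, dateAdded INTEGER);
    INSERT INTO moz_places VALUES
        (1, 'https://example.com/', 'Example', 2, 1, 1700000000000000),
        (2, 'https://example.com/report.pdf', 'report.pdf', 1, 0, 1700000100000000);
    INSERT INTO moz_historyvisits VALUES
        (1, 0, 1, 1699999000000000, 2),
        (2, 1, 1, 1700000000000000, 1),
        (3, 2, 2, 1700000100000000, 7);
    -- Firefox attaches a download record to a place as two annotations.
    INSERT INTO moz_anno_attributes VALUES
        (1, 'downloads/destinationFileURI'), (2, 'downloads/metaData');
    INSERT INTO moz_annos VALUES
        (1, 2, 1, 'file:///home/user/Downloads/report.pdf', 1700000100000000),
        (2, 2, 2, '{"state":1,"endTime":1700000105000,"fileSize":4096}', 1700000105000000);
    """)
    return con


HISTORY_SQL = """
SELECT p.url, p.title, v.visit_date, v.visit_type, p.visit_count
FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
ORDER BY v.visit_date"""

DOWNLOADS_SQL = """
SELECT p.url, dest.content, meta.content, dest.dateAdded
FROM moz_places p
JOIN moz_annos dest
  ON dest.place_id = p.id
 AND dest.anno_attribute_id = (SELECT id FROM moz_anno_attributes
                               WHERE name = 'downloads/destinationFileURI')
LEFT JOIN moz_annos meta
  ON meta.place_id = p.id
 AND meta.anno_attribute_id = (SELECT id FROM moz_anno_attributes
                               WHERE name = 'downloads/metaData')"""


def firefox_history(con):
    """One dict per visit, oldest first, with the timestamp and visit type decoded."""
    rows = []
    for url, title, visit_date, vtype, count in con.execute(HISTORY_SQL):
        rows.append({"url": url, "title": title, "visited": prtime_to_iso(visit_date),
                     "visit_type": VISIT_TYPES.get(vtype, "unknown(%d)" % vtype),
                     "visit_count": count})
    return rows


def firefox_downloads(con):
    """One dict per download; metaData is JSON and state 1 is Firefox's finished state."""
    rows = []
    for url, dest, meta, added in con.execute(DOWNLOADS_SQL):
        info = json.loads(meta) if meta else {}
        rows.append({"url": url, "destination": dest, "added": prtime_to_iso(added),
                     "size": info.get("fileSize"), "finished": info.get("state") == 1})
    return rows


if __name__ == "__main__":
    db = build_sample_places()   # replace with sqlite3.connect("<profile>/places.sqlite")
    for row in firefox_history(db):
        print(row)
    for row in firefox_downloads(db):
        print(row)
```

Against a live profile, copy places.sqlite (and any places.sqlite-wal beside it) out of the profile before opening it, since Firefox holds a lock on the original while it runs.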
Google Chrome
Google Chrome stores user profiles in specific locations based on the operating system:
- Linux:
~/.config/google-chrome/
- Windows:
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\
- MacOS:
/Users/$USER/Library/Application Support/Google/Chrome/
Within these directories, most user data can be found in the Default/ or ChromeDefaultData/ folders. The following files hold significant data:
- History: Contains URLs, downloads, and search keywords. On Windows, ChromeHistoryView can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads.
- Cookies: Stores cookies. For inspection, ChromeCookiesView is available.
- Cache: Holds cached data. To inspect, Windows users can utilize ChromeCacheView.
- Bookmarks: User bookmarks.
- Web Data: Contains form history.
- Favicons: Stores website favicons.
- Login Data: Includes login credentials like usernames and passwords.
- Current Session/Current Tabs: Data about the current browsing session and open tabs.
- Last Session/Last Tabs: Information about the sites active during the last session before Chrome was closed.
- Extensions: Directories for browser extensions and addons.
- Thumbnails: Stores website thumbnails.
- Preferences: A file rich in information, including settings for plugins, extensions, pop-ups, notifications, and more.
- Browser's built-in anti-phishing: To check if anti-phishing and malware protection are enabled, run grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences and look for "enabled": true in the output.
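The History item above mentions that the "Transition Type" column carries the meaning of each visit; the following is an added example, not code from the original page or from Chromium, that decodes that column and the WebKit timestamps. The core transition values and qualifier bits are the ones defined in Chromium's page_transition_types.h, the timestamps are microseconds since 1601-01-01 UTC as Chrome stores them, and the sample rows are constructed to mirror a subset of the History database's urls, visits, downloads and downloads_url_chains tables.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition type lives in the low byte; qualifiers are single bits above it.
CORE_TRANSITIONS = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
                    4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
                    7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}
QUALIFIERS = {0x01000000: "forward_back", 0x02000000: "from_address_bar",
              0x04000000: "home_page", 0x08000000: "from_api",
              0x10000000: "chain_start", 0x20000000: "chain_end",
              0x40000000: "client_redirect", 0x80000000: "server_redirect"}


def webkit_to_iso(us):
    """Chrome timestamps are microseconds since 1601-01-01 UTC; 0 means unset."""
    if not us:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()


def decode_transition(value):
    """Split a visits.transition value into its core type and qualifier names."""
    value &= 0xFFFFFFFF
    core = CORE_TRANSITIONS.get(value & 0xFF, "unknown(%d)" % (value & 0xFF))
    return core, [name for bit, name in QUALIFIERS.items() if value & bit]


def build_sample_history():
    """Constructed stand-in for Chrome's History database (subset of columns)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
        typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
    CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
        from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
    CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
        end_time INTEGER, received_bytes INTEGER, total_bytes INTEGER, state INTEGER,
        danger_type INTEGER, tab_url TEXT);
    CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 1, 1, 13344473600000000, 0),
        (2, "https://example.com/landing", "Landing", 1, 0, 13344473605000000, 0),
        (3, "https://example.com/download", "Download", 1, 0, 13344473700000000, 0)])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, 13344473600000000, 0, 0x30000001, 5_000_000),  # typed URL, chain start+end
        (2, 2, 13344473605000000, 1, 0xA0000000, 0),          # server redirect from visit 1
        (3, 3, 13344473700000000, 2, 0x30000007, 0)])         # form submission
    con.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, "/home/user/Downloads/report.pdf", 13344473700000000, 13344473703000000,
         4096, 4096, 1, 0, "https://example.com/download")])
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://example.com/download"),
        (1, 1, "https://cdn.example.com/report.pdf")])
    return con


HISTORY_SQL = """
SELECT u.url, u.title, v.visit_time, v.transition, v.from_visit
FROM visits v JOIN urls u ON u.id = v.url
ORDER BY v.visit_time"""

# The highest chain_index is the URL the bytes were finally fetched from.
DOWNLOADS_SQL = """
SELECT d.target_path, d.start_time, d.end_time, d.received_bytes, d.total_bytes,
       d.state, d.danger_type, c.url
FROM downloads d
JOIN downloads_url_chains c ON c.id = d.id
 AND c.chain_index = (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id)"""


def chrome_history(con):
    """One dict per visit with the transition decoded into core type and qualifiers."""
    out = []
    for url, title, t, transition, from_visit in con.execute(HISTORY_SQL):
        core, quals = decode_transition(transition)
        out.append({"url": url, "title": title, "visited": webkit_to_iso(t),
                    "transition": core, "qualifiers": quals, "from_visit": from_visit})
    return out


def chrome_downloads(con):
    """One dict per download; state 1 is COMPLETE in Chrome's downloads table."""
    out = []
    for path, start, end, got, total, state, danger, url in con.execute(DOWNLOADS_SQL):
        out.append({"final_url": url, "path": path, "started": webkit_to_iso(start),
                    "ended": webkit_to_iso(end), "bytes": "%d/%d" % (got, total),
                    "complete": state == 1, "flagged_dangerous": danger != 0})
    return out


if __name__ == "__main__":
    db = build_sample_history()   # replace with sqlite3.connect("<profile>/History")
    for row in chrome_history(db) + chrome_downloads(db):
        print(row)
```

A visit whose qualifiers include server_redirect with from_visit pointing at an earlier row is the shape a redirect from a link or advert to a malicious landing page leaves behind, while typed or from_address_bar marks URLs the user entered deliberately.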
SQLite DB Data Recovery
As you can observe in the previous sections, both Chrome and Firefox use SQLite databases to store the data. It's possible to recover deleted entries using the tool sqlparse or sqlparse_gui.
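Why deleted rows can be recovered at all, shown as an added example that is not part of the original page and not the sqlparse tool itself: SQLite only unlinks a deleted cell from its page unless secure_delete is on, so the old bytes stay in the page's free space until they are overwritten. The script builds a constructed Chrome-style urls table with secure_delete switched off, deletes one row, then carves URL strings out of the raw file and subtracts the rows that are still live. sqlparse does this properly by walking the page and freeblock structures; string carving is the simplest check that confirms there is something left to recover.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Printable URL-looking byte runs; binary cell headers terminate each match.
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_%?=&:#-]+")


def build_sample_db(path):
    """Constructed: a urls table in which one row is deleted after commit.

    secure_delete is turned off explicitly so the freed cell is not zeroed,
    which models a database whose engine left old bytes in place.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    # url is the last column so the text is followed by the next cell's binary
    # header rather than by another string, keeping the carved match exact.
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, title TEXT, url TEXT)")
    con.executemany("INSERT INTO urls(title, url) VALUES (?, ?)", [
        ("Example", "https://example.com/"),
        ("Deleted later", "https://deleted.example.net/secret-page"),
        ("Docs", "https://example.org/docs"),
    ])
    con.commit()
    con.execute("DELETE FROM urls WHERE url LIKE 'https://deleted.%'")
    con.commit()
    con.close()


def live_urls(path):
    """URLs still reachable through SQL, i.e. what the browser itself would show."""
    con = sqlite3.connect(path)
    try:
        return {row[0] for row in con.execute("SELECT url FROM urls")}
    finally:
        con.close()


def carve_urls(path):
    """Every URL-shaped string in the file, allocated or not."""
    with open(path, "rb") as f:
        data = f.read()
    return {m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)}


def recover_deleted_urls(path):
    """Carved strings that no live row accounts for are candidates for deleted rows."""
    return sorted(carve_urls(path) - live_urls(path))


def run_demo():
    """Build the sample in a temp dir and return live versus recovered URLs."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "History")
    try:
        build_sample_db(path)
        return {"live": sorted(live_urls(path)), "deleted": recover_deleted_urls(path)}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real acquisition also carve the -journal or -wal file next to the database: a checkpointed WAL frequently still holds pages with the row content that the main file has since overwritten.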
Internet Explorer 11
Internet Explorer 11 manages its data and metadata across various locations, aiding in separating stored information and its corresponding details for easy access and management.
Metadata Storage
Metadata for Internet Explorer is stored in %userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data (with VX being V01, V16, or V24). Accompanying this, the V01.log file might show modification time discrepancies with WebcacheVX.data, indicating a need for repair using esentutl /r V01 /d. This metadata, housed in an ESE database, can be recovered and inspected using tools like photorec and ESEDatabaseView, respectively. Within the Containers table, one can discern the specific tables or containers where each data segment is stored, including cache details for other Microsoft tools such as Skype.
Cache Inspection
The IECacheView tool allows for cache inspection, requiring the cache data extraction folder location. Metadata for cache includes filename, directory, access count, URL origin, and timestamps indicating cache creation, access, modification, and expiry times.
Cookies Management
Cookies can be explored using IECookiesView, with metadata encompassing names, URLs, access counts, and various time-related details. Persistent cookies are stored in %userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies, with session cookies residing in memory.
Download Details
Downloads metadata is accessible via ESEDatabaseView, with specific containers holding data like URL, file type, and download location. Physical files can be found under %userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory.
Browsing History
To review browsing history, BrowsingHistoryView can be used, requiring the location of extracted history files and configuration for Internet Explorer. Metadata here includes modification and access times, along with access counts. History files are located in %userprofile%\Appdata\Local\Microsoft\Windows\History.
Typed URLs
Typed URLs and their usage timings are stored within the registry under NTUSER.DAT at Software\Microsoft\InternetExplorer\TypedURLs and Software\Microsoft\InternetExplorer\TypedURLsTime, tracking the last 50 URLs entered by the user and their last input times.
Microsoft Edge
Microsoft Edge stores user data in %userprofile%\Appdata\Local\Packages. The paths for various data types are:
- Profile Path:
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC
- History, Cookies, and Downloads:
C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
- Settings, Bookmarks, and Reading List:
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
- Cache:
C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache
- Last Active Sessions:
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active
Safari
Safari data is stored at /Users/$User/Library/Safari. Key files include:
- History.db: Contains history_visits and history_items tables with URLs and visit timestamps. Use sqlite3 to query.
- Downloads.plist: Information about downloaded files.
- Bookmarks.plist: Stores bookmarked URLs.
- TopSites.plist: Most frequently visited sites.
- Extensions.plist: List of Safari browser extensions. Use plutil or pluginkit to retrieve.
- UserNotificationPermissions.plist: Domains permitted to push notifications. Use plutil to parse.
- LastSession.plist: Tabs from the last session. Use plutil to parse.
- Browser's built-in anti-phishing: Check using defaults read com.apple.Safari WarnAboutFraudulentWebsites. A response of 1 indicates the feature is active.
Opera
Opera's data resides in /Users/$USER/Library/Application Support/com.operasoftware.Opera and shares Chrome's format for history and downloads.
- Browser's built-in anti-phishing: Verify, using grep, whether fraud_protection_enabled in the Preferences file is set to true.
These paths and commands are crucial for accessing and understanding the browsing data stored by different web browsers.