Introduction
Web browsers are among the richest sources of forensic evidence on any computer. They record browsing history, cached content, cookies, downloads, form data, and much more. Understanding browser artifacts is essential for any investigation involving computer usage.
Learn to locate and analyze browser artifacts from Chrome, Firefox, and Edge. Understand private browsing limitations and recovery possibilities. Master browser forensic tools and analysis techniques.
Browser Artifact Types
Modern browsers store numerous types of data that are valuable for forensic investigation.
Browsing History
URLs visited, page titles, visit counts, timestamps of each visit.
Cache
Locally stored copies of web pages, images, scripts, and other resources.
Cookies
Session data, login tokens, tracking information, user preferences.
Search Terms
Queries entered in search engines and address bar searches.
Downloads
Downloaded files, source URLs, timestamps, and sometimes file content.
Form Data
Auto-fill data including names, addresses, and form field entries.
Google Chrome Forensics
Chrome is the most popular browser with over 65% market share. Its artifacts are stored in SQLite databases and various files.
Chrome Profile Locations
```text
# Windows
C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\
# macOS
/Users/[username]/Library/Application Support/Google/Chrome/Default/
# Linux
/home/[username]/.config/google-chrome/Default/
# Multiple Profiles
...\User Data\Profile 1\
...\User Data\Profile 2\
```
Key Chrome Artifact Files
| File | Format | Contents |
|---|---|---|
| History | SQLite | URLs, visits, downloads, keyword searches |
| Cookies | SQLite | Cookie values, domains, expiration dates |
| Login Data | SQLite | Saved usernames and encrypted passwords |
| Web Data | SQLite | Autofill data, credit cards (encrypted) |
| Bookmarks | JSON | Bookmarked URLs with timestamps |
| Preferences | JSON | Browser settings, homepage, extensions |
| Cache/ | Custom | Cached web content |
| Favicons | SQLite | Website icons with associated URLs |
Chrome SQLite Database Queries
```sql
-- History Database: Get browsing history
SELECT
    urls.url,
    urls.title,
    urls.visit_count,
    datetime(visits.visit_time/1000000-11644473600, 'unixepoch', 'localtime') AS visit_time
FROM urls
JOIN visits ON urls.id = visits.url
ORDER BY visits.visit_time DESC;

-- History Database: Get downloads
SELECT
    target_path,
    tab_url,
    datetime(start_time/1000000-11644473600, 'unixepoch', 'localtime') AS download_time,
    total_bytes
FROM downloads;

-- Login Data: Get saved credentials
SELECT
    origin_url,
    username_value,
    datetime(date_created/1000000-11644473600, 'unixepoch', 'localtime') AS created
FROM logins;
```
Chrome uses WebKit/Chrome timestamp format: microseconds since January 1, 1601. To convert: (timestamp / 1000000) - 11644473600 = Unix epoch. Tools like DB Browser for SQLite and specialized forensic tools handle this automatically.
Mozilla Firefox Forensics
Firefox stores its data in SQLite databases and files within profile folders. Each profile has a unique alphanumeric name.
Firefox Profile Locations
```text
# Windows
C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[random].default-release\
# macOS
/Users/[username]/Library/Application Support/Firefox/Profiles/[random].default-release/
# Linux
/home/[username]/.mozilla/firefox/[random].default-release/
# Profile list
...\Mozilla\Firefox\profiles.ini
```
Key Firefox Artifact Files
| File | Format | Contents |
|---|---|---|
| places.sqlite | SQLite | History, bookmarks, downloads |
| cookies.sqlite | SQLite | Cookies and session data |
| formhistory.sqlite | SQLite | Form autofill data, search terms |
| logins.json | JSON | Encrypted saved passwords |
| key4.db | SQLite | Master password and encryption keys |
| sessionstore.jsonlz4 | Compressed JSON | Open tabs, windows, session state |
| favicons.sqlite | SQLite | Website icons |
Firefox SQLite Queries
```sql
-- places.sqlite: Get browsing history
-- visit_date is microseconds since the Unix epoch, so no 1601 offset is needed
SELECT
    moz_places.url,
    moz_places.title,
    moz_places.visit_count,
    datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime') AS visit_time
FROM moz_places
JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id
ORDER BY moz_historyvisits.visit_date DESC;  -- sort on the raw value, not the formatted alias

-- places.sqlite: Get downloads (stored as page annotations)
SELECT
    moz_places.url,
    moz_annos.content AS download_path,
    datetime(moz_annos.dateAdded/1000000, 'unixepoch', 'localtime') AS download_time
FROM moz_annos
JOIN moz_places ON moz_annos.place_id = moz_places.id
WHERE moz_annos.anno_attribute_id =
    (SELECT id FROM moz_anno_attributes WHERE name = 'downloads/destinationFileURI');

-- formhistory.sqlite: Get search terms and form data
SELECT
    fieldname,
    value,
    datetime(firstUsed/1000000, 'unixepoch', 'localtime') AS first_used,
    datetime(lastUsed/1000000, 'unixepoch', 'localtime') AS last_used,
    timesUsed
FROM moz_formhistory
ORDER BY lastUsed DESC;
```
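The timestamp conversions from the Chrome and Firefox sections above, implemented in Python alongside the Chrome urls/visits join, as an added example that is not part of the original page. It runs against a constructed in-memory database that carries only the History columns the query uses; the URLs and timestamps are made up.

```python
from __future__ import annotations
import sqlite3
from datetime import datetime, timedelta, timezone

# Epoch offset used by the page's queries: seconds from 1601-01-01 to 1970-01-01.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_TO_UNIX_SECONDS = int((UNIX_EPOCH - WEBKIT_EPOCH).total_seconds())


def webkit_to_datetime(us: int) -> datetime | None:
    """Chrome/Edge value: microseconds since 1601-01-01 UTC; 0 means 'never'."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us > 0 else None


def firefox_to_datetime(us: int) -> datetime | None:
    """Firefox value (PRTime): microseconds since the Unix epoch, UTC."""
    return UNIX_EPOCH + timedelta(microseconds=us) if us > 0 else None


def make_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's History DB with only the columns used."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2),
        (2, "https://example.org/login", "Sign in", 1),
    ])
    # Made-up WebKit timestamps: 2024-01-17 21:20:00 UTC, then +60 s and +120 s.
    conn.executemany("INSERT INTO visits VALUES (?,?,?)", [
        (1, 1, 13_350_000_000_000_000),
        (2, 2, 13_350_000_060_000_000),
        (3, 1, 13_350_000_120_000_000),
    ])
    return conn


def chrome_history(conn: sqlite3.Connection) -> list[tuple[str, str, datetime | None]]:
    """The page's urls/visits join, newest first, with the epoch shift done in Python."""
    rows = conn.execute(
        "SELECT urls.url, urls.title, visits.visit_time FROM urls "
        "JOIN visits ON urls.id = visits.url ORDER BY visits.visit_time DESC"
    ).fetchall()
    return [(url, title, webkit_to_datetime(ts)) for url, title, ts in rows]


if __name__ == "__main__":
    for url, title, when in chrome_history(make_sample_history()):
        print(when.isoformat(), title, url)
```

Point `sqlite3.connect()` at a copied History file instead of `make_sample_history()` to run the same join on real evidence; keeping the conversion in Python avoids the local-time ambiguity of SQLite's `'localtime'` modifier on an examiner workstation.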
Microsoft Edge Forensics
Microsoft Edge (Chromium-based) uses a similar structure to Chrome since it's built on the same engine. Legacy Edge (EdgeHTML) had a different structure.
Edge Profile Locations
```text
# Edge Chromium (Current)
C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default\
# Legacy Edge (Windows 10 pre-Chromium)
C:\Users\[username]\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\
```
Edge Chromium Artifacts
Edge Chromium uses the same database structure as Chrome:
- History: SQLite database with same schema as Chrome
- Cookies: SQLite with same structure
- Login Data: Saved credentials in SQLite
- Web Data: Autofill information
- Bookmarks: JSON format
Since Edge is Chromium-based, the same forensic tools and queries used for Chrome work for Edge. The main difference is the file path location. Chrome tools like Hindsight, BrowsingHistoryView, and DB Browser for SQLite all work with Edge artifacts.
Private Browsing Analysis
Private browsing (Incognito, InPrivate, Private Window) is designed not to leave traces on the local system. However, forensic evidence may still be recoverable.
What Private Browsing Does NOT Store
- Browsing history in permanent databases
- Cookies after session ends
- Form data and search history
- Download history (but downloaded files remain)
- Cache (deleted after session)
Where Private Browsing Evidence MAY Exist
| Location | Evidence Type | Recovery Method |
|---|---|---|
| RAM | Active session data, URLs, content | Memory forensics (if system not rebooted) |
| Page/Swap File | Memory pages written to disk | Pagefile.sys / swap partition analysis |
| Prefetch | Browser execution with private flag | Prefetch file analysis |
| DNS Cache | Resolved domain names | ipconfig /displaydns |
| Downloaded Files | Actual files on disk | File system analysis |
| Network Logs | Router, proxy, firewall logs | Network device forensics |
| Crash Reports | Memory dumps if browser crashed | Crash dump analysis |
Memory forensics is the most effective method for recovering private browsing activity. Tools like Volatility can extract browser history from RAM dumps. The window of opportunity is limited: the evidence is lost once the browser is closed and the system is rebooted.
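The RAM and pagefile rows of the table above rely on browser strings surviving in raw memory. As an added example (not from the page, and not Volatility), this carves URL-like values out of a raw memory or pagefile image in both ASCII and UTF-16LE, the encoding Windows browsers use for many in-memory strings; the byte buffer it runs over is constructed to stand in for a capture.

```python
import re
from collections import Counter

# Allowed URL characters (RFC 3986-ish), as a bytes character class.
URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"
URL_ASCII = re.compile(rb"https?://" + URL_CHARS + rb"{4,256}")
# The same pattern as UTF-16LE: every ASCII-range character is followed by a NUL byte.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHARS + rb"\x00){4,256}"
)


def carve_urls(image: bytes) -> Counter:
    """Return URL -> hit count for both encodings found in a raw image."""
    hits: Counter = Counter()
    for m in URL_ASCII.finditer(image):
        hits[m.group().decode("ascii")] += 1
    for m in URL_UTF16.finditer(image):
        hits[m.group().decode("utf-16-le")] += 1
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM or pagefile chunk (not a real capture)."""
    filler = b"\x00" * 32 + bytes(range(256)) + b"\xff" * 32
    ascii_url = b'"https://example.com/search?q=forensics+tutorial" '
    utf16_url = "https://example.org/inprivate".encode("utf-16-le")
    decoy = b"ftp://example.net/not-http"  # outside the http(s) scope
    return filler + ascii_url + filler + utf16_url + filler + ascii_url + decoy + filler


if __name__ == "__main__":
    for url, count in carve_urls(build_sample_image()).most_common():
        print(f"{count:3d}  {url}")
```

On a real pagefile or memory image, read the file in large overlapping chunks rather than loading it whole, and treat hit counts only as a triage signal: a string in memory proves presence, not a timestamp.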
Browser Forensic Tools
Hindsight
Open-source tool for Chrome/Chromium-based browser analysis. Parses history, cache, cookies, and more.
BrowsingHistoryView
NirSoft tool for viewing history from multiple browsers in one interface.
DB Browser for SQLite
General SQLite viewer for direct database examination.
Autopsy
Comprehensive forensic platform with browser analysis modules.
- Browser artifacts include history, cache, cookies, downloads, form data, and credentials
- Chrome and Edge (Chromium) use SQLite databases with WebKit timestamps
- Firefox uses SQLite with Unix-style microsecond timestamps
- Private browsing reduces local artifacts but evidence may exist in RAM, pagefile, DNS cache
- Memory forensics is key for recovering private browsing activity
- Downloaded files persist even when download history is cleared or private mode is used