🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Mozilla Firefox
  • Location of AutoComplete Data:
  • Google Chrome and Microsoft Edge
  • History:
  • Web Data (Chrome and Edge):
  • Forensic Implications

Was this helpful?

  1. Windows Artifacts
  2. Browser Usage

Auto-Complete Data

AutoComplete data in web browsers provides a rich source of information for digital forensics and incident response professionals. This data, generated by users as they fill out forms and search fields on the web, is stored locally by browsers to enhance the user experience by predicting and filling in information in similar forms in the future. Here's an overview of how AutoComplete data is stored across different browsers and its forensic implications.

Mozilla Firefox

Location of AutoComplete Data:

  • Form History: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\formhistory.sqlite

  • Places Database: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite

The formhistory.sqlite database stores information that users have entered into web forms, while places.sqlite contains records of URLs, including those typed into the address bar, enhancing the browser's ability to autocomplete URLs based on partial user inputs.

Google Chrome and Microsoft Edge

History:

  • Chrome: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\History

  • Edge: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History

These History files contain URLs that have been visited, search queries, and may also include titles of visited web pages, facilitating a predictive typing feature for URLs and search queries.

Web Data (Chrome and Edge):

  • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Web Data

  • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Web Data

The Web Data file is critical for storing AutoComplete information related to web forms, including names, addresses, search terms, and other entries made by the user.

  • Shortcuts and Network Action Predictor:

    • These files store information related to frequently visited websites and are used to predict user actions based on their browsing habits.

  • Login Data:

    • Chrome: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Login Data

    • Edge: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Login Data

The Login Data files are particularly sensitive, as they contain information related to websites where the user has entered a username and password, potentially including encrypted passwords.

Forensic Implications

The forensic analysis of AutoComplete data can reveal:

  • User behavior and interaction with specific websites.

  • Potential credentials and sensitive personal information.

  • Patterns that may help in understanding a user's habits or intentions.

Analyzing these files requires specialized tools and knowledge of database structures to interpret the data correctly. It's crucial to handle this data with care due to its potential sensitivity and the ethical and legal considerations involved in accessing personal information. A tutorial is coming soon!

PreviousTransition TypesNextBookmarks

Last updated 1 year ago

Was this helpful?