🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Browser History Artifacts
  • Download History Artifacts
  • Storage Locations
  • Firefox
  • Google Chrome
  • Microsoft Edge
  • Forensic Analysis
  • Challenges and Considerations

Was this helpful?

  1. Windows Artifacts
  2. Browser Usage

History & Downloads

PreviousBrowser UsageNextViewing History Files - DB Browser

Last updated 1 year ago

Was this helpful?

The analysis of browser history and download history is a fundamental aspect of digital forensics, especially when investigating the online activities of a user on a device. These artifacts can provide insights into user behavior, interests, and interactions with websites over time. Let's dive deep into the significance of these artifacts, their locations across different operating systems, and how they can be utilized in forensic investigations.

Browser History Artifacts

Browser history records include URLs visited, the date and time of each visit, the , and often the frequency of visits to each site. This information is crucial for building a timeline of user activity and can be pivotal in legal cases, corporate investigations, and security breach analyses.

Download History Artifacts

Download history tracks files downloaded through the browser, including the source URL, the file name, and when the download occurred. This can be critical for identifying malicious downloads, intellectual property theft, or unauthorized data exfiltration.

Storage Locations

Firefox

  • Windows XP: 

C:\Users\USER\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite

  • Windows 7 and later: 

C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite

The places.sqlite file contains both the browser and download history in Firefox.

Google Chrome

  • Windows XP:

C:\Users\USER\Local Settings\Application Data\Google\Chrome\User Data\<Profile>\History

  • Windows 7 and later:

C:\Users\USER\AppData\Local\Google\Chrome\User Data\<Profile>\History

  • MacOS: 

/Users/USERNAME/Library/Application Support/Google/Chrome/default/history

Chrome stores its history in a file named History within the user's profile directory. Multiple profiles may exist, including "Default", "Profile 1", etc.

Microsoft Edge

  • Windows 7 and later: 

C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\default\history

Edge, being a Chromium-based browser, similarly stores history in a History file within the user data directory of the user's profile.

Forensic Analysis

  1. User Activity Timeline: Browser and download history can be used to construct a timeline of a user's online activities, helping to establish when and how a computer was used.

  2. Investigative Leads: The examination of sites visited and files downloaded can generate leads in various investigations, including cybercrimes, fraud, and unauthorized access cases.

  3. Profile Identification: Multiple browser profiles can indicate different users or personas using the same device, each with distinct browsing habits and activities.

  4. Evidence of Malware: Downloads history can reveal the initial infection vector in malware investigations, pinpointing the source of malicious software.

  5. Cross-Referencing with Other Artifacts: Browser history can be cross-referenced with other forensic artifacts, such as log files and cached web content, to corroborate findings.

Challenges and Considerations

  • Privacy Concerns: Handling browser history data must comply with privacy laws and regulations, ensuring that investigations respect legal boundaries.

  • Data Volatility: Browser history can be easily cleared by users, making timely acquisition of digital evidence crucial.

  • Encryption and Access: Some modern browsers encrypt user data, requiring specific tools or credentials for access.

transition type