🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Common Transition Types
  • 1. Link
  • 2. Typed
  • 3. Manual Subframe
  • 4. Generated
  • 5. Auto Bookmark
  • 6. Auto Top-Level
  • 7. Reload
  • 8. Keyword
  • 9. Keyword Generated
  • Qualifiers
  • Other Transition Types

Was this helpful?

  1. Windows Artifacts
  2. Browser Usage
  3. History & Downloads

Transition Types

Transition types in web browsers are used to describe how a navigation to a webpage occurred. Understanding these types is crucial in digital forensics and cybersecurity, as they can provide insights into user behavior, track how content is reached, and detect potentially malicious activities. Below is a deep dive into the common transition types and qualifiers found in browser history databases, particularly in browsers like Google Chrome and Firefox.

Common Transition Types

1. Link

  • Description: The user navigated to the page by clicking on a hyperlink.

  • Significance: Indicates direct user interaction with web content, often reflecting intentional browsing behavior.

2. Typed

  • Description: The user manually entered the URL in the address bar.

  • Significance: Suggests purposeful navigation to a specific webpage, potentially highlighting sites of particular interest to the user.

3. Manual Subframe

  • Description: A subframe (e.g., an iframe) was manually navigated to by the user.

  • Significance: Less common, but can indicate user interaction within complex web applications.

4. Generated

  • Description: The URL was automatically generated based on past navigation patterns, such as using the forward or backward buttons, or opening a new tab.

  • Significance: Reflects user's browsing habits and the use of browser features to navigate web sessions.

5. Auto Bookmark

  • Description: The URL was triggered from a bookmark.

  • Significance: Indicates preferred or frequently visited sites saved by the user.

6. Auto Top-Level

  • Description: Navigation to a top-level URL occurred via an automated process, not directly initiated by the user (e.g., JavaScript, meta refresh, or redirects).

  • Significance: Can be a regular part of web navigation or indicate redirection by ads or potentially malicious content.

7. Reload

  • Description: The user reloaded the page, either from a menu option or by using a keyboard shortcut.

  • Significance: May suggest interest in the page content or issues with page loading.

8. Keyword

  • Description: The URL was loaded by using a search engine with keywords.

  • Significance: Demonstrates use of search engines to find content, can indicate interests or topics of research.

9. Keyword Generated

  • Description: The URL was generated from a replaceable keyword other than the default search provider.

  • Significance: Shows customized search engine use or specialized search methods.

Qualifiers

Qualifiers provide additional context to the basic transition types:

  • Client Redirect: Navigation occurred via client-side redirection (e.g., JavaScript, HTML meta tags).

  • Server Redirect: Occurs due to server-side redirection (HTTP 301/302 responses).

  • Forward Back: User navigated using the browser's forward or back buttons.

  • From Address Bar: Indicates direct entry of the URL in the address bar, overlapping with the Typed transition type.

Other Transition Types

  • Reset: Navigation is incoming, initialized by the browser or scripts.

  • Reload Ignore Cache: The user forces a reload that bypasses the cache, often to retrieve the most up-to-date content.

  • Form Submit: Indicates navigation through form submission, common in web applications for login pages, searches, or data entry.

  • Named Outbound: A new named window or tab is created and navigated by another window, often via JavaScript.

PreviousViewing History Files - DB BrowserNextAuto-Complete Data

Last updated 1 year ago

Was this helpful?