🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Firefox Session Restore
  • Location in Older Versions
  • Location in Newer Versions
  • Chrome Session Restore
  • Location in Older Versions
  • Location in Newer Versions
  • Microsoft Edge Session Restore
  • Location in Older Versions
  • Location in Newer Versions
  • Forensic Analysis of Session Restore Data
  • Tools and Techniques for Analysis

Was this helpful?

  1. Windows Artifacts
  2. Browser Usage

Session Restore

Session Restore functionality, integral to modern web browsers, significantly enhances user experience by saving the state of all open tabs and windows. In the event of a crash, update, or deliberate closure, this feature allows users to resume their browsing session seamlessly. From a forensic perspective, the data stored by session restore mechanisms can provide a wealth of information about a user's browsing habits, including visited websites, session times, and more.

Firefox Session Restore

Location in Older Versions

  • Windows 7 and Later: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\sessionstore.js

Location in Newer Versions

  • Windows 7 and Later:

    • Main File: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\sessionstore.jsonlz4

    • Backups: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\sessionstore-backups\

Firefox has transitioned from using the .js extension for session store files to a compressed format .jsonlz4, enhancing storage efficiency and security. These files contain data about open tabs, window configurations, URLs, and, in some cases, form data and page states.

Chrome Session Restore

Location in Older Versions

  • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\

Location in Newer Versions

  • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Sessions

Chrome stores session information in the Sessions directory for newer versions. This includes snapshots of open tabs and windows, facilitating a quick recovery of the browsing session.

Microsoft Edge Session Restore

Location in Older Versions

  • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\

Location in Newer Versions

  • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Sessions

Similar to Chrome, Edge (being Chromium-based) stores session data in the Sessions directory for newer versions, allowing users to restore their previous sessions.

Forensic Analysis of Session Restore Data

Analyzing session restore files can unveil:

  • Historical Websites: Lists of URLs opened in each tab, providing a timeline of user activity.

  • Referring Websites: Information about how the user navigated to each site, which can be used to trace a user's browsing path.

  • Session Timings: Data on when sessions started and ended, offering insights into browsing habits.

  • Page Content: HTML, JavaScript, XML, and form data might be stored, revealing what information the user viewed or submitted.

  • Browser State: Additional details like transition types, browser window sizes, and whether tabs were pinned, offering context on user preferences and behaviors.

Tools and Techniques for Analysis

  1. Accessing Files: Navigate to the session restore directories based on the browser and OS version.

  2. Decompression and Decoding: For Firefox's .jsonlz4 files, use specialized tools or scripts to decompress and decode the contents.

  3. Analysis Software: Utilize digital forensics tools capable of parsing browser artifacts to analyze session data. Custom scripts may also be written to extract specific information.

  4. Manual Inspection: In some cases, manually inspecting the session restore files in a text editor can provide immediate insights, though this is less efficient for larger data sets.

PreviousPrivate BrowsingNextStored Credentials

Last updated 1 year ago

Was this helpful?