🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Popular Web Browsers and Their Download Mechanisms:
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Safari
  • Opera
  • Forensic Analysis Considerations:
  • Practical Implications in Digital Forensics:

Was this helpful?

  1. Windows Artifacts
  2. File Download

Web Browsing

Some MacOS included in here as well

Web browsers are the gateways through which users access and download content from the Internet. Each browser has its own set of conventions for managing file downloads, including specified directories for saving files and temporary storage locations for files in transit. These details can be critical in forensic contexts, offering insights into user actions and the provenance of files.

Popular Web Browsers and Their Download Mechanisms:

Google Chrome

  • Process Name: chrome.exe

  • Default File Path for Downloads:

    • %USERPROFILE%\Downloads on Windows, ~/Downloads on macOS.

  • Temporary Folder:

    • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache on Windows, ~/Library/Caches/Google/Chrome/Default/Cache on macOS for cached content.

Mozilla Firefox

  • Process Name: firefox.exe

  • Default File Path for Downloads:

    • %USERPROFILE%\Downloads on Windows, ~/Downloads on macOS.

  • Temporary Folder:

    • %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<profile.folder>\cache2 on Windows, ~/Library/Caches/Firefox/Profiles/<profile.folder>/cache2 on macOS for cached downloads.

Microsoft Edge

  • Process Name: msedge.exe

  • Default File Path for Downloads:

    • %USERPROFILE%\Downloads on Windows.

  • Temporary Folder:

    • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\Cache on Windows for temporary files and cached content.

Safari

  • Process Name: Safari.exe (on Windows, though primarily used on macOS)

  • Default File Path for Downloads:

    • ~/Downloads on macOS.

  • Temporary Folder:

    • ~/Library/Caches/com.apple.Safari/Cache.db on macOS for caching web content.

Opera

  • Process Name: opera.exe

  • Default File Path for Downloads:

    • %USERPROFILE%\Downloads on Windows, ~/Downloads on macOS.

  • Temporary Folder:

    • %USERPROFILE%\AppData\Local\Opera Software\Opera Stable\Cache on Windows, ~/Library/Caches/Opera Software/Opera Stable/Cache on macOS for cached files.

Forensic Analysis Considerations:

  • Temporary Folders: These locations are vital for uncovering files that may not have been permanently saved by the user but were part of the browsing activity.

  • Download Histories: Apart from physical file locations, examining the browser's download history can provide a chronological account of user downloads.

  • Cache Analysis: Cached content can reveal accessed web pages, videos, images, and partially downloaded files, offering additional clues about user behavior and interactions.

Practical Implications in Digital Forensics:

The investigation of default download locations and temporary folders across browsers is crucial for identifying how, when, and what type of content was downloaded or accessed. This analysis aids in constructing user activity timelines, identifying evidence of illicit activities, and correlating downloaded content with potential security incidents.

PreviousMalvertisingNextCache Files

Last updated 1 year ago

Was this helpful?