🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Web Browsers and File Downloads:
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Safari (macOS)
  • Purpose of Cache Files:
  • Why EDRs Might Detect Cache Files:
  • Practical Implications in Digital Forensics:

Was this helpful?

  1. Windows Artifacts
  2. File Download
  3. Web Browsing

Cache Files

Web browsers are essential tools for navigating the internet, often used to download files and access online content. Each browser has a default location for storing downloaded files and utilizes a cache system to optimize the browsing experience. Cache files, while beneficial for performance, can sometimes be flagged by EDR systems due to security concerns.

Web Browsers and File Downloads:

Google Chrome

  • Location:

    • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache

    • ~/Library/Application Support/Google/Chrome/Default/Cache

Mozilla Firefox

  • Location:

    • %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<profile.folder>\cache2

    • ~/Library/Application Support/Firefox/Profiles/<profile.folder>/cache2

Microsoft Edge

  • Location:

    • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\Cache on Windows.

Safari (macOS)

  • Location:

    • ~/Library/Caches/com.apple.Safari/Cache.db.

Purpose of Cache Files:

Cache files store web page elements such as images, scripts, and HTML files locally. This storage strategy serves multiple purposes:

  • Reduced Load Times: By storing copies of web content locally, browsers can load visited pages more quickly during subsequent visits.

  • Offline Content Access: Cached content can be accessed without an internet connection, allowing users to view previously visited pages offline.

  • Bandwidth Savings: Caching minimizes the need to re-download static content, conserving bandwidth.

Why EDRs Might Detect Cache Files:

EDR (Endpoint Detection and Response) systems are designed to monitor and respond to threats on endpoints. Cache files can be flagged by EDRs for several reasons:

  • Malware Detection: Malicious scripts or payloads can be stored in cache files when a user visits a compromised website.

  • Privacy Concerns: Cached files can contain sensitive information, posing a risk if accessed by unauthorized parties.

  • Anomalous Behavior: Sudden changes in cache size or content might indicate unauthorized downloads or malware activity, triggering alerts from EDR systems.

Practical Implications in Digital Forensics:

Understanding the default download and cache locations for web browsers is crucial in forensic investigations for several reasons:

  • Evidence Collection: Download and cache directories can contain files relevant to investigations, including malicious downloads or files indicative of user behavior.

  • Investigative Leads: Analysis of cache files can reveal visited websites, downloaded content, and timestamps, aiding in timeline construction and incident analysis.

  • Security Analysis: Identifying and examining cache files flagged by EDRs can uncover malware infection vectors and data exfiltration methods.

Forensic analysts leverage knowledge of browser behavior, including file downloads and caching mechanisms, to gather evidence, analyze user actions, and assess security threats. Understanding how and why browsers store files and how EDR systems interact with these files is key to comprehensive digital forensic and cybersecurity practices.

PreviousWeb BrowsingNextCrowdStrike Searches

Last updated 1 year ago

Was this helpful?