🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Importance of Browser Search Terms in Forensic Analysis
  • Location and Extraction of Browser History
  • Internet Explorer
  • Firefox
  • Chrome
  • Analyzing Search Terms for Physical Location
  • Forensic Considerations

Was this helpful?

  1. Windows Artifacts
  2. Physical Location

Browser Search Terms

Browser search terms, particularly those related to physical locations, offer a rich dataset for forensic analysts and security professionals. By examining the history of websites visited, including search engine queries, an analyst can gain insights into the user's interests, intentions, and physical movements. This information is stored locally for each user account, allowing for a detailed reconstruction of online activities.

Importance of Browser Search Terms in Forensic Analysis

  • Behavioral Analysis: Understanding the context and content of search terms can provide clues about a user's behavior, interests, or plans, including searches related to specific locations.

  • Timeline Reconstruction: By analyzing the date and time stamps associated with specific search terms or visited websites, an investigator can reconstruct a timeline of a user's activities.

  • Locational Insights: Searches that include addresses, place names, or directions can directly indicate places of interest to the user, potentially correlating with physical movements or intentions to visit those locations.

Location and Extraction of Browser History

Internet Explorer

  • Windows XP:

    • %userprofile%\Local Settings\History\History.IE5

  • Windows 7–10:

    • %userprofile%\AppData\Local\Microsoft\Windows\History\History.IE5

    • %userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5

For Internet Explorer, history is stored in index.dat files within these directories. Specialized tools are required to parse these files due to their proprietary format.

Firefox

  • Windows XP:

    • %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite

  • Windows 7–10:

    • %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite

Firefox stores history, bookmarks, and downloads in the places.sqlite SQLite database. This file can be queried directly with SQL commands using SQLite tools to extract detailed history and search terms.

Chrome

  • All Versions:

    • %userprofile%\AppData\Local\Google\Chrome\User Data\Default\History

Chrome's history is also stored in a SQLite database named History. It contains URLs, visit times, titles, and, most importantly for this context, search terms extracted from the URL itself for searches performed.

Analyzing Search Terms for Physical Location

  1. SELECT url, title, visit_count, last_visit_time FROM urls WHERE url LIKE '%q=%';

  2. Index.dat Viewer for IE: Use a specialized index.dat viewer tool for Internet Explorer to extract visited URLs and search terms. Look for patterns or specific keywords that suggest locational searches.

  3. Manual Inspection and Scripts: Manually inspecting the history through browser interfaces or writing scripts to automate the extraction and parsing of search terms can yield comprehensive insights, especially when looking for specific locational data.

Forensic Considerations

  • Privacy and Sensitivity: Be mindful of privacy considerations when accessing and analyzing browser history, especially when dealing with personal or sensitive locational information.

  • Data Integrity: Ensure that forensic copies of the databases or history files are used for analysis to maintain the integrity of the evidence.

  • Correlation with Other Artifacts: Correlate browser search terms with other digital artifacts (e.g., GPS data, photographs with geotags, calendar entries) to build a more complete picture of the user's activities and locations.

PreviousCookiesNextProgram Execution

Last updated 1 year ago

Was this helpful?

: For browsers that use SQLite databases (Firefox and Chrome), use SQL queries to extract search terms, focusing on URLs that contain known search engine domains (e.g., google.com, bing.com) and parsing the query parameters (e.g., q= for Google searches).

Querying Databases