Web browser history is a vital part of any forensic investigation to determine what activity was carried out online, such as websites visited, searches performed and files downloaded.
Most web browsers provide the ability to create multiple browser profiles, with each profile storing history separately. Therefore, browser history investigations may involve history from multiple profiles and multiple browsers.
We'll review some of the main desktop browser artifacts below:
- Website Visits
- Cache
- Searches
- Downloads
- Timestamps
- Chromium Apps
- File Location and Formats
- Browser Forensic Tools
Website Visits
By default web browsers log every website a user visits to a database on the user's computer. How long this data is retained for depends on the browser and its settings:
- Chromium based browsers such as Google Chrome and Microsoft Edge will store up to 90 days of website history locally.
- Mozilla Firefox stores a maximum number of website visits rather than a time limit. The maximum number of records is determined by the computer’s performance.
- Apple Safari on macOS stores website visits for up to a year.
All browsers record the following information for each web page visited:
- Date/Time of the visit
- Title of the web page
- URL of the web page
It should be noted that if Private Browsing/Incognito mode is used then no website visits will be recorded by the browser. It's also possible for the user to manually delete browsing history at any point.
Visit Type
Chrome, Edge and Firefox record a "Visit Type", which describes how the user visited a web page. The main visit types are:
- Link – the user clicked a link to the web page
- Typed – the user typed the URL into the address bar
- Bookmark – the user clicked a bookmark to the web page
- Other – the web page was visited by another means, such as a redirect
This can be useful for determining whether a user intentionally visited a particular web page or not.
Visit Source
Another useful data point stored by Chrome and Edge is the "Visit Source" which describes if the website visit record was generated from somewhere other than the user navigating in the browser. Visit sources can be:
- Synced – synchronised from another device
- Extension – added by an extension
- Imported – imported from another browser
Identifying if a website visit was synchronised from another device can be extremely important in providing context to the browser history.
Local Files
On a Windows computer, files that are opened via Windows Explorer get logged in the Internet Explorer history database (WebCacheV01.dat). These records can be easily identified as the URL will start with file:///. Being able to review what files were opened by a user can be a useful addition to any investigation.
Cache
The cache is where web browsers temporarily store files from visited web pages, in order to load the web page faster on subsequent visits.
Cached Images
Images that are displayed on a web page get stored by the browser. Alongside the image file the browser will store metadata such as the URL of the image. Some points to consider when analysing cached images:
- It's common for an image to be hosted on a different domain to the website it was displayed on. For example, images displayed on twitter.com may be loaded from pbs.twimg.com. Therefore, identifying the website an image was viewed on can sometimes be difficult.
- Images may not have been loaded directly by the web page a user has visited. For example, they may have been loaded by an advert embedded within the web page.
Cached HTML
Depending on the HTTP headers returned by a web page, the actual HTML of the web page may get stored by the browser. The HTML on its own isn’t that useful, but it can be used in combination with other files stored in the cache to rebuild the web page, allowing it to be viewed in the state it was originally seen by the user. This can be a great insight into what the user was viewing in the browser at that point in time.
Searches
The phrases a user has been searching for online can be extremely useful in understanding the intent of the user’s web browsing. For example, it’s harder for a user to claim they accidentally clicked a link to a website, if they were actively searching for the particular topic of the website beforehand.
Chromium based browsers such as Google Chrome and Microsoft Edge explicitly store the searches carried out on the most popular websites. We can also find searches a user has been making in any of the URLs recorded within the browser history. The search terms are often stored within the URL query string, and can be automatically parsed out to provide access to many more search terms.
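As an added example (not code from the original article), the following script parses search phrases out of history URLs as described above. The host-to-parameter table and the sample history lines are constructed assumptions for this example; verify the parameter names against each engine's current URL layout before relying on them.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string parameter that carries the search phrase, keyed by a label that
# appears in the engine's hostname (assumed values, constructed for this example).
KNOWN_ENGINES = [
    ("google", "q"),            # google.com, google.co.uk, ...
    ("bing", "q"),
    ("duckduckgo", "q"),
    ("yahoo", "p"),             # search.yahoo.com
    ("youtube", "search_query"),
]
# Parameter names to try for any other site; these are guesses, so mark them low confidence.
FALLBACK_PARAMS = ("q", "query", "search", "s")

def extract_search(url):
    """Return (host, search_term, confidence) or None if the URL carries no search term."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # parse_qs decodes %xx escapes and '+' for us. Some engines have historically
    # placed the query in the fragment (#q=...), so merge that in too.
    params = parse_qs(parts.query)
    params.update(parse_qs(parts.fragment))
    for label, name in KNOWN_ENGINES:
        if label in labels and name in params:
            return host, params[name][0].strip(), "high"
    for name in FALLBACK_PARAMS:
        if name in params:
            return host, params[name][0].strip(), "low"
    return None

def search_terms(urls):
    """Run extract_search over a list of history URLs, keeping only the hits."""
    return [hit for hit in (extract_search(u) for u in urls) if hit]

# Constructed sample history URLs (not real user data).
SAMPLE_HISTORY = [
    "https://www.google.co.uk/search?q=browser+forensics+tools&oq=browser",
    "https://www.bing.com/search?q=WebCacheV01.dat%20location",
    "https://duckduckgo.com/?q=sqlite+examiner&t=h_",
    "https://www.youtube.com/results?search_query=places.sqlite",
    "https://example.com/shop?s=running+shoes",   # unknown site, fallback parameter
    "https://example.com/about",                   # no search term at all
]

if __name__ == "__main__":
    for host, term, confidence in search_terms(SAMPLE_HISTORY):
        print(f"{confidence:>4}  {host:<20} {term}")
```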
Downloads
All browsers record the following information for each file downloaded:
- URL the file was downloaded from
- Local path the file was saved to
- Date/Time of the download
- Number of bytes downloaded and whether the download completed
Google Chrome and Microsoft Edge store the following additional data:
- The URL of the web page where the download was initiated from
- If the user opened the downloaded file from the web browser
Download history can be useful in various types of investigations including security incidents such as determining how malware may have originally infected a machine/network.
Timestamps
Most browser history artifacts will have one or more timestamps associated with them. These timestamps are usually stored as the units of time that have passed since a particular date (known as the epoch). For example, a common format used is the number of seconds that have passed since 01/01/1970 00:00:00 (known as Unix time).
Once a timestamp has been converted to a human readable format, it should be noted that the resulting time is in UTC. Converting all timestamps to your local time zone may make your investigation easier. Not only do we need to consider the time zone but also whether daylight saving time (DST) was in effect at that moment.
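As an added example (not code from the original article), the following converter goes beyond the Unix-time case in the text and handles the three epochs used by the main desktop browsers, then shifts the result into a named time zone with the DST flag reported. The epoch and unit values are facts about those browsers, not from the page; the sample raw values are constructed.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# (epoch, microseconds per stored unit). These are facts about each browser's
# history database, stated here as assumptions because the article does not list them:
#   Chromium (Chrome/Edge History): microseconds since 1601-01-01 UTC ("WebKit time")
#   Firefox (places.sqlite):        microseconds since 1970-01-01 UTC (Unix epoch)
#   Safari (History.db):            seconds since 2001-01-01 UTC ("Mac absolute time")
EPOCHS = {
    "chromium": (datetime(1601, 1, 1, tzinfo=timezone.utc), 1),
    "firefox":  (datetime(1970, 1, 1, tzinfo=timezone.utc), 1),
    "safari":   (datetime(2001, 1, 1, tzinfo=timezone.utc), 1_000_000),
    "unix":     (datetime(1970, 1, 1, tzinfo=timezone.utc), 1_000_000),
}

def to_utc(raw, browser):
    """Convert a raw stored timestamp to a timezone-aware UTC datetime.

    Work in integer microseconds so large Chromium values do not lose precision
    the way a float seconds division would.
    """
    epoch, unit = EPOCHS[browser]
    return epoch + timedelta(microseconds=round(raw * unit))

def to_local(raw, browser, tz_name):
    """Return (local datetime, dst_in_effect) for the raw timestamp in the given IANA zone."""
    local = to_utc(raw, browser).astimezone(ZoneInfo(tz_name))
    return local, local.dst() != timedelta(0)

# Constructed sample values, all representing 2023-01-01 00:00:00 UTC except the last,
# which is 2023-07-01 12:00:00 UTC (a summer instant, to show the DST difference).
SAMPLES = [
    ("chromium", 13317004800000000),
    ("firefox", 1672531200000000),
    ("safari", 694224000),
    ("firefox", 1688212800000000),
]

if __name__ == "__main__":
    for browser, raw in SAMPLES:
        local, dst = to_local(raw, browser, "Europe/London")
        print(f"{browser:<9} {raw:<18} UTC={to_utc(raw, browser).isoformat()} "
              f"local={local.isoformat()} dst={dst}")
```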
Chromium Apps
There are many desktop apps that use the Chromium browser engine in the background via frameworks such as Electron and WebView2. These apps generate similar artifacts as Chromium based web browsers such as Google Chrome and Microsoft Edge. We can therefore apply browser forensics techniques to analyse data from other types of desktop apps. These apps include Discord, Signal, Skype, Microsoft Teams and Slack.
File Location and Formats
An overview of where the main artifacts are stored and in which format can be found for each browser below:
Many browser artifacts are stored using known data formats such as SQLite, JSON, ESE, PLIST and LevelDB. It’s therefore possible to manually analyse browser artifacts using a combination of tools, for example using a tool such as SQLite Examiner to analyse the various SQLite databases.
We provide a number of specialist tools for performing web browser forensics: