Web Browser Forensics: Uncovering the Hidden Evidence in your Browser

A friend tells you, ‘Hey I was downloading some animation software the other day and now my computer is acting up! I keep seeing these advertisements that my computer is infected by a virus and that I need to install a virus removal tool. What shall I do?’. You suspect that your friend may have inadvertently downloaded some malicious software. But where has this software come from? Since when has this abnormal activity been seen? This is when you put on your Web Browser Forensics hat and work your magic.

This blog post gives you an introduction to the forensic artifacts generated by web browsers and their significance. Most of the activity we do on our computers involves using browsers. Web browsers store data about user activity by default, which come in handy during forensic investigations.

What are the significant web browser artifacts for digital forensics?

Here is a list of the web browser artifacts that play an important role during a forensic investigation:

Browser History: This includes the list of websites visited by a user, along with other information like: number of times a site had been visited, latest timestamp of when a site was visited, etc.

Downloads: This includes the list of files downloaded by the user. Information about the downloaded file, timestamp of when it was downloaded, folder location where it was downloaded to, etc. can be found.

Login Data: Have you noticed when you enter login credentials a window pops up asking if those credentials can be saved? In case the user has chosen to save login data, you can find that information. It gives insight into the websites a user has registered an account in.

Autofill Data: Every time you use a search engine or fill form data, that data is stored by web browsers.

Bookmarks: A user typically bookmarks frequently visited sites or ones they consider important to them.

Cookies: A cookie is an indicator that a user has visited a particular website.

Add-ons/Extensions: These are indicative of the customisations a user has performed on a web browser. It is useful to understand how a user may have utilised the browser.

Cache: Browsers typically store data in a cache to speed up processing. Looking through cache data may provide clues about recent browser activity.

Session Data: A session refers to browser related activity occurring over a particular time period.

How to approach web browser forensics in an investigation?

There are many web browsers available for use. The most commonly used ones are Google Chrome, Mozilla Firefox, Safari, Opera and Microsoft Edge.

All these browsers maintain the significant artifacts mentioned above, but they are all stored differently by each browser. The data may be stored in different paths on the computer, depending on the operating system.

For example, browser history data generated by Firefox is typically found at C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles on a Windows computer. History data generated by Chrome is typically found at C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History on a Windows computer.

History data generated by Firefox on a Linux-based computer, is typically found within a hidden folder called .mozilla in a user’s home directory.

There are many forensic tools available to acquire and parse web browser related artifacts from a system. In some cases, you may have to acquire the artifacts manually and process them. Let’s say you intend to look at Firefox data on a Windows computer. Manual acquisition typically involves taking a copy of the C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles folder. History data is typically stored as an SQLite database file. You can use an appropriate tool like DB Browser for SQLite to view the Firefox history. Within this database file, it is even possible to identify how many times a user had visited a website in the past.

Project Idea

Now you know what the significant web browser artifacts are. Depending on the browser type and operating system on which it is found, the location of the artifacts would vary. Wouldn’t it be easy to have a ‘list’ of locations in which browser artifacts can be found?

Your next project could be to create a Cheat Sheet for web browser artifacts. Here is a template idea for your cheat sheet.

ARTIFACTS Firefox Chrome Safari Opera
  • You can include the other relevant artifacts
  • Fill the template relevant to the three most used operating systems – Windows, Linux-based, Mac

Once your cheat sheet is ready, you can use it to uncover artifacts about the abnormal activity on your friend’s computer.

Want to learn practical Digital Forensics and Incident Response skills? Enrol in MDFIR - Certified DFIR Specialist