Internet Evidence

01
Understanding browsers
Topics 02
Distinguish locations that store web browsing artefacts.

2 27-Feb-23
 Understanding
01

browsers
3 27-Feb-23
Understanding
browsers

Understanding browsers
• A user can use a program or application to access websites

• The best browser is an ongoing debate and can be a very personal choice for a user.

• The user has options to personalize the browser to enhance their experience

• As a result, this creates many artifacts that any digital forensic investigator can use to
recreate the user's activity.

PG. 4 27-Feb-23
Suggested Browser Workflow

Web AutoFill/
Downloa Bookmar Session
History/ Login Cache Cookies Webkit
ds ks Data
Visits Data

PG. 5 27-Feb-23
Understanding
browsers

Exploring Google Chrome

• Google Chrome was released in 2008 and was very popular with users.

• It provided a fast and efficient user experience and experienced very few exploits.

PG. 6 27-Feb-23
Understanding
browsers

Understanding bookmarks
• The first artifact we will look at is the user's bookmarks.

• The bookmarks allow the user to save web pages they find interesting and may give
insight into the user's activity. Chrome stores its bookmarks in a plain text JavaScript
Object Notation (JSON) file named Bookmarks
• You can find the bookmarks file at the following path:

%USERS%/AppData/Local/Google/Chrome/User Data/Default/Bookmarks

PG. 7 27-Feb-23
Understanding
browsers

Understanding bookmarks

PG. 8 27-Feb-23
Understanding
browsers

Understanding bookmarks
• Here, we can see the following fields:

• Date added
• Last visited desktop
• The name of the bookmark
• The URL

PG. 9 27-Feb-23
Understanding
browsers

Understanding the Chrome history file

• The Google Chrome history file will be found at the following path:

%USERS%/AppData/Local/Google/Chrome/User Data/

SQLite database named : History

PG. 10 27-Feb-23
Understanding
browsers

Understanding the Chrome history file

• The history database contains quite a lot of information about the user's activity:

• Downloads
• Search terms that the user entered using the URL address bar.
• Typed URLs will track the URLs the user typed into the address bar.
• History

PG. 11 27-Feb-23
Understanding
browsers

Cookies
• A cookie is a file created by a website and stored on the user's system.
• Cookies are designed to track the user's activity, such as adding an item to a shopping
cart or recording the pages the user has visited.
• The Google Chrome cookie file can be found at the following path:

%USERS%/AppData/Local/Google/Chrome/User Data/Default
SQLite database named : Cookies stored in the profile folder

PG. 12 27-Feb-23
Understanding
browsers

Cookies

PG. 13 27-Feb-23
Understanding
browsers

Cookies

PG. 14 27-Feb-23
Understanding
browsers

Cache
Chrome stores its cache in three different folder locations, all of which are in the user
profile folder. Therefore, for the default profile the cached content is stored in the following
locations:
\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache\
\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\GPUCache\
\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Media Cache\
Chrome Cache View converts the data into a readable format.

PG. 15 27-Feb-23
Section name

Passwords
• Passwords can be key to unlocking files or encryption.
• User's previously used passwords can be a treasure trove of information.
• Chrome has the option for a user to save passwords.
• You will find the password information in the Logon Data file, which can be found at
the following path:

%USERS%/AppData/Local/Google/Chrome/User Data/Default

PG. 16 27-Feb-23
Understanding
browsers

Exploring Internet Explorer/Microsoft Edge (Legacy)

• Internet Explorer was the web browser of the Microsoft Windows operating system.

• Windows since 1995

• Current Version is the Edge browser based on Chromium

PG. 17 27-Feb-23
Understanding
browsers

Bookmarks
• Internet Explorer saves bookmarks in a URL format.

• The default path Internet Explorer keeps the bookmarks in is as follows:

%USER%/Favorites

PG. 18 27-Feb-23
Understanding
browsers

IE history
• Internet Explorer will track the user's activity for 20 days. This is the default setting and
can be changed by the user.

• Edge and Internet Explorer version 10 and higher use an ESE database called
WebCacheV01.dat that can be found at the following path:

%User%\AppData\Local\Microsoft\Windows\WebCache

PG. 19 27-Feb-23
Guess what! IE History also records local file access!

Does not
mean file
was opened
in browser

Entries are show in the WebCacheV01.dat file as: Visited: [……]@file:///D:/surveyDAY.pptx

Understanding
browsers

IE history

PG. 21 27-Feb-23
Understanding
browsers

IE history

PG. 22 27-Feb-23
Understanding
browsers

Cache
• The WebCacheV01.dat file we analyzed in the IE history section also handles the cache
files.

• ESEDatabaseViewer
• Internet Explorer Cache Viewer

PG. 23 27-Feb-23
Understanding
browsers

Cache

PG. 24 27-Feb-23
Understanding
browsers

Cache
• The system stores these files in the following path(s):

• For a Windows 7-based system:

%USER%/AppData/Local/Microsoft/Windows/Temporary Internet Files\Content.IE5

• For a Windows 8/10-based system:

%USERS%/AppData/LocalLow/Microsoft/Windows/AppCache

• For the Microsoft Edge browser:

%USER%/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/AC

PG. 25 27-Feb-23
Understanding
browsers

Cookies
• Edge and Internet Explorer save the cookie files as simple text files.

• WebCacheV01.dat also tracks the cookie files

PG. 26 27-Feb-23
Understanding
browsers

Cookies

PG. 27 27-Feb-23
Understanding
browsers

Cookies
• The cookie files are stored in the following path(s):

• For Internet Explorer:

%USER%/AppData/Roaming/Microsoft/Windows/Cookies/

• For Microsoft Edge:

%USER%/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/AC/Micro
softEdge/Cookies

PG. 28 27-Feb-23
Understanding
browsers

Exploring Firefox
• Firefox is an open source browser developed by the Mozilla foundation.

• Mozilla released Firefox in 2004 and is a browser you may encounter during your
investigations.

PG. 29 27-Feb-23
Understanding
browsers

Profiles
• One feature offered by Firefox is the use of multiple profiles.

• A user has the option to create multiple profiles for the browser to segregate their
activity.

• The path where you can find the profiles is as follows:

%USER%/AppData/Local/Mozilla/Firefox

PG. 30 27-Feb-23
Understanding
browsers

Cache
• Firefox stores the cache files under each profile.

• The file path will remain the same, as we discussed in the previous section:

%USER%/AppData/Local/Mozilla/Firefox/Profiles/%Profile%

PG. 31 27-Feb-23
Understanding
browsers

Cookies
• Firefox uses a SQLite database to store this information.

• You can find the cookie database at the following path:

%USER%/AppData/Roaming/Mozilla/Firefox/Profiles/%Profile%

PG. 32 27-Feb-23
Understanding
browsers

History
• Mozilla Firefox tracks the browser history in the SQLite database file called
places.sqlite.

• You can find the history database at the following path:

%USER%/AppData/Roaming/Mozilla/Firefox/Profiles/%Profile%

PG. 33 27-Feb-23
Understanding
browsers

History

PG. 34 27-Feb-23
Understanding
browsers

History

PG. 35 27-Feb-23
Understanding
browsers

Passwords
• Firefox uses two files, key#.db and logins.json, to store the passwords in an encrypted
format

• You can find the files at the following path:

%USER%/AppData/Roaming/Mozilla/Firefox/Profiles/%Profile%

PG. 36 27-Feb-23
Understanding
browsers

Passwords

PG. 37 27-Feb-23
Understanding
browsers

Bookmarks
• Mozilla Firefox saves the user's bookmarks in an SQLite database file : places.sqlite.

• You can find the database file at the following path:

%USER%/AppData/Roaming/Mozilla/Firefox/Profiles/%Profile%

PG. 38 27-Feb-23
Understanding
browsers

Bookmarks

PG. 39 27-Feb-23
Cloud computing

Summary
• We have focused on what artifacts may be created by the user as they use a web
browser.

PG. 40 27-Feb-23
 Thanks
00

PG. 41 27-Feb-23