HackTricks
Search…
Pentesting
Powered By GitBook
Browser Artifacts

Browsers Artefacts

When we talk about browser artefacts we talk about, navigation history, bookmarks, list of downloaded files, cache data…etc.
These artefacts are files stored inside of specific folders in the operating system.
Each browser stores its files in a different place than other browsers and they all have different names, but they all store (most of the time) the same type of data (artefacts).
Let us take a look at the most common artefacts stored by browsers.
    Navigation History : Contains data about the navigation history of the user. Can be used to track down if the user has visited some malicious sites for example
    Autocomplete Data : This is the data that the browser suggest based on what you search the most. Can be used in tandem with the navigation history to get more insight.
    Bookmarks : Self Explanatory.
    Extensions and Addons : Self Explanatory.
    Cache : When navigating websites, the browser creates all sorts of cache data (images, javascript files…etc) for many reasons. For example to speed loading time of websites. These cache files can be a great source of data during a forensic investigation.
    Logins : Self Explanatory.
    Favicons : They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited.
    Browser Sessions : Self Explanatory.
    Downloads :Self Explanatory.
    Form Data : Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
    Thumbnails : Self Explanatory.

Firefox

Firefox use to create the profiles folder in ~/.mozilla/firefox/ (Linux), in /Users/$USER/Library/Application Support/Firefox/Profiles/ (MacOS), %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\ (Windows). Inside this folder, the file profiles.ini should appear with the name(s) of the used profile(s). Each profile has a "Path" variable with the name of the folder where it's data is going to be stored. The folder should be present in the same directory where the profiles.ini exist. If it isn't, then, probably it was deleted.
Inside the folder of each profile (~/.mozilla/firefox/<ProfileName>/) path you should be able to find the following interesting files:
    places.sqlite : History (moz_places), bookmarks (moz_bookmarks), and downloads (moz_annos). In windows the tool BrowsingHistoryView can be used to read the history inside places.sqlite.
      Query to dump history: select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
        Note that the link type is a number that indicates:
          1: User followed a link
          2: User wrote the URL
          3: User used a favorite
          4: Loaded from Iframe
          5: Accessed via HTTP redirect 301
          6: Accessed via HTTP redirect 302
          7: Downloaded file
          8: User followed a link inside an Iframe
      Query to dump downloads: SELECT datetime(lastModified/1000000,'unixepoch') AS down_date, content as File, url as URL FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id;
    bookmarkbackups/ : Bookmarks backups
    formhistory.sqlite : Web form data (like emails)
    handlers.json : Protocol handlers (like, which app is going to handle mailto:// protocol)
    persdict.dat : Words added to the dictionary
    addons.json and extensions.sqlite : Installed addons and extensions
    cookies.sqlite : Contains cookies. MZCookiesView can be used in Windows to inspect this file.
    cache2/entries or startupCache : Cache data (~350MB). Tricks like data carving can also be used to obtain the files saved in the cache. MozillaCacheView can be used to see the files saved in the cache.
    Information that can be obtained:
      URL, fetch Count, Filename, Content type, FIle size, Last modified time, Last fetched time, Server Last Modified, Server Response
    favicons.sqlite : Favicons
    prefs.js : Settings and Preferences
    downloads.sqlite : Old downloads database (now it's inside places.sqlite)
    thumbnails/ : Thumbnails
    logins.json : Encrypted usernames and passwords
    Browser’s built-in anti-phishing: grep 'browser.safebrowsing' ~/Library/Application Support/Firefox/Profiles/*/prefs.js
      Will return “safebrowsing.malware.enabled” and “phishing.enabled” as false if the safe search settings have been disabled
    key4.db or key3.db : Master key ?
In order to try to decrypt the master password you can use https://github.com/unode/firefox_decrypt With the following script and call you can specify a password file to bruteforce:
brute.sh
1
#!/bin/bash
2
3
#./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
4
passfile=$1
5
while read pass; do
6
echo "Trying $pass"
7
echo "$pass" | python firefox_decrypt.py
8
done < $passfile
Copied!

Google Chrome

Google Chrome creates the profile inside the home of the user ~/.config/google-chrome/ (Linux), in C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ (Windows), or in /Users/$USER/Library/Application Support/Google/Chrome/ (MacOS). Most of the information will be saved inside the Default/ or ChromeDefaultData/ folders inside the paths indicated before. Inside here you can find the following interesting files:
    History : URLs, downloads and even searched keywords. In Windows you can use the tool ChromeHistoryView to read the history. The "Transition Type" column means:
      Link: User clicked on a link
      Typed: The url was written
      Auto Bookmark
      Auto Subframe: Add
      Start page: Home page
      Form Submit: A form was filled and sent
      Reloaded
    Cookies : Cookies. ChromeCookiesView can be used to inspect the cookies.
    Cache : Cache. In Windows you can use the tool ChromeCacheView to inspect the ca
    Bookmarks : Bookmarks
    Web Data : Form History
    Favicons : Favicons
    Login Data : Login information (usernames, passwords...)
    Current Session and Current Tabs : Current session data and current tabs
    Last Session and Last Tabs : These files hold sites that were active in the browser when Chrome was last closed.
    Extensions/ : Extensions and addons folder
    Thumbnails : Thumbnails
    Preferences: This file contains a plethora of good information such as plugins, extensions, sites using geolocation, popups, notifications, DNS prefetching, certificate exceptions, and much more. If you’re trying to research whether or not a specific Chrome setting was enabled, you will likely find that setting in here.
    Browser’s built-in anti-phishing: grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences
      You can simply grep for “safebrowsing” and look for {"enabled: true,"} in the result to indicate anti-phishing and malware protection is on.

SQLite DB Data Recovery

As you can observe in the previous sections, both Chrome and Firefox use SQLite databases to store the data. It's possible to recover deleted entries using the tool sqlparse or sqlparse_gui.

Internet Explorer 11

Internet Explorer stores data and metadata in different locations. The metadata will allow to find the data.
The metadata can be found in the folder%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data where VX can be V01, V16 o V24. In the previous folder you can also find the file V01.log. In case the modified time of this file and the WebcacheVX.data file are different you may need to run the command esentutl /r V01 /d to fix possible incompatibilities.
Once recovered this artifact (It's an ESE database, photorec can recover it with the options Exchange Database or EDB) you can use the program ESEDatabaseView to open it. Once opened, go to the table "Containers".
Inside this table you can find in which other tables or containers each part of the stored information is saved. Following that you can find the locations of the data stored by the browsers and metadata about that data inside the .
Note that this table indicate also metadadata of the cache of other Microsoft tools also (e.g. skype)

Cache

You can use the tool IECacheView to inspect the cache. You need to indicate the folder where you have extracted the cache date.

Metadata

The metadata information about the cache stores:
    Filename in the disc
    SecureDIrectory: Location of the file inside the cache directories
    AccessCount: Number of times it was saved in the cache
    URL:The url origin
    CreationTime: First time it was cached
    AccessedTime: Time when the cache was used
    ModifiedTime: Last webpage version
    ExpiryTime: Time when the cache will expire

Files

The cache information can be found in %userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 and %userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low
The information inside these folders is a snapshot of what the user was seeing. The caches has a size of 250 MB and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS).

Cookies

You can use the tool IECookiesView to inspect the cookies. You need to indicate the folder where you have extracted the cookies.

Metadata

The metadata information about the cookies stores:
    Cookie name in the filesystem
    URL
    AccessCount: Number of times the cookies has been sent to terhe serv
    CreationTime: First time the cookie was created
    ModifiedTime: Last time the cookie was modifued
    AccessedTime: Last time the cookie was accesed
    ExpiryTime: Time of expiration of the cookie

Files

The cookies data can be found in %userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies and %userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low
Session cookies will reside in memory and persistent cookie in the disk.

Downloads

Metadata

Checking the tool ESEDatabaseView you can find the container with the metadata of the downloads:
Getting the information of the column "ResponseHeaders" you can transform from hex that information and obtain the URL, the file type and the location of the downloaded file.

Files

Look in the path %userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory

History

The tool BrowsingHistoryView can be used to read the history. But first you need to indicate the browser in advanced options and the location of the extracted history files.

Metadata

    ModifiedTime: First time a URL is found
    AccessedTime: Last time
    AccessCount: Number of times accessed

Files

Search in userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5 and userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5

Typed URLs

This information can be found inside the registry NTDUSER.DAT in the path:
    Software\Microsoft\InternetExplorer\TypedURLs
      Stores the last 50 URLs typed by the user
    Software\Microsoft\InternetExplorer\TypedURLsTime
      last time the URL was typed

Microsoft Edge

For analyzing Microsoft Edge artifacts all the explanations about cache and locations from the previous section (IE 11) remain valid with the only difference that the base locating in this case is %userprofile%\Appdata\Local\Packages (as can be observed in the following paths):
    Profile Path: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC
    History, Cookies and Downloads: C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
    Settings, Bookmarks, and Reading List: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
    Cache: C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache
    Last active sessions: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Safari

The databases can be found in /Users/$User/Library/Safari
    History.db: The tables history_visits and history_items contains information about the history and timestamps.
      sqlite3 ~/Library/Safari/History.db "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id"
    Downloads.plist: Contains the info about the downloaded files.
    Book-marks.plist: URLs bookmarked.
    TopSites.plist: List of the most visited websites that the user browses to.
    Extensions.plist: To retrieve an old-style list of Safari browser extensions.
      plutil -p ~/Library/Safari/Extensions/Extensions.plist| grep "Bundle Directory Name" | sort --ignore-case
      pluginkit -mDvvv -p com.apple.Safari.extension
    UserNotificationPermissions.plist: Domains that are allowed to push notifications.
      plutil -p ~/Library/Safari/UserNotificationPermissions.plist | grep -a3 '"Permission" => 1'
    LastSession.plist: Tabs that were opened the last time the user exited Safari.
      plutil -p ~/Library/Safari/LastSession.plist | grep -iv sessionstate
    Browser’s built-in anti-phishing: defaults read com.apple.Safari WarnAboutFraudulentWebsites
      The reply should be 1 to indicate the setting is active

Opera

The databases can be found in /Users/$USER/Library/Application Support/com.operasoftware.Opera
Opera stores browser history and download data in the exact same format as Google Chrome. This applies to the file names as well as the table names.
    Browser’s built-in anti-phishing: grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences
      fraud_protection_enabled should be true
Last modified 1mo ago