Browser Artifacts
Description: Web browsers leave behind browsing artifacts that can be utilized to profile a user browsing habits.
Location:
Internet Explorer
- Internet Explorer 8 - 9:
- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
- Internet Explorer 10 - 11:
- C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
- C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox
- Firefox 3-25:
- C:\Users\<username>\AppData\Roaming\Mozilla\ Firefox\Profiles\
.default\downloads.sqlite
- C:\Users\<username>\AppData\Roaming\Mozilla\ Firefox\Profiles\
- Firefox 26+:
- C:\Users\<username>\AppData\Roaming\Mozilla\ Firefox\Profiles\
.default\places.sqliteTable:moz_annos
- C:\Users\<username>\AppData\Roaming\Mozilla\ Firefox\Profiles\
Chrome
- C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History
Notes: Many sites in history will list the files that were opened from remote sites and downloaded to the local system. History will record the access to the file on the website that was accessed via a link.
Analysis: Modern web browsers store data related to
browsing history within databases located on the local file system. We can reference these databases to learn about a users browsing habits.
Rather than referencing multiple utilities to parse multiple database structures, we can use Nirsoft's BrowsingHistoryView to analyze browsing artifacts from multiple web browsers at once to simplify our analysis. Launch BrowsingHistoryView --> Configure the length of your query --> Select Load history from the specified history files --> Select the ellipses button to open a new dialog box --> Specify the file locations of the databases you would to analyze.
Some important data-points we can collect from BrowsingHistoryView's analysis include the URL, Visit Time, Visit Count and Visit Type.
