Downloads

Description: Firefox and IE have built-in download manager applications which keep a history of every file downloaded by the user. Although Google Chrome doesn't have a seperate download manager, the structure of their history database makes it simple to track file downloads. These browser artifacts can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading from them.

Location:
Firefox:

  • Firefox 3 - 25:
    • C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
  • Firefox 26+:
    • C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite

Internet Explorer:

  • Internet Explorer 8 - 9:
    • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\
  • Internet Explorer 10 - 11:
    • C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Chrome

  • C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History

Notes: Depending on the web browser you are analyzing, download managers may include a wealth of information assciated with a file download:

  • File Name, File Size, File Type, and the File Save Location
  • Download URL and HTTP Referer URL
  • Download Start and End Times

Analysis: Modern web browsers store data related to browsing history within databases located on the local file system. We can reference these databases to learn about a users browsing habits.

Firefox stores it's browser information inside of SQLite databases. We can use DB Browser for SQLite to open the databases and review their structure. I'm running Firefox 75 so my download history is stored within the places.sqlite database. To review my download history, let's load my places.sqlite database within DB Browser for SQLite and take note of following tables that contain information related to download history: moz_anno_attributes, moz_annos, and moz_places.



Navigate to Browse Data and select moz_anno_attributes from the table dropdown. The id describes the meta-data captured by the next table: moz_annos.



Select moz_annos from the table dropdown. The meta-data referenced by moz_anno_attributes can be seen in the content column. This table identifies the file name, file size, file type and the directory the file was downloaded too. To continue the analysis, notate the decimal value of place_id and select moz_places from the table down. Search for the id referenced in the previous dataset to find even more data related to the file download, including the download url, website title, file host, and vist count of the referenced site.



Google Chrome also stores it's browsing history within an SQLite database and perhaps unsurprisingly it's one of easiest web browsers to analyze in addition to boasting one of the most complete data-set. Simply load Google Chrome's History database within DB Browser for SQLite and select downloads from the table dropdown. This database contains almost every piece of meta-data you could ask for when analyzing browsing history.



The versions of Internet Explorer that you are most likely to encounter, IE 10 - 11, store their browser information inside of an ESE database. Unfortunately, the database isn't structured in a way that makes it easy to navigate with a tool like Nirsoft's ESEDatabaseView. Instead I found it simplier to rely on another Nirsoft utility: BrowsingHistoryView to parse the data found within WebCacheV01.dat.

Using BrowsingHistoryView, we can analyze the WebCacheV01.dat file. Unfortunatly even with this utility organizing the ESE database, there are still a number of key meta-data fields missing from our output that assist us with identifying file downloads, specifically the Visit Type field that would normally notate downloads. We may still be able to spot file downloads by reviewing the URL but we can't identify it as quickly as we could if downloads were properly notated.



To illistrate the ideal output for BrowsingHistoryView, lets compare our previous results with the same Firefox SQLite database we analyzed manually earlier. Notice how the value of Visit Type is Download. We can utilize that field to quickly filter for only Downloaded files, improving the speed of our investigation.