One of the most common pieces of software used on a computer is the web browser. This tool is used every day for many different tasks: browsing the web, social media, email, shopping, streaming media, research, banking, and gaming. A web browser is vital in forensic investigations as it stores a ton of data (browsing history, cookies, cache files, bookmarks, saved credentials and downloaded files) that can be valuable in the investigation.
It is important to know what the most common web browsers are as they are the ones that dominate the market share.
Google Chrome
Mozilla Firefox
Apple Safari
Microsoft Edge
Opera
Internet Explorer
Even though these browsers dominate the market share, you must also know that other browsers exist.
Brave
Vivaldi
Tor Browser
Arc
Pale Moon
Waterfox
Epic Privacy Browser
These browsers have a niche market share and are more focused on privacy, customization, or performance.
While conducting a forensic investigation, we must always determine which browser a user actually used. Nothing should be assumed, as an assumption would not hold up in a legal proceeding. The first place to look is the Windows Prefetch, which increases the efficiency of the Windows OS by optimizing the loading times of frequently used applications. Windows Prefetch only stores the last 128 applications that were used. The Windows Prefetch can be found at C:\Windows\Prefetch. Prefetch does not show usage user by user; it covers the entire system. So, if multiple users use the system, this information will not be 100% accurate.
Download NirSoft WinPrefetchView.
User-specific information related to application execution can be found in the ntuser.dat file for each user profile. This file is located at \Users\<username>\ntuser.dat. A tool called UserAssistView can quickly help us determine which browser(s) a user uses.
Once we've identified the browsers a user frequently uses, our next step in forensic investigation is to delve into their online activity. One of the most valuable sources of information is the browsing history. Browsing history keeps track of all the websites a user has visited, preserving this data for some time.
When you visit a web page, your browser temporarily stores files on your computer in a cache. This helps reduce bandwidth usage, server load, and lag. When you revisit a web page, these stored items can be quickly loaded from the cache instead of downloading them again.
We will focus on the most popular browsers, as covering every one would take more time than we have. The top three browsers that run on Windows are Google Chrome (~66% market share), Microsoft Edge (~13% market share), and Mozilla Firefox (~7% market share); together they cover almost 86% of the total market share. Also, recall that Microsoft Edge is now based on Chromium.
Mozilla Firefox history is stored in an SQLite database file named places.sqlite. Firefox has a directory called cache2 to store cache data, and both items can be found at:
C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>
Download MZCacheView.
Microsoft Edge history is stored in an SQLite database file named History. The Cache subdirectory is also in the same location, and both items can be found at:
C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default
Download IECacheView.
Google Chrome history is stored in an SQLite database file named History. The Cache subdirectory is also in the same location, and both items can be found at:
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default
Download ChromeCacheView.
Now that we've grasped where the history and cache files are located, let's explore this data further. There are several tools available for analyzing this information. Below, I've included several tools that you should practice using to be more efficient in their usage.
There are specific tools that you can use for Firefox or Chrome, but BrowsingHistoryView is a single tool that can provide you with the needed information. It can read the data from the most popular web browsers and display this information in an easy-to-read table. The table includes the following information:
Visited URL
Title
Time of Visit
Number of Visits
The Web Browser Used
User Profile
Download BrowsingHistoryView.
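The same fields can be read directly from a working copy of the history database. The following is an added example, not part of the original article or of any NirSoft tool: it opens the copy read-only, joins the URL and visit tables, and converts the stored timestamps to UTC. The function names, the "family" argument and the sample database are constructed for illustration.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Both families store visit times as microseconds, but from different epochs.
EPOCHS = {
    "chromium": datetime(1601, 1, 1, tzinfo=timezone.utc),  # Chrome/Edge History
    "firefox": datetime(1970, 1, 1, tzinfo=timezone.utc),   # Firefox places.sqlite
}
QUERIES = {
    "chromium": "SELECT v.visit_time, u.url, u.title, u.visit_count "
                "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time",
    "firefox": "SELECT v.visit_date, p.url, p.title, p.visit_count "
               "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
               "ORDER BY v.visit_date",
}

def read_history(db_path, family):
    """Return [(visit time in UTC, url, title, visit_count)], oldest first."""
    # mode=ro + immutable=1: SQLite neither writes to nor locks the evidence copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(QUERIES[family]).fetchall()
    finally:
        con.close()
    return [(EPOCHS[family] + timedelta(microseconds=ts), url, title, count)
            for ts, url, title, count in rows]

def build_sample_chromium_db(path):
    """Constructed sample: only the History columns this example queries."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/login', 'Example Login', 2);
        INSERT INTO visits VALUES (1, 1, 13350000000000000), (2, 1, 13350000060000000);
    """)
    con.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "History")
        build_sample_chromium_db(db)
        return read_history(db, "chromium")

if __name__ == "__main__":
    for when, url, title, count in demo():
        print(when.isoformat(), url, title, count)
```

Run it against a copy of the database taken from the image, never the live profile, because a running browser keeps the file locked and may still be writing to it.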
Cookies are tiny bits of data that websites store for the web browser's use. Cookies have several different uses, but we would be interested in the ones that help with session management (store login credentials, user preference, and login state). These cookies can help determine a user's online activities and websites visited.
Utilities that you can use to view cookies:
People perform all types of Internet searches. Even though most people say, "Just Google that," there are a lot of other search engines besides Google, and some focus on privacy. Some of the most common search engines used today are:
Bing
Yahoo!
DuckDuckGo
Yandex (Russian search engine)
Baidu (Chinese search engine)
Naver (South Korean search engine)
It is crucial to determine what a user has performed Internet searches for, as this can help provide evidence in a case. The search history can also provide context for other digital evidence that might be collected during the investigation.
The MyLastSearch utility will scan the history and cache folders and locate all the search queries a user has completed on the most popular search engines and social media platforms.
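Search terms can also be recovered by hand from the URLs in the browsing history, since each engine carries the query in a URL parameter. The following is an added example, not MyLastSearch's own logic and not from the original article: the hostname matching is a heuristic, and the parameter table and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption of this example: engine label in the hostname -> query-string
# parameter that holds the search terms. Engines can change these over time.
ENGINE_PARAMS = {
    "google": "q", "bing": "q", "duckduckgo": "q", "yahoo": "p",
    "yandex": "text", "baidu": "wd", "naver": "query",
}

def extract_search(url):
    """Return (engine, search terms) for a search-results URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    labels = parts.hostname.lower().split(".")
    for engine, param in ENGINE_PARAMS.items():
        if engine in labels:
            # parse_qs decodes %XX escapes and '+', and drops blank values.
            values = parse_qs(parts.query).get(param)
            if values and values[0].strip():
                return engine, values[0].strip()
    return None

def searches_from_history(urls):
    """Keep only the history entries that are searches, in their original order."""
    return [hit for hit in map(extract_search, urls) if hit]

# Constructed sample URLs, not taken from any real case.
SAMPLE_HISTORY = [
    "https://www.google.com/search?q=how+to+clear+browser+history&hl=en",
    "https://www.bing.com/search?q=wipe%20free%20space",
    "https://search.yahoo.com/search?p=prefetch+folder",
    "https://duckduckgo.com/?q=tor+browser&ia=web",
    "https://yandex.ru/search/?text=%D0%BF%D0%BE%D0%B3%D0%BE%D0%B4%D0%B0",
    "https://www.baidu.com/s?wd=%E5%A4%A9%E6%B0%94",
    "https://search.naver.com/search.naver?query=%EB%82%A0%EC%94%A8",
    "https://www.google.com/maps",                 # search engine, no query
    "https://example.com/?q=not-a-search-engine",  # 'q' on an unrelated site
]

if __name__ == "__main__":
    for engine, terms in searches_from_history(SAMPLE_HISTORY):
        print(f"{engine}: {terms}")
```

Because the match is on a hostname label, treat each hit as a lead to confirm against the full URL and its visit time.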