Browser Forensics – DFIR Workflow & Cheatsheet

Quick Reference: Investigation Priority Matrix

| Priority | Artifact            | Key Questions Answered               | Volatility |
|----------|---------------------|--------------------------------------|------------|
| HIGH     | History & Downloads | What sites? When? What files?        | Medium     |
| HIGH     | Session Restore     | Active tabs at incident time?        | High       |
| HIGH     | Cache               | What content viewed? Screenshots?    | Medium     |
| MEDIUM   | Cookies             | Session data? Authentication?        | Low        |
| MEDIUM   | Auto-Complete Data  | What was searched/typed?             | Low        |
| MEDIUM   | Stored Credentials  | What accounts accessed?              | Low        |
| LOW      | Bookmarks           | Sites of interest (may never visit)  | Very Low   |
| LOW      | Extensions          | Capabilities added? Malicious?       | Very Low   |


Investigation Workflow

Phase 1: Initial Triage (High Priority)

Goal: Establish timeline and user activity scope

1.1 Browser History & Download History

What it tells you: Websites visited, frequency, downloaded files, timeline

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ Check ALL profiles (Default, Profile1, Profile2, etc.)

  • ✓ Visit frequency indicates user interest/habit

  • ✓ Download metadata: filename, size, source URL, referring page

  • ✓ Check both downloads and download_url_chains tables (Chromium)

  • ✓ Cross-reference with filesystem timestamps

SQLite Tables to Query (Chromium History database):

  • urls - one row per distinct URL (title, visit_count, typed_count, last_visit_time)

  • visits - individual visit records with visit_time, from_visit (the referring visit) and transition (how the navigation happened)

  • downloads - download metadata (target_path, start/end time, received/total bytes, state, referrer, tab_url)

  • download_url_chains - redirect chain per download; chain_index 0 is the URL the user clicked, the highest index is the URL actually fetched

  • Firefox equivalent is places.sqlite: moz_places (URLs), moz_historyvisits (visit_date, from_visit, visit_type), moz_annos (download destination and metadata annotations)
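The queries and timestamp conversions described above, as an added example (not code from the original cheatsheet). It joins visits to urls to recover each visit's referring visit and decodes the transition field, joins downloads to their redirect chains, and converts Chromium's microseconds-since-1601 timestamps (and, for comparison, Firefox PRTime) to UTC. The database it runs against is a constructed in-memory SQLite file carrying a subset of the real History schema; on evidence, hash the file, copy it, and pass sqlite3.connect(copy_path) to the same functions.

```python
"""Chromium History triage: urls/visits/downloads/download_url_chains with correct timestamps.

Added example, not from the original cheatsheet. Runs against a constructed in-memory
database (subset of the real History schema); on evidence, hash and copy the file first.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores microseconds since 1601-01-01 UTC (same epoch as FILETIME, which counts
# 100 ns ticks instead). Firefox places.sqlite uses PRTime: microseconds since 1970-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_utc(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)


# visits.transition: low byte = core type, high bits = qualifier flags (ui::PageTransition).
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x00800000: "BLOCKED", 0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x04000000: "HOME_PAGE", 0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT"}


def describe_transition(t: int) -> str:
    core = CORE_TRANSITIONS.get(t & 0xFF, f"UNKNOWN({t & 0xFF})")
    quals = [name for bit, name in QUALIFIERS.items() if t & bit]
    return core + (f" [{','.join(quals)}]" if quals else "")


def history_timeline(conn: sqlite3.Connection) -> list:
    """Every visit in time order, with how the user got there (transition + referring visit)."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition,
               (SELECT u2.url FROM visits v2 JOIN urls u2 ON u2.id = v2.url
                 WHERE v2.id = v.from_visit) AS referrer
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [{"time": webkit_to_utc(t).isoformat(), "url": url, "title": title,
             "transition": describe_transition(tr), "from": ref}
            for t, url, title, tr, ref in rows]


def download_records(conn: sqlite3.Connection) -> list:
    """Downloads joined to their redirect chain (first URL = clicked, last = actually fetched)."""
    chains = {}
    for did, _idx, url in conn.execute(
            "SELECT id, chain_index, url FROM download_url_chains ORDER BY id, chain_index"):
        chains.setdefault(did, []).append(url)
    out = []
    for did, target, start, recv, total, state, referrer, tab_url in conn.execute(
            "SELECT id, target_path, start_time, received_bytes, total_bytes, state, "
            "referrer, tab_url FROM downloads ORDER BY start_time"):
        out.append({"target": target, "start": webkit_to_utc(start).isoformat(),
                    "complete": state == 1 and recv == total,   # downloads.state 1 = COMPLETE
                    "bytes": recv, "chain": chains.get(did, []),
                    "referrer": referrer, "tab_url": tab_url})
    return out


def build_sample_history() -> sqlite3.Connection:
    """Constructed sample (subset of the Chromium History schema), not a real capture."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                           typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                                received_bytes INTEGER, total_bytes INTEGER, state INTEGER,
                                referrer TEXT, tab_url TEXT, mime_type TEXT);
        CREATE TABLE download_url_chains (id INTEGER, chain_index INTEGER, url TEXT);""")
    base = 13354122600000000  # 2024-03-05 14:30:00 UTC in WebKit microseconds
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://portal.example.test/", "Portal", 1, 1, base, 0),
        (2, "https://cdn.example.test/invoice.exe", "", 1, 0, base + 45_000_000, 0)])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, base, 0, 0x30000001, 30_000_000),       # TYPED in the omnibox; chain start+end
        (2, 2, base + 45_000_000, 1, 0x30000000, 0)])  # LINK clicked from visit 1
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)",
                 (1, r"C:\Users\alice\Downloads\invoice.exe", base + 46_000_000, 1048576, 1048576,
                  1, "https://portal.example.test/", "https://portal.example.test/",
                  "application/x-msdownload"))
    conn.executemany("INSERT INTO download_url_chains VALUES (?,?,?)", [
        (1, 0, "https://portal.example.test/dl?id=9"),     # URL the user clicked
        (1, 1, "https://cdn.example.test/invoice.exe")])   # final URL after redirect
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_history()
    for row in history_timeline(db) + download_records(db):
        print(row)
```

The `from` field of each visit (resolved through visits.from_visit) is what lets you walk backwards from a malicious download to the page that served the link, and the chain shows whether the URL the user saw and the URL that delivered the file were the same host.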


1.2 Session Restore Files

What it tells you: Active browser state at crash/incident time

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • HIGHLY VOLATILE - Capture early in investigation

  • ✓ Shows tabs open at time of incident/crash

  • ✓ Includes referring URLs (how user got there)

  • ✓ May contain form data, JavaScript state

  • ✓ Browser window configuration (size, pinned tabs)

  • ✓ Tab transition types reveal navigation method
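Firefox keeps its session restore data in sessionstore-backups/recovery.jsonlz4 (and previous.jsonlz4) in the mozlz4 container described later in this page's notes. The following is an added example, not code from the original cheatsheet: a pure-Python decoder for that container (8-byte magic, 4-byte little-endian size, one raw LZ4 block), followed by extraction of the URL each open tab was showing, its back/forward list and recently closed tabs from the session JSON. The sample session at the bottom is constructed, and its LZ4 block is built literal-only just to produce a valid file offline; the decoder also handles real compressed blocks with matches.

```python
"""Decode a Firefox sessionstore backup (sessionstore-backups/recovery.jsonlz4) offline.

Added example, not from the original cheatsheet. Firefox "mozlz4" files are an 8-byte magic
"mozLz40\\0", a 4-byte little-endian decompressed size, then one raw LZ4 block, so ordinary
lz4 tools reject them. The session at the bottom is constructed, not a real capture.
"""
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Raw LZ4 block: [token][literals][offset LE16][match ext]...; the last sequence is literals only."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:                       # extended literal length: add bytes until one is not 255
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        if i + lit_len > n:
            raise ValueError("corrupt LZ4 block: literals run past end of input")
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:                              # final sequence carries no match
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: match offset outside output")
        match_len = (token & 0x0F) + 4          # minimum match is 4 bytes
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):              # byte-wise so overlapping matches (offset < length) work
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError(f"decompressed {len(out)} bytes, header promised {expected_size}")
    return bytes(out)


def mozlz4_decompress(blob: bytes) -> bytes:
    if blob[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file (bad magic)")
    (size,) = struct.unpack_from("<I", blob, 8)
    return lz4_block_decompress(blob[12:], size)


def session_tabs(session: dict) -> dict:
    """URL each open tab showed (tab['index'] is 1-based into its back/forward entries) plus closed tabs."""
    result = {"open": [], "closed": []}
    for win in session.get("windows", []):
        for tab in win.get("tabs", []):
            entries = tab.get("entries", [])
            if not entries:
                continue
            idx = min(max(tab.get("index", len(entries)) - 1, 0), len(entries) - 1)
            result["open"].append({"url": entries[idx].get("url"), "title": entries[idx].get("title"),
                                   "back_forward": [e.get("url") for e in entries]})
        for closed in win.get("_closedTabs", []):
            entries = closed.get("state", {}).get("entries", [])
            if entries:
                result["closed"].append({"url": entries[-1].get("url"),
                                         "closedAt_ms": closed.get("closedAt")})  # ms since Unix epoch
    return result


def parse_session_file(blob: bytes) -> dict:
    return session_tabs(json.loads(mozlz4_decompress(blob).decode("utf-8")))


def _lz4_literal_only_block(data: bytes) -> bytes:
    """Build a valid, uncompressed LZ4 block; used only to construct the sample file."""
    if len(data) < 15:
        return bytes([len(data) << 4]) + data
    rem, ext = len(data) - 15, bytearray()
    while rem >= 255:
        ext.append(255)
        rem -= 255
    ext.append(rem)
    return b"\xf0" + bytes(ext) + data


SAMPLE_SESSION = {"windows": [{"selected": 1, "tabs": [          # constructed, not a real session
    {"index": 2, "entries": [{"url": "https://portal.example.test/", "title": "Portal"},
                             {"url": "https://portal.example.test/dl?id=9", "title": "Download"}]},
    {"index": 1, "entries": [{"url": "https://mail.example.test/", "title": "Mail"}]}],
    "_closedTabs": [{"closedAt": 1709649000000,
                     "state": {"entries": [{"url": "https://paste.example.test/x", "title": "paste"}]}}]}]}


def build_sample_recovery_jsonlz4() -> bytes:
    payload = json.dumps(SAMPLE_SESSION).encode("utf-8")
    return MOZLZ4_MAGIC + struct.pack("<I", len(payload)) + _lz4_literal_only_block(payload)


if __name__ == "__main__":
    print(json.dumps(parse_session_file(build_sample_recovery_jsonlz4()), indent=2))
```

Note that the current URL of a tab is entries[index - 1], not the last entry: a user who pressed Back leaves later entries in the list, which is exactly the kind of navigation detail the text above refers to.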


Phase 2: Content Analysis (Medium Priority)

Goal: Understand what content user actually viewed

2.1 Cache Files

What it tells you: Actual webpage content, images, media viewed

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ Provides "snapshot in time" of viewed content

  • ✓ Recover actual images, videos, documents

  • ✓ Timestamps: first cached AND last viewed

  • ✓ Can reconstruct pages even if history cleared

  • ✓ Tied to specific local user account

  • ✓ Use specialized tools (NirSoft ChromeCacheView, MZCacheView)


2.2 Media History (Chromium Only)

What it tells you: Audio/video played on websites

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ Three primary tables: playback, playbackSession, origin

  • ✓ URLs of media played

  • ✓ Watch time duration

  • ✓ Last video position (where user stopped)

  • ✓ Last play time

  • ⚠️ Unclear persistence when other history cleared


Phase 3: User Behaviour & Intent (Medium Priority)

Goal: Understand user searches, inputs, and interests

3.1 Auto-Complete Data

What it tells you: User searches, form inputs, typed URLs

Firefox Locations:

Chrome/Edge Locations - By Data Type:

Search Terms:

Web Form Data:

Omnibox (URL Bar) Entries:

Keystroke-Level Recording:

Login Credentials:

Key Investigation Points:

  • ✓ Shows user knowledge and intent

  • ✓ Connects typed data to user account

  • ✓ Search terms reveal investigation targets

  • ✓ Network Action Predictor (network_action_predictor table: user_text, url, number_of_hits) stores partially typed omnibox text against the URL the user ended up on, so it preserves address-bar input the user never finished or submitted

  • ✓ Form data may include PII, credentials


3.2 Cookies

What it tells you: Session data, authentication tokens, tracking

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ Confirms website visits

  • ✓ Session authentication tokens

  • ✓ User preferences and settings

  • ✓ Tracking/advertising IDs

  • ✓ Creation and expiration times

  • ✓ May persist after history clearing


Phase 4: Configuration & Credentials (Low-Medium Priority)

Goal: Understand browser setup and account access

4.1 Stored Credentials

What it tells you: Saved usernames/passwords for websites

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ⚠️ Chrome/Edge: passwords in Login Data are AES-256-GCM encrypted (value prefix v10) with a per-profile key stored in Local State (os_crypt.encrypted_key) that is itself protected by Windows DPAPI; rows from before Chrome 80 may still be raw DPAPI blobs

  • ⚠️ Firefox: logins.json is encrypted with a key held in key4.db (NSS), not DPAPI; an optional primary password protects that key and blocks offline decryption without it

  • ✓ Firefox: JSON format with hostname, formSubmitURL, timeCreated, timeLastUsed, timePasswordChanged, timesUsed

  • ✓ Chrome/Edge: SQLite with origin_url, username_value, date_created, date_last_used

  • ⚠️ Win 10/11 signed in with a Microsoft account: the DPAPI master key is protected by a random 44-character password held by the OS rather than the password the user types, so offline decryption with the known login password fails

  • ✓ Metadata (site, username, timestamps) is readable even when the password values cannot be decrypted

  • Best retrieved on live system with user logged in, because DPAPI decrypts transparently in that user's context

  • ✓ Shows accounts user accessed


4.2 Browser Preferences

What it tells you: Privacy settings, sync status, user engagement

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ Firefox: Sync status, last sync time, artifacts synced

  • ✓ Chrome/Edge: JSON format

    • per_host_zoom_levels - sites where the user changed zoom (implies deliberate, repeated use)

    • media-engagement - Media interaction scores

    • site_engagement - Overall site interaction score, decaying over time, so a high score means recent and frequent use

  • ✓ Edge: account_info, clear_data_on_exit, sync settings

  • ✓ Privacy settings (anti-tracking, cookie policies)

  • Sync can move artifacts across devices - check timestamps carefully


Phase 5: Supporting Artifacts (Low Priority)

5.1 Bookmarks

What it tells you: Sites of interest (not necessarily visited)

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ JSON format: Chromium Bookmarks file (plain JSON) and Firefox bookmarkbackups (.jsonlz4); live Firefox bookmarks are rows in places.sqlite (moz_bookmarks joined to moz_places)

  • ✓ Shows intent/interest, not necessarily activity

  • ⚠️ Not all bookmarks are user-generated (defaults exist)

  • ⚠️ Can bookmark without visiting

  • ✓ Firefox: Multiple backup copies in bookmarkbackups folder

  • ✓ Check .bak files for deleted bookmarks


5.2 Extensions & Add-ons

What it tells you: Added capabilities, potential malware vector

Firefox Locations:

Chrome/Edge Locations:

Key Investigation Points:

  • ✓ Firefox: Name, source, install time, last update, status

  • ✓ Chrome/Edge: each extension lives in a folder named by its 32-character ID (letters a-p only; not a GUID), with one subfolder per installed version

    • ID folder creation time ≈ first installation time; version subfolder timestamps reflect updates

    • manifest.json = name (may be a __MSG_*__ key resolved via _locales), version, permissions/host_permissions, update_url (store-installed extensions point at the vendor's update service; its absence suggests an unpacked or sideloaded extension)

  • ✓ Check Preferences/Secure Preferences (extensions.settings.<id>) for install_time, from_webstore, granted_permissions and install path

  • ⚠️ Extensions can sync across devices (affects timestamp interpretation)

  • ✓ Look for suspicious permissions (screen capture, keylogging, etc.)

  • ✓ Cross-reference with known malicious extensions
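A way to do the permission review above in bulk, as an added example that is not part of the original cheatsheet: walk an Extensions/ folder, verify each folder name is a well-formed 32-character a-p extension ID, and flag manifests that request broad host access or high-impact APIs, or that carry no store update_url. The HIGH_RISK_PERMISSIONS set is this example's own judgement, not a Chrome classification, and the sample tree it builds is constructed.

```python
"""Triage Chromium extension folders from their manifest.json.

Added example, not from the original cheatsheet. Walks Extensions/<id>/<version>/manifest.json,
checks the folder name is a well-formed extension ID, and flags permissions and host patterns
that grant broad read/control of browsing. HIGH_RISK_PERMISSIONS is this example's own list.
"""
import json
import re
import tempfile
from pathlib import Path

EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")   # Chromium IDs: 32 chars, alphabet a-p (hex digits mapped to letters)
STORE_UPDATE_URLS = {"https://clients2.google.com/service/update2/crx",          # Chrome Web Store
                     "https://edge.microsoft.com/extensionwebstorebase/v1/crx"}  # Edge Add-ons
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy", "debugger",
                         "cookies", "history", "tabs", "scripting", "clipboardRead", "desktopCapture",
                         "tabCapture", "nativeMessaging", "management", "downloads", "privacy"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect host match patterns from MV2 (`permissions`), MV3 (`host_permissions`) and content scripts."""
    pats = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    pats.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def triage_manifest(ext_id: str, manifest: dict) -> dict:
    findings = []
    if not EXTENSION_ID_RE.match(ext_id):
        findings.append("folder name is not a valid extension ID")
    risky = sorted(set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if host_patterns(manifest) & BROAD_HOST_PATTERNS:
        findings.append("host/content-script access to all sites")
    update_url = manifest.get("update_url")
    if not update_url:
        findings.append("no update_url: not installed from a store (unpacked or sideloaded)")
    elif update_url not in STORE_UPDATE_URLS:
        findings.append("third-party update_url: " + update_url)
    return {"id": ext_id, "name": manifest.get("name"),      # name may be a __MSG_*__ key (see _locales/)
            "version": manifest.get("version"), "manifest_version": manifest.get("manifest_version"),
            "findings": findings}


def triage_extensions_dir(root: Path) -> list:
    results = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):   # one subfolder per installed version
            rec = triage_manifest(ext_dir.name, json.loads(manifest_path.read_text(encoding="utf-8")))
            rec["path"] = str(manifest_path)
            results.append(rec)
    return results


def build_sample_extensions_dir() -> Path:
    """Constructed Extensions/ tree: a benign store extension, an over-privileged sideload, a bad folder name."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": ("1.2.3_0", {
            "manifest_version": 3, "name": "Notes", "version": "1.2.3", "permissions": ["storage"],
            "update_url": "https://clients2.google.com/service/update2/crx"}),
        "ponmlkjihgfedcbaponmlkjihgfedcba": ("0.9_0", {
            "manifest_version": 2, "name": "Helper", "version": "0.9",
            "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "cookies"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}),
        "unpacked-helper": ("1.0", {
            "manifest_version": 3, "name": "Debug", "version": "1.0", "permissions": ["debugger"],
            "host_permissions": ["https://*/*"]}),
    }
    for ext_id, (version, manifest) in samples.items():
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for rec in triage_extensions_dir(build_sample_extensions_dir()):
        print(rec["id"], rec["name"], rec["findings"])
```

Run it against a copied profile with `triage_extensions_dir(Path(copy) / "Extensions")` and then confirm anything it flags against the extensions.settings entries in Preferences/Secure Preferences, which record install time and whether the extension came from the store.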


Critical Investigation Tips

Multi-Profile Awareness

Timestamp Interpretation

Data Persistence Hierarchy

Anti-Forensics Detection

Live System vs. Dead Disk


Essential DFIR Tools

SQLite Browsers

  • DB Browser for SQLite - View/query .sqlite files

  • SQLite Forensic Explorer - Deleted record recovery

Browser-Specific Tools

  • Hindsight - Chrome/Chromium timeline analysis

  • NirSoft BrowsingHistoryView - Multi-browser history

  • NirSoft ChromeCacheView - Cache file extraction

  • NirSoft MZCacheView - Firefox cache extraction

  • Firefox Forensics Toolkit

Comprehensive Suites

  • Magnet AXIOM - Full browser artifact processing

  • X-Ways Forensics - Browser artifact templates

  • Autopsy - Open-source browser modules

  • KAPE - Browser artifact collection targets

Manual Analysis


Quick Command Reference

Identify Browser Profiles

Collect All Browser Artifacts (PowerShell)

Hash Browser Databases (Before Analysis)


Investigation Checklist

Initial Response

  • [ ] Identify all user accounts on system

  • [ ] Identify all browsers installed

  • [ ] Document current date/time and timezone

  • [ ] Check if users currently logged in (live system)

  • [ ] Capture volatile session restore files FIRST

Data Collection

  • [ ] Collect all browser profiles (not just Default)

  • [ ] Hash all databases before opening

  • [ ] Document sync settings and last sync times

  • [ ] Check for browser backup/cleaning tools

  • [ ] Capture browser process memory (if live)

Analysis

  • [ ] Establish baseline timeline from history

  • [ ] Correlate downloads with filesystem artifacts

  • [ ] Cross-reference cookies with history

  • [ ] Check auto-complete for searches related to incident

  • [ ] Review extensions for malicious/suspicious capabilities

  • [ ] Analyse session restore for incident timeframe

  • [ ] Examine cache for evidence of viewed content

Reporting

  • [ ] Timeline of relevant browsing activity

  • [ ] Downloads tied to incident

  • [ ] Search terms indicating intent

  • [ ] Websites accessed related to case

  • [ ] Evidence of anti-forensics

  • [ ] Account credentials discovered

  • [ ] Screenshots/content from cache


File Path Environment Variables


Notes & Gotchas

  1. Chrome/Edge Timestamp Format: microseconds since January 1, 1601 UTC (WebKit/Chrome time). Same epoch as Windows FILETIME, but FILETIME counts 100-nanosecond ticks, so divide a FILETIME by 10 before comparing. Firefox places.sqlite uses PRTime: microseconds since January 1, 1970 UTC; Firefox cookies.sqlite mixes seconds (expiry) and microseconds (creationTime, lastAccessed)

  2. Firefox JSONLZ4 (sessionstore backups, bookmark backups): 8-byte magic mozLz40\0, 4-byte little-endian decompressed size, then one raw LZ4 block; standard lz4 tools reject it, so use a mozlz4-aware decoder

  3. DPAPI Encryption: Tied to user account; decrypt on live system while logged in

  4. Profile Sync: Can move artifacts between devices - verify device origin

  5. Private/Incognito: writes no history, cookie or cache artifacts to the profile on disk, but files downloaded and bookmarks created in a private window do persist; otherwise fall back to RAM, pagefile/hiberfil, DNS cache, proxy and network logs

  6. Extensions Storage: Some extensions have their own databases with user data

  7. Service Workers: May cache data outside standard cache locations

  8. Browser Version Matters: Artifact locations change between major versions

  9. Chromium Variants: Brave, Opera, Vivaldi use similar structures to Chrome

  10. Mobile Browsers: Different artifact locations (not covered here)

