Browser Usage
History and Download History
Description: History and Download History records websites visited by date and time.
Location:
Firefox
Chrome/Edge
Interpretation:
Web browser artifacts are stored for each local user account
Most browsers also record the number of times visited (frequency)
Look for multiple profiles in Chromium browsers, including “Default”, and “Profile1”, etc.
Media History
Description: Media History tracks media usage (audio and video played) on visited websites (Chromium browsers).
Location:
Chrome/Edge
Interpretation:
Three primary tables: playback session, origin, playback
Includes URLs, last play time, watch time duration, and last video position
Not clear when other history data is cleared
Auto-Complete Data
Description: Many databases store data that a user has typed into the browser.
Location:
Firefox
Chrome/Edge
Items typed into web forms
Items typed in the Chrome URL address bar (Omnibox)
Records what was typed, letter by letter
Interpretation:
Stores inputted user credentials
Includes typed-in data, as well as data types
Connects typed data and knowledge to a user account
Browser Preferences
Description: Configuration data associated with the browser application, including privacy settings and synchronization preferences.
Location:
Firefox
Chrome/Edge
Interpretation:
Firefox prefs.js shows the sync status, last sync time, and artifacts selected to sync
Chrome uses JSON format
per_host_zoom_levels, media-engagement, and site_engagement can help to show user interaction
Contains synchronization status, last sync time and artifacts selected to syn
Edge preferences include account_info, clear_data_on_exit, and sync settings
Cache
Description: The cache is where web page components can be stored locally to speed up subsequent visits.
Location:
Firefox Firefox 31-
Firefox 32+
Chrome/Edge
Interpretation:
It gives the investigator a “snapshot in time” of what a user was looking at online.
Identifies websites which were visited
Provides the actual files the user viewed on a given website
Similar to all browser artifacts, cached files are tied to a specific local user account
Timestamps show when the site was first saved and last viewed
Bookmarks
Description: Bookmarks include default items and those the user chose to save for future reference.
Location:
Firefox 3+
Chrome/Edge
Interpretation:
Provides the website of interest and the specific URL that was saved
Firefox bookmark backup folder can contain multiple backup copies of bookmarks in JSON format.
Chromium Bookmark files are in JSON format.
Note: not all bookmarks are user-generated; it is possible to bookmark a site and never visit it
Stored Credentials
Description: Browser-based credential storage typically uses Windows DPAPI encryption. If the login account is a Microsoft Cloud account in Windows 10 or 11, DPAPI uses a 44-character randomly generated password in lieu of the account password.
Location:
Firefox
Chrome/Edge
Interpretation:
Firefox stores the hostname and URL, creation time, last used time, times used, and time of last password change in JSON format.
Chromium-based browsers use an SQLite database, including the origin URL, action URL, username, date created, and date last used.
Credential metadata can be available even if actual credentials are encrypted. Actual credentials are easiest to retrieve on a live system with the user account logged in.
Browser Downloads
Description: Modern browsers include built-in download manager applications capable of keeping a history of every file downloaded by the user. This browser artifact can provide excellent information about websites visited and corresponding items downloaded.
Location:
Firefox 3-25
Firefox 26+
Chrome/Edge
Downloads and download_url_chains tables Interpretation Download metadata includes:
Filename, size, and type
Source website and referring page
Download start and end times
The file system saves the location
State information, including success and failure
Extensions
Description: Browser functionality can be extended through extensions or browser plugins.
Location:
Firefox 4-25
Firefox 26+
Chrome/Edge
Interpretation:
The newer Firefox JSON format stores more information than in older versions
Extension name, installation source, installation time, last update, and plugin status
Chrome/Edge extensions each have their folder on the local system, named with a GUID, containing the code and metadata.
The creation time of the folder indicates the installation time for the extension. Beware that extensions can be synced across devices affecting the interpretation of this timestamp.
A manifest.json file provides plugin details, including name, URL, permissions, and version.
The preferences file can also include additional extension data
Session Restore
Description: Automatic crash recovery features are built into the browser.
Location:
Firefox (older versions)
Firefox (newer versions)
Chrome/Edge (older versions)
Restore files = Current Session, Current Tabs, Last Session, Last Tabs Chrome/Edge (newer versions)
Interpretation:
Historical websites viewed in each tab
Referring websites
Time session started or ended
HTML, JavaScript, XML, and form data from the page
Other artifacts, such as transition type, browser window size and pinned tabs
Cookies
Description: Cookies provide insight into what websites have been visited and what activities might have occurred there.
Location:
Firefox
Chrome/Edge
Last updated