First, I want to thank the HackIT team for providing some good material for this post. This post is about browser artifacts. The main reason behind it is to explain the entries we can retrieve while working on a browser. I found many tools that will recover passwords, installed add-ons, downloads, cookies and more from a browser (mostly Firefox); here I am trying to explain the methods and the places to retrieve those details manually, without any self-prepared scripts but of course using a little handy tool.
Which browsers are mostly used, and why?
A web browser is a software application for retrieving, presenting and traversing information resources on the World Wide Web. Some of the common web browsers are Mozilla Firefox, Google Chrome, Internet Explorer and many more.
What kind of activities can we find from the browser artifacts?
Internet browsing history, keyword searches, usernames, passwords, e-mail IDs, downloads, user details entered in forms, profile-based user logins and installed add-ons.
How does it help in forensic investigations?
We can judge the suspect's ideology and their usage of the target machine from the history, keyword searches, chat history and more.
Where can we find them?
By default, installing the program creates entries under Program Files, and every user has their own profile in the user directories; the database files we are interested in live in those per-user profile directories.
Different browsers, different directories
Mozilla Firefox –….\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\
IE — index.dat, temp, cookies and history
What sort of data can be retrieved?
The Firefox profile files below are the main ones; where Chrome keeps the same kind of data, the Chrome file is given in the middle column.

| Firefox file | Chrome equivalent | What it holds |
|---|---|---|
| addons.sqlite | | Installed add-ons |
| chromeappsstore.sqlite | | DOM storage used by the browser's own privileged (chrome://) pages |
| downloads.sqlite | History | Downloads made by the browser (Chrome records downloads in its History file) |
| extensions.sqlite | | Installed extensions (add-ons, plug-ins) |
| formhistory.sqlite | Web Data | Values typed into web forms |
| permissions.sqlite | Quota Manager | Per-site permissions, e.g. for add-on installs, plug-ins and password saving |
| places.sqlite | History, Top Sites, Web Data | Browser activity: bookmarks, visits and the URLs of keyword searches |
| search.sqlite | | Search engine preferences |
| signons.sqlite | Login Data | Usernames and passwords saved by the browser (stored encrypted, not in the cache) |
| cert8.db | | Security certificates |
| key3.db | Login Data | Key used to encrypt the saved passwords in signons.sqlite |
| localstore.rdf | | Window and toolbar customizations, if any |
| mimeTypes.rdf | | Default actions for known file types |
| favicons | | Site icons (seen when saving a shortcut or a web page) |
| Top sites / thumbnails | | Thumbnails of frequently visited pages and the URLs they point to |
| bookmarkbackups | Bookmarks, Bookmarks.bak | Bookmark backups |
| minidumps | | Crash dumps generated when the browser crashes (most of the time empty) |
| cache, media cache, local storage | | Additional history-like traces |
For index.dat, history and other file analysis we can use third-party tools like Pasco; you can check it in coming articles.
What is SQLite?
SQLite is an embedded SQL database engine. It reads and writes directly to ordinary disk files: a complete SQL database with multiple tables, indices, triggers and views is contained in a single disk file. The file format is cross-platform, so a database can be freely copied between 32-bit and 64-bit systems; this is what lets us copy a browser's database files out of a profile and open them on another machine. SQLite is a popular database engine choice on memory-constrained devices such as smartphones, PDAs and MP3 players, and it is designed to be:
- Simple to administer
- Simple to operate
- Simple to embed in a larger program
- Simple to maintain and customize
For more details please visit
What is a BLOB?
While working with Chrome's files in SQLite I found that they had declared BLOB as the data type for the password column. BLOB is short for Binary Large OBject: a data type used to store arbitrary binary data such as images, audio or other multimedia objects. Originally "blob" was used as a term for moving large amounts of data from one database to another without filters or error correction. One caveat for analysis: on Windows the password BLOB in Chrome's Login Data is not plaintext but is encrypted with the Windows Data Protection API (DPAPI) under the logged-on user's credentials, so it can only be decrypted in the context of that user account.
For more details visit
What is .db?
Do not be confused by the .db extension: several unrelated file types use it. Here we mean a generic database file that stores data in a structured format, typically as tables with fields, field data types and field values. Such files can be created by various database programs and exported to other formats, such as .CSV, and may also be imported by multiple database programs.
For more details visit
What is .dat?
A generic data file created by a specific application and typically accessed only by that application; it may contain data in text or binary format, and text-based DAT files can be viewed in a text editor.
Pasco is a tool we can use to retrieve data from IE's index.dat files.
What is .json?
JSON (JavaScript Object Notation) is a plain-text format for structured data built from key/value objects and arrays, readable in any text editor; newer Firefox versions keep some profile data, such as saved logins (logins.json), in JSON files rather than SQLite databases.
To know more about JSON
Different tools used to determine the traces from the above-mentioned file types
There are many tools to retrieve the information, but so far I have used the tool listed below:
- SQLite Database Browser
How to use SQLite Manager?
SQLite Manager can be installed as a Firefox add-on; after installation you will find it under Tools > SQLite Manager.
We can also use the standalone SQLite Database Browser package.
It is used in much the same way as SQLite Manager, but it needs the dependent DLLs shipped in its folder in order to run. Either tool can create, add, retrieve and delete entries in the database tables; more details on SQLite usage will follow in coming posts.
Open the database files with the Open option. Work on a copy of each file, taken while the browser is closed: Firefox keeps its profile databases open (and locked) while it is running, and working on copies keeps the original evidence unchanged. In SQLite Manager the profile databases are listed in the drop-down list at the top, as shown in the figure, and the default path can be changed to a custom directory. Selecting a table in the left frame shows its rows, which can be duplicated, deleted and edited with the toolbar options (for analysis, only read them).
In the Execute SQL tab we can run custom SQL statements to query, create, edit or delete tables. User-defined functions can be added through the User-Defined Functions tab, which is hidden by default and appears on clicking the f(x) button.
To justify any activity found in the evidence, one important method is to check MAC times (Modified, Accessed and Created) together with event logs. Comparing the timestamps of the form history entries, the URLs visited and the login records lets us place the activity on a time schedule. Where a timestamp for the form history or another artifact cannot be retrieved, fall back to local system activity (file system MAC times and event logs) for that period.
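The queries you would type into the Execute SQL tab, and the timestamp comparison described above, as an added example (not code from the original post). It recreates a small subset of the real Firefox schema in memory (moz_places and moz_historyvisits from places.sqlite, moz_formhistory from formhistory.sqlite), fills it with constructed sample rows so it runs offline, and then extracts the visit history, the keyword searches hidden in search-engine URLs and the saved form values, merging them into one timeline. The function names and the sample data are this example's own; on a real case, pass copies of places.sqlite and formhistory.sqlite to open_profile_db().

```python
"""Query Firefox profile databases with SQL and line the results up on a
single timeline.  Added example, not code from the original post.  It
recreates a small subset of the real Firefox schema in memory (moz_places
and moz_historyvisits from places.sqlite, moz_formhistory from
formhistory.sqlite) and fills it with constructed sample rows, so it runs
offline; the function names and the sample data are this example's own.
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse


# Firefox stores visit_date, firstUsed and lastUsed as PRTime:
# microseconds since the Unix epoch, in UTC.
def prtime_to_utc(prtime):
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def utc_to_prtime(dt):
    return int(dt.timestamp() * 1_000_000)


# Places transition codes kept in moz_historyvisits.visit_type.
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 7: "download"}

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
CREATE TABLE form.moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT,
                                   timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT);
"""


def open_profile_db(places_path, formhistory_path):
    """Open (copies of) places.sqlite and formhistory.sqlite on one connection;
    the form history tables are then reachable as form.<table>."""
    conn = sqlite3.connect(places_path)
    conn.execute("ATTACH DATABASE ? AS form", (str(formhistory_path),))
    return conn


def _t(y, mo, d, h, mi, s):
    return utc_to_prtime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc))


def build_sample_db():
    """Constructed sample rows (not real evidence) in the real table layout."""
    conn = open_profile_db(":memory:", ":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places (id, url, title) VALUES (?, ?, ?)", [
        (1, "https://www.google.com/search?q=router+admin+password", "router admin password - Google Search"),
        (2, "http://192.168.1.1/login.html", "Router login"),
        (3, "https://example.org/tools/recovery.zip", "recovery.zip"),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, _t(2013, 5, 6, 9, 12, 5), 2),   # typed the search URL
        (2, 1, 2, _t(2013, 5, 6, 9, 13, 40), 1),  # followed a link from it
        (3, 0, 3, _t(2013, 5, 6, 9, 30, 0), 7),   # a download
    ])
    conn.executemany("INSERT INTO form.moz_formhistory VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, "username", "admin", 1, _t(2013, 5, 6, 9, 13, 55), _t(2013, 5, 6, 9, 13, 55), "guid-0001"),
    ])
    return conn


def history(conn):
    """Every visit, oldest first: (time UTC, url, title, transition)."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type
          FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
         ORDER BY v.visit_date""").fetchall()
    return [(prtime_to_utc(t), url, title, VISIT_TYPES.get(vt, str(vt)))
            for t, url, title, vt in rows]


def search_terms(conn):
    """Keyword searches recovered from search-engine URLs in the history."""
    terms = []
    for when, url, _title, _vt in history(conn):
        query = parse_qs(urlparse(url).query)
        for key in ("q", "p", "query"):   # q: Google/Bing, p: Yahoo
            if key in query:
                terms.append((when, query[key][0]))
                break
    return terms


def form_entries(conn):
    """Saved form values with their last-used time, oldest first."""
    rows = conn.execute("SELECT lastUsed, fieldname, value, timesUsed "
                        "FROM form.moz_formhistory ORDER BY lastUsed").fetchall()
    return [(prtime_to_utc(t), field, value, n) for t, field, value, n in rows]


def timeline(conn):
    """Merge visits and form entries so the two sources can be compared."""
    events = [(when, "visit", f"{url} [{vt}]") for when, url, _title, vt in history(conn)]
    events += [(when, "form", f"{field}={value}") for when, field, value, _n in form_entries(conn)]
    return sorted(events)


if __name__ == "__main__":
    db = build_sample_db()
    for when, kind, detail in timeline(db):
        print(when.isoformat(), kind, detail)
```

On the sample data the timeline reads: typed search for "router admin password", a visit to the router login page, the username "admin" saved from that page's form fifteen seconds later, then a download; that ordering is the kind of corroboration the MAC-time comparison above is looking for. Note that both PRTime columns and the converted values are UTC; convert to the suspect's local time zone only at reporting time, and say which zone you used.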
Backup / deletion of profile data
Users can always back up their entries (bookmarks, stored passwords and video files from the cache): copy the respective files from the profile and restore them afterwards, then restart the browser once the files have been replaced. The data is lost for good if the user's data folder is deleted along with the user account.
How to backup a user profile
chrome — http://www.chromium.org/developers/creating-and-using-profiles
Firefox — copy the files from the user profile path (with the browser closed) and restore them when needed
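The Firefox copy-and-restore procedure above, as an added example (not code from the original post) written the way an examiner would want it: the artifact files from the table are copied out of a closed profile together with their SQLite sidecar files, each copy is hashed so later alteration can be detected, and restore refuses to run if the backup no longer matches its hashes. The file list follows the table above; the manifest layout, the function names and the fake profile built by run_demo() are this example's own assumptions.

```python
"""Back up (collect) the artifact files of a Firefox profile with integrity
hashes and restore them later.  Added example, not code from the original
post; the file list is taken from the artifact table, while the manifest
format and the function names are this example's own choices.  Run it only
against a profile whose browser is closed, so the SQLite files are neither
locked nor half-written.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Profile files worth preserving (names as they appear on disk).
ARTIFACTS = [
    "places.sqlite", "formhistory.sqlite", "downloads.sqlite", "signons.sqlite",
    "key3.db", "cert8.db", "permissions.sqlite", "addons.sqlite",
    "extensions.sqlite", "search.sqlite", "localstore.rdf", "mimeTypes.rdf",
]
# SQLite keeps not-yet-checkpointed changes in these sidecar files; copying
# places.sqlite without places.sqlite-wal loses the most recent visits, so
# the sidecars are collected alongside the main file whenever they exist.
SIDECARS = ("-wal", "-shm", "-journal")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_profile(profile_dir, backup_dir):
    """Copy the artifacts (plus sidecars) into backup_dir and write a
    manifest.json of SHA-256 hashes so later changes can be detected.
    Returns the manifest as {filename: sha256}."""
    profile, backup = Path(profile_dir), Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in ARTIFACTS:
        for candidate in [name] + [name + s for s in SIDECARS]:
            src = profile / candidate
            if src.is_file():
                shutil.copy2(src, backup / candidate)  # copy2 keeps the mtime
                manifest[candidate] = sha256_of(backup / candidate)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_collection(backup_dir):
    """Return the names of collected files whose hash no longer matches."""
    backup = Path(backup_dir)
    manifest = json.loads((backup / "manifest.json").read_text())
    return [n for n, digest in manifest.items() if sha256_of(backup / n) != digest]


def restore_profile(backup_dir, profile_dir):
    """Copy the collected files back into a (closed) profile directory,
    refusing if the backup has been altered since it was taken."""
    backup, profile = Path(backup_dir), Path(profile_dir)
    bad = verify_collection(backup)
    if bad:
        raise ValueError(f"backup altered since collection: {bad}")
    manifest = json.loads((backup / "manifest.json").read_text())
    for name in manifest:
        shutil.copy2(backup / name, profile / name)
    return sorted(manifest)


def run_demo():
    """Exercise the functions on a throw-away fake profile made of
    constructed bytes (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "abcd1234.default"
        profile.mkdir()
        (profile / "places.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)
        (profile / "places.sqlite-wal").write_bytes(b"visits not yet checkpointed")
        (profile / "key3.db").write_bytes(b"fake key database")
        (profile / "unrelated.txt").write_bytes(b"not an artifact, skipped")
        backup = Path(tmp) / "backup"
        manifest = collect_profile(profile, backup)
        clean = verify_collection(backup)
        restored = Path(tmp) / "restored.default"
        restored.mkdir()
        restored_files = restore_profile(backup, restored)
        (backup / "places.sqlite").write_bytes(b"tampered after collection")
        tampered = verify_collection(backup)
        return {"collected": sorted(manifest), "clean": clean,
                "restored": restored_files, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

copy2 is used rather than copy so the file modification times survive the copy; the hashes in manifest.json are what you would record in your notes, and a later run of verify_collection() on the backup folder shows whether anything has changed since.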
How this works for a normal user
These methods can also be used to recover data from a profile you can no longer log in to, such as an administrator's profile or another user's profile, provided you can read the profile folder; administrators sometimes leave router web UI passwords in the saved form and login data.
There are also tools that give you these details in a single click; one of them is FirePassword from SecurityXploded.
Comments and suggestions are welcome; if there are any new points to be included, please comment.