# Browser Artifacts


## Browsers Artifacts <a href="#id-3def" id="id-3def"></a>

Browser artifacts include navigation history, bookmarks, the list of downloaded files, cache data, and so on.

These artifacts are files stored inside specific folders in the operating system.

Each browser stores its files in a different place than other browsers and they all have different names, but they all store (most of the time) the same type of data (artifacts).

Let us take a look at the most common artifacts stored by browsers.

* **Navigation History:** Contains data about the navigation history of the user. It can be used, for example, to check whether the user has visited malicious sites.
* **Autocomplete Data:** This is the data that the browser suggests based on what you search for the most. Can be used in tandem with the navigation history to get more insight.
* **Bookmarks:** Self Explanatory.
* **Extensions and Add-ons:** Self Explanatory.
* **Cache:** When navigating websites, the browser creates all sorts of cache data (images, JavaScript files, etc.) for many reasons, for example to speed up the loading time of websites. These cache files can be a great source of data during a forensic investigation.
* **Logins:** Self Explanatory.
* **Favicons:** They are the little icons found in tabs, URLs, bookmarks and the like. They can be used as another source of information about the websites or places the user visited.
* **Browser Sessions:** Self Explanatory.
* **Downloads**: Self Explanatory.
* **Form Data:** Anything typed inside forms is oftentimes stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
* **Thumbnails:** Self Explanatory.
* **Custom Dictionary.txt**: Words added to the dictionary by the user.

## Firefox

Firefox creates the profiles folder in ***\~/.mozilla/firefox/*** (Linux), in ***/Users/$USER/Library/Application Support/Firefox/Profiles/*** (MacOS), or in ***%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\*** (Windows).\
Inside this folder, the file ***profiles.ini*** should appear with the name(s) of the user profile(s).\
Each profile has a "**Path**" variable with the name of the folder where its data is going to be stored. The folder should be **present in the same directory where *profiles.ini* exists**. If it isn't, it was probably deleted.

Inside the folder **of each profile** (*\~/.mozilla/firefox/\<ProfileName>/*) you should be able to find the following interesting files:

* ***places.sqlite*** : History (moz\_places), bookmarks (moz\_bookmarks), and downloads (moz\_annos). In Windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used to read the history inside ***places.sqlite***.
  * Query to dump history: `select datetime(last_visit_date/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;`
    * Note that `visit_type` is a number that indicates:
      * 1: User followed a link
      * 2: User wrote the URL
      * 3: User used a favorite
      * 4: Loaded from Iframe
      * 5: Accessed via HTTP redirect 301
      * 6: Accessed via HTTP redirect 302
      * 7: Downloaded file
      * 8: User followed a link inside an Iframe
  * Query to dump downloads: `SELECT datetime(lastModified/1000000,'unixepoch') AS down_date, content as File, url as URL FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id;`
* ***bookmarkbackups/*** : Bookmarks backups
* ***formhistory.sqlite*** : **Web form data** (like emails)
* ***handlers.json*** : Protocol handlers (like, which app is going to handle *mailto://* protocol)
* ***persdict.dat*** : Words added to the dictionary
* ***addons.json*** and ***extensions.sqlite*** : Installed addons and extensions
* ***cookies.sqlite*** : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) can be used in Windows to inspect this file.
* ***cache2/entries*** or ***startupCache*** : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html) can be used to see the **files saved in the cache**.

  Information that can be obtained:

  * URL, fetch Count, Filename, Content type, File size, Last modified time, Last fetched time, Server Last Modified, Server Response
* ***favicons.sqlite*** : Favicons
* ***prefs.js*** : Settings and Preferences
* ***downloads.sqlite*** : Old downloads database (now it's inside places.sqlite)
* ***thumbnails/*** : Thumbnails
* ***logins.json*** : Encrypted usernames and passwords
* **Browser’s built-in anti-phishing:** `grep 'browser.safebrowsing' ~/Library/Application\ Support/Firefox/Profiles/*/prefs.js`
  * Will return “safebrowsing.malware.enabled” and “phishing.enabled” as false if the safe search settings have been disabled
* ***key4.db*** or ***key3.db*** : Master key?
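The history query above, worked through as an added example (not part of the original page): it reads one row per visit, converts the microsecond timestamps to UTC and decodes `visit_type` with the table listed above. The in-memory database is a constructed sample with only the columns used here, and it reads `moz_historyvisits.visit_date` (the time of each visit) instead of `last_visit_date`; `open_evidence` is a hypothetical helper for opening a working copy of a real `places.sqlite` without writing to it.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# visit_type meanings as listed on this page
VISIT_TYPES = {
    1: "followed link", 2: "typed URL", 3: "bookmark", 4: "iframe load",
    5: "redirect 301", 6: "redirect 302", 7: "download", 8: "link inside iframe",
}

# One row per visit: moz_historyvisits.visit_date is the time of each visit,
# while moz_places.last_visit_date only keeps the most recent one.
QUERY = """
SELECT v.visit_date, v.visit_type, p.url, p.title, p.visit_count
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date
"""

def open_evidence(path):
    """Open a working copy of places.sqlite read-only so it is never modified."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)

def prtime_to_utc(microseconds):
    """Firefox timestamps are microseconds since 1970-01-01 UTC."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=microseconds)).strftime("%Y-%m-%d %H:%M:%S")

def history_timeline(conn):
    """Return one dict per visit, oldest first, with visit_type decoded."""
    timeline = []
    for visit_date, visit_type, url, title, count in conn.execute(QUERY):
        timeline.append({
            "when_utc": prtime_to_utc(visit_date),
            "how": VISIT_TYPES.get(visit_type, f"unknown ({visit_type})"),
            "url": url, "title": title, "visit_count": count,
        })
    return timeline

def build_sample():
    """Constructed sample data; not a full Firefox schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://mail.example.test/inbox', 'Inbox', 2, 1700000120000000),
            (2, 'https://files.example.test/invoice.zip', NULL, 1, 1700000060000000);
        INSERT INTO moz_historyvisits VALUES
            (1, 1, 1700000000000000, 2),
            (2, 2, 1700000060000000, 7),
            (3, 1, 1700000120000000, 99);
    """)
    return conn

if __name__ == "__main__":
    for row in history_timeline(build_sample()):
        print(row["when_utc"], row["how"], row["url"])
```

For a real case, pass `open_evidence("/path/to/copy/places.sqlite")` to `history_timeline` instead of the sample connection.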

To try to decrypt the master password, you can use <https://github.com/unode/firefox_decrypt>\
With the following script and call you can specify a password file to brute force:

{% code title="brute.sh" %}

```bash
#!/bin/bash

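# Usage: ./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
passfile="$1"
# Read the wordlist line by line, keeping backslashes and surrounding spaces intact
while IFS= read -r pass; do
  echo "Trying $pass"
  # Feed the candidate master password to firefox_decrypt.py on stdin
  echo "$pass" | python firefox_decrypt.py
done < "$passfile"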
```

{% endcode %}

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(417\).png)

## Google Chrome

Google Chrome creates the profile inside the home of the user, in ***\~/.config/google-chrome/*** (Linux), in ***C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\*** (Windows), or in ***/Users/$USER/Library/Application Support/Google/Chrome/*** (MacOS).\
Most of the information will be saved inside the ***Default/*** or ***ChromeDefaultData/*** folders inside the paths indicated before. Here you can find the following interesting files:

* ***History***: URLs, downloads and even searched keywords. In Windows, you can use the tool [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) to read the history. The "Transition Type" column means:
  * Link: User clicked on a link
  * Typed: The url was written
  * Auto Bookmark
  * Auto Subframe: Add
  * Start page: Home page
  * Form Submit: A form was filled and sent
  * Reloaded
* ***Cookies***: Cookies. [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) can be used to inspect the cookies.
* ***Cache***: Cache. In Windows, you can use the tool [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html) to inspect the cache.
* ***Bookmarks***: Bookmarks
* ***Web Data***: Form History
* ***Favicons***: Favicons
* ***Login Data***: Login information (usernames, passwords...)
* ***Current Session*** and ***Current Tabs***: Current session data and current tabs
* ***Last Session*** and ***Last Tabs***: These files hold sites that were active in the browser when Chrome was last closed.
* ***Extensions***: Extensions and addons folder
* **Thumbnails** : Thumbnails
* **Preferences**: This file contains a plethora of good information such as plugins, extensions, sites using geolocation, popups, notifications, DNS prefetching, certificate exceptions, and much more. If you’re trying to research whether or not a specific Chrome setting was enabled, you will likely find that setting in here.
* **Browser’s built-in anti-phishing:** `grep 'safebrowsing' ~/Library/Application\ Support/Google/Chrome/Default/Preferences`
  * You can simply grep for “**safebrowsing**” and look for `"enabled":true` in the result to indicate anti-phishing and malware protection is on.
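The "Transition Type" values listed above come from a numeric column in the ***History*** database. The following added example (not part of the original page) decodes it and converts Chrome's timestamps; it assumes Chrome's `urls` and `visits` tables, the WebKit epoch (microseconds since 1601-01-01 UTC) and the transition bit layout, none of which the page spells out, and the database rows are a constructed sample.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core transition type = low 8 bits of visits.transition
CORE = {0: "Link", 1: "Typed", 2: "Auto Bookmark", 3: "Auto Subframe",
        4: "Manual Subframe", 5: "Generated", 6: "Start page",
        7: "Form Submit", 8: "Reloaded", 9: "Keyword", 10: "Keyword Generated"}
# Qualifier flags kept in the upper bits
QUALIFIERS = {0x01000000: "forward/back", 0x02000000: "from address bar",
              0x04000000: "home page", 0x10000000: "chain start",
              0x20000000: "chain end", 0x40000000: "client redirect",
              0x80000000: "server redirect"}

QUERY = """
SELECT v.visit_time, v.transition, u.url
FROM visits AS v JOIN urls AS u ON u.id = v.url
ORDER BY v.visit_time
"""

def webkit_to_utc(microseconds):
    """Chrome timestamps are microseconds since 1601-01-01 UTC, not the Unix epoch."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=microseconds)).strftime("%Y-%m-%d %H:%M:%S")

def decode_transition(value):
    """Split the 32-bit transition value into (core type, [qualifier flags])."""
    value &= 0xFFFFFFFF  # the mask can come back from SQLite as a negative integer
    core = CORE.get(value & 0xFF, f"unknown ({value & 0xFF})")
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, flags

def visit_timeline(conn):
    """Return (utc_time, core_type, flags, url) per visit, oldest first."""
    timeline = []
    for visit_time, transition, url in conn.execute(QUERY):
        core, flags = decode_transition(transition)
        timeline.append((webkit_to_utc(visit_time), core, flags, url))
    return timeline

def build_sample():
    """Constructed sample data with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
        INSERT INTO urls VALUES
            (1, 'https://portal.example.test/login', 'Login'),
            (2, 'https://portal.example.test/home', 'Home');
        INSERT INTO visits VALUES
            (1, 1, 13344473600000000, 805306369),
            (2, 2, 13344473660000000, -1610612736),
            (3, 2, 13344473720000000, 805306375);
    """)
    return conn

if __name__ == "__main__":
    for when, core, flags, url in visit_timeline(build_sample()):
        print(when, core, ",".join(flags), url)
```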

## **SQLite DB Data Recovery**

As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).

## **Internet Explorer 11**

Internet Explorer stores **data** and **metadata** in different locations. The metadata will allow finding the data.

The **metadata** can be found in the file `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebCacheVX.dat`, where VX can be V01, V16, or V24.\
In the same folder you can also find the file V01.log. If the **modified time** of this file and of the WebCacheVX.dat file **differ**, you may need to run the command `esentutl /r V01 /d` to **fix** possible **incompatibilities**.

Once this artifact is **recovered** (it is an ESE database; photorec can recover it with the options Exchange Database or EDB), you can use the program [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) to open it. Once **opened**, go to the table named "**Containers**".

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(446\).png)

Inside this table, you can find in which other tables or containers each part of the stored information is saved. Following that, you can find the **locations of the data** stored by the browsers and the **metadata** that is inside.

**Note that this table also indicates the cache metadata of other Microsoft tools (e.g. Skype).**

### Cache

You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache data.

#### Metadata

The metadata information about the cache stores:

* Filename on disk
* SecureDirectory: Location of the file inside the cache directories
* AccessCount: Number of times it was saved in the cache
* URL: The url origin
* CreationTime: First time it was cached
* AccessedTime: Time when the cache was used
* ModifiedTime: Last webpage version
* ExpiryTime: Time when the cache will expire

#### Files

The cache information can be found in ***%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5*** and ***%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low***

The information inside these folders is a **snapshot of what the user was seeing**. The caches have a size of **250 MB** and the timestamps indicate when the page was visited (first visit: NTFS creation date; last visit: NTFS modification time).

### Cookies

You can use the tool [IECookiesView](https://www.nirsoft.net/utils/iecookies.html) to inspect the cookies. You need to indicate the folder where you have extracted the cookies.

#### **Metadata**

The metadata information about the cookies stored:

* Cookie name in the filesystem
* URL
* AccessCount: Number of times the cookies have been sent to the server
* CreationTime: First time the cookie was created
* ModifiedTime: Last time the cookie was modified
* AccessedTime: Last time the cookie was accessed
* ExpiryTime: Time of expiration of the cookie

#### Files

The cookies data can be found in ***%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies*** and ***%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low***

Session cookies reside in memory and persistent cookies on disk.

### Downloads

#### **Metadata**

Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) you can find the container with the metadata of the downloads:

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(445\).png)

Taking the value of the "ResponseHeaders" column and converting it from hex gives you the URL, the file type and the location of the downloaded file.

#### Files

Look in the path ***%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory***

### **History**

The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used to read the history. But first, you need to indicate the browser in advanced options and the location of the extracted history files.

#### **Metadata**

* ModifiedTime: First time a URL is found
* AccessedTime: Last time
* AccessCount: Number of times accessed

#### **Files**

Search in ***%userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5*** and ***%userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5***

### **Typed URLs**

This information can be found inside the registry hive NTUSER.DAT in the paths:

* ***Software\Microsoft\Internet Explorer\TypedURLs***
  * Stores the last 50 URLs typed by the user
* ***Software\Microsoft\Internet Explorer\TypedURLsTime***
  * Last time the URL was typed

## Microsoft Edge

For analyzing Microsoft Edge artifacts, all the **explanations about cache and locations from the previous section (IE 11) remain valid**, with the only difference that the base location, in this case, is ***%userprofile%\Appdata\Local\Packages*** (as can be observed in the following paths):

* Profile Path: ***C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC***
* History, Cookies and Downloads: ***C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat***
* Settings, Bookmarks, and Reading List: ***C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb***
* Cache: ***C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache***
* Last active sessions: ***C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active***

## **Safari**

The databases can be found in `/Users/$User/Library/Safari`

* **History.db**: The tables `history_visits` and `history_items` contain information about the history and timestamps.
  * `sqlite3 ~/Library/Safari/History.db "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id"`
* **Downloads.plist**: Contains the info about the downloaded files.
* **Bookmarks.plist**: URLs bookmarked.
* **TopSites.plist**: List of the most visited websites that the user browses to.
* **Extensions.plist**: To retrieve an old-style list of Safari browser extensions.
  * `plutil -p ~/Library/Safari/Extensions/Extensions.plist| grep "Bundle Directory Name" | sort --ignore-case`
  * `pluginkit -mDvvv -p com.apple.Safari.extension`
* **UserNotificationPermissions.plist**: Domains that are allowed to push notifications.
  * `plutil -p ~/Library/Safari/UserNotificationPermissions.plist | grep -a3 '"Permission" => 1'`
* **LastSession.plist**: Tabs that were opened the last time the user exited Safari.
  * `plutil -p ~/Library/Safari/LastSession.plist | grep -iv sessionstate`
* **Browser’s built-in anti-phishing:** `defaults read com.apple.Safari WarnAboutFraudulentWebsites`
  * The reply should be 1 to indicate the setting is active

## Opera

The databases can be found in `/Users/$USER/Library/Application Support/com.operasoftware.Opera`

Opera **stores browser history and download data in the exact same format as Google Chrome**. This applies to the file names as well as the table names.

* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application\ Support/com.operasoftware.Opera/Preferences`
  * **fraud\_protection\_enabled** should be **true**
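The anti-phishing checks given for Firefox, Chrome and Opera are all greps over preference files. The following added example (not part of the original page) parses those files instead, so that "explicitly disabled" can be told apart from "not set". The sample file contents are constructed, and the nesting of `fraud_protection_enabled` in the Opera sample is made up, which is why the key is searched recursively.

```python
import json
import re

# Matches lines such as: user_pref("browser.safebrowsing.malware.enabled", false);
PREF_RE = re.compile(
    r'^user_pref\("(browser\.safebrowsing\.[^"]+)",\s*(true|false)\);', re.M)

def firefox_disabled(prefs_js):
    """Safe Browsing switches set to false in prefs.js. The file only records
    values changed from the default, so a missing pref means the default applies."""
    wanted = (".malware.enabled", ".phishing.enabled")
    return sorted(name for name, value in PREF_RE.findall(prefs_js)
                  if value == "false" and name.endswith(wanted))

def find_key(node, key, path=""):
    """Yield (json_path, value) for every occurrence of key in nested JSON."""
    if isinstance(node, dict):
        for name, value in node.items():
            here = f"{path}.{name}" if path else name
            if name == key:
                yield here, value
            yield from find_key(value, key, here)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_key(value, key, f"{path}[{index}]")

def chrome_state(preferences_json):
    """Report safebrowsing.enabled from Chrome's Preferences file."""
    section = json.loads(preferences_json).get("safebrowsing")
    value = section.get("enabled") if isinstance(section, dict) else None
    if value is True:
        return "enabled"
    return "disabled" if value is False else "not set"

def opera_state(preferences_json):
    """Report fraud_protection_enabled wherever it sits in Opera's Preferences."""
    hits = [value for _, value in find_key(json.loads(preferences_json),
                                           "fraud_protection_enabled")]
    if not hits:
        return "not set"
    return "enabled" if all(v is True for v in hits) else "disabled"

# Constructed sample inputs (not taken from a real profile)
FIREFOX_PREFS = '''user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.startup.page", 3);
'''
CHROME_PREFS = '{"profile": {"name": "Person 1"}, "safebrowsing": {"enabled": true}}'
OPERA_PREFS = '{"settings": [{"fraud_protection_enabled": false}]}'  # nesting is made up

def audit():
    """Run all three checks over the constructed samples."""
    return {"firefox_disabled": firefox_disabled(FIREFOX_PREFS),
            "chrome": chrome_state(CHROME_PREFS),
            "opera": opera_state(OPERA_PREFS)}

if __name__ == "__main__":
    print(audit())
```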
