HackTricks - Boitatech
Browser Artifacts

Browsers Artefacts

When we talk about browser artefacts we mean navigation history, bookmarks, the list of downloaded files, cache data, etc.

These artefacts are files stored in browser-specific folders of the operating system.

Each browser stores its files in a different location and under different names, but they all store (most of the time) the same types of data (artefacts).

Let us take a look at the most common artefacts stored by browsers.

  • Navigation History : Contains the user's browsing history. It can be used, for example, to determine whether the user visited a malicious site.

  • Autocomplete Data : Data the browser suggests based on what the user searches for most often. It can be used together with the navigation history to gain more insight.

  • Bookmarks : Self explanatory.

  • Extensions and Addons : Self explanatory.

  • Cache : While browsing, the browser caches all sorts of data (images, JavaScript files, etc.), for example to speed up page loading. These cache files can be a great source of evidence during a forensic investigation.

  • Logins : Self explanatory.

  • Favicons : The little icons shown in tabs, the URL bar, bookmarks and so on. They are another source of information about the websites the user visited.

  • Browser Sessions : Self explanatory.

  • Downloads : Self explanatory.

  • Form Data : Anything typed into forms is often stored by the browser, so that the next time the user fills in a form the browser can suggest previously entered values.

  • Thumbnails : Self explanatory.

Firefox

Firefox creates the profiles folder in ~/.mozilla/firefox/ (Linux), /Users/$USER/Library/Application Support/Firefox/Profiles/ (MacOS) or %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\ (Windows). Inside this folder the file profiles.ini lists the name(s) of the profile(s) in use. Each profile has a "Path" variable with the name of the folder where its data is stored. That folder should be present in the same directory as profiles.ini; if it isn't, it was probably deleted.

Inside the folder of each profile (~/.mozilla/firefox/<ProfileName>/) you should be able to find the following interesting files:

  • places.sqlite : History (moz_places), bookmarks (moz_bookmarks), and downloads (moz_annos). In Windows the tool BrowsingHistoryView can be used to read the history inside places.sqlite.

    • Query to dump history (timestamps are PRTime, i.e. microseconds since the Unix epoch; the per-visit timestamp is moz_historyvisits.visit_date, while moz_places only keeps last_visit_date): SELECT datetime(v.visit_date/1000000,'unixepoch') AS visit_date, p.url, p.title, p.visit_count, v.visit_type FROM moz_places p JOIN moz_historyvisits v ON p.id = v.place_id;

      • Note that visit_type is a number that indicates:

        • 1: User followed a link

        • 2: User typed the URL

        • 3: User used a bookmark

        • 4: Loaded from an iframe

        • 5: Accessed via HTTP redirect 301

        • 6: Accessed via HTTP redirect 302

        • 7: Downloaded file

        • 8: User followed a link inside an iframe

        • 9: Page reload

    • Query to dump downloads (the destination path is stored as the annotation named downloads/destinationFileURI, so join moz_anno_attributes to keep only those rows): SELECT datetime(a.lastModified/1000000,'unixepoch') AS down_date, a.content AS File, p.url AS URL FROM moz_places p JOIN moz_annos a ON p.id = a.place_id JOIN moz_anno_attributes attr ON attr.id = a.anno_attribute_id WHERE attr.name = 'downloads/destinationFileURI';

  • bookmarkbackups/ : Bookmarks backups

  • formhistory.sqlite : Web form data (like emails)

  • handlers.json : Protocol handlers (e.g. which app is going to handle the mailto: protocol)

  • persdict.dat : Words added to the dictionary

  • addons.json and extensions.sqlite : Installed addons and extensions

  • cookies.sqlite : Contains cookies. MZCookiesView can be used in Windows to inspect this file.

  • cache2/entries or startupCache : Cache data (~350MB). Tricks like data carving can also be used to obtain the files saved in the cache. MozillaCacheView can be used to see the files saved in the cache.

    • Information that can be obtained:

      • URL, fetch count, filename, content type, file size, last modified time, last fetched time, server last modified, server response

  • favicons.sqlite : Favicons

  • prefs.js : Settings and Preferences

  • downloads.sqlite : Old downloads database (now it's inside places.sqlite)

  • thumbnails/ : Thumbnails

  • logins.json : Encrypted usernames and passwords

  • Browser’s built-in anti-phishing: grep 'browser.safebrowsing' ~/Library/Application Support/Firefox/Profiles/*/prefs.js

    • Will return "browser.safebrowsing.malware.enabled" and "browser.safebrowsing.phishing.enabled" set to false if Safe Browsing has been disabled. prefs.js only records values that differ from the defaults, so if the entries are absent the default (enabled) is in effect.

  • key4.db or key3.db : Master key database (key4.db in current versions, key3.db in older ones). It holds the NSS key, protected by the optional master password, that encrypts the credentials in logins.json.

In order to try to decrypt the master password you can use https://github.com/unode/firefox_decrypt. With the following script and call you can specify a password file to bruteforce:

brute.sh
#!/bin/bash

# Usage: ./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
# firefox_decrypt reads the master password from stdin when stdin is not a
# terminal, so each candidate is simply piped into it.
passfile="$1"
while IFS= read -r pass; do
  echo "Trying $pass"
  echo "$pass" | python firefox_decrypt.py
done < "$passfile"
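The two places.sqlite queries above, as an added example that is not part of the original page: it builds a constructed places.sqlite in memory (only the columns of moz_places, moz_historyvisits, moz_annos and moz_anno_attributes that the queries touch; the rows are made up), converts the PRTime microsecond timestamps to UTC and maps visit_type to the names listed above.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox visit_type values (TRANSITION_* constants of nsINavHistoryService)
FIREFOX_VISIT_TYPES = {
    1: "link", 2: "typed", 3: "bookmark", 4: "embed",
    5: "redirect_permanent", 6: "redirect_temporary", 7: "download",
    8: "framed_link", 9: "reload",
}


def prtime_to_utc(prtime):
    """Firefox stores PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def fmt(dt):
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_places(path=":memory:"):
    """Constructed sample DB: only the columns of places.sqlite the queries below use."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
                                       place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_anno_attributes(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moz_annos(id INTEGER PRIMARY KEY, place_id INTEGER, anno_attribute_id INTEGER,
                               content TEXT, dateAdded INTEGER, lastModified INTEGER);
    """)
    t0 = 1_600_000_000 * 1_000_000  # 2020-09-13 12:26:40 UTC as PRTime (constructed)
    minute = 60 * 1_000_000
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, t0 + minute),
        (2, "https://evil.example/payload.exe", "payload", 1, t0 + 2 * minute),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, t0, 2),               # user typed example.com
        (2, 1, 1, t0 + minute, 1),      # then followed a link on it
        (3, 2, 2, t0 + 2 * minute, 7),  # and downloaded a file from evil.example
    ])
    conn.execute("INSERT INTO moz_anno_attributes VALUES (1, 'downloads/destinationFileURI')")
    conn.execute("INSERT INTO moz_annos VALUES (1, 2, 1, 'file:///home/user/Downloads/payload.exe', ?, ?)",
                 (t0 + 2 * minute, t0 + 2 * minute + 1_000_000))
    conn.commit()
    return conn


def dump_history(conn):
    """Same join as the history query above, with timestamp and visit_type decoded."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, p.visit_count, v.visit_type
        FROM moz_places p JOIN moz_historyvisits v ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(fmt(prtime_to_utc(d)), url, title, count,
             FIREFOX_VISIT_TYPES.get(vt, "unknown(%d)" % vt))
            for d, url, title, count, vt in rows]


def dump_downloads(conn):
    """Same join as the downloads query above, restricted to the destination-file annotation."""
    rows = conn.execute("""
        SELECT a.lastModified, a.content, p.url
        FROM moz_annos a JOIN moz_places p ON p.id = a.place_id
        JOIN moz_anno_attributes attr ON attr.id = a.anno_attribute_id
        WHERE attr.name = 'downloads/destinationFileURI'""").fetchall()
    return [(fmt(prtime_to_utc(m)), dest, url) for m, dest, url in rows]


if __name__ == "__main__":
    db = build_sample_places()
    for row in dump_history(db):
        print("history:", row)
    for row in dump_downloads(db):
        print("download:", row)
```

To run it against a real profile, replace build_sample_places() with sqlite3.connect on a copy of places.sqlite (copy the file first: Firefox keeps it locked and may have pending changes in places.sqlite-wal).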

Google Chrome

Google Chrome creates the profile inside the home of the user: ~/.config/google-chrome/ (Linux), C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ (Windows) or /Users/$USER/Library/Application Support/Google/Chrome/ (MacOS). Most of the information is saved inside the Default/ or ChromeDefaultData/ folder under those paths. In there you can find the following interesting files:

  • History : URLs, downloads and even searched keywords. In Windows you can use the tool ChromeHistoryView to read the history. The "Transition Type" column means:

    • Link: User clicked on a link

    • Typed: The URL was typed

    • Auto Bookmark: Opened through a UI suggestion such as a bookmark

    • Auto Subframe: Content loaded automatically in a subframe (e.g. an iframe)

    • Start page: Home page

    • Form Submit: A form was filled in and sent

    • Reloaded

  • Cookies : Cookies. ChromeCookiesView can be used to inspect the cookies.

  • Cache : Cache. In Windows you can use the tool ChromeCacheView to inspect the cache.

  • Bookmarks : Bookmarks

  • Web Data : Form History

  • Favicons : Favicons

  • Login Data : Login information (usernames, passwords...)

  • Current Session and Current Tabs : Current session data and current tabs

  • Last Session and Last Tabs : These files hold sites that were active in the browser when Chrome was last closed.

  • Extensions/ : Extensions and addons folder

  • Thumbnails : Thumbnails

  • Preferences: This file contains a plethora of good information such as plugins, extensions, sites using geolocation, popups, notifications, DNS prefetching, certificate exceptions, and much more. If you’re trying to research whether or not a specific Chrome setting was enabled, you will likely find that setting in here.

  • Browser’s built-in anti-phishing: grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences

    • You can simply grep for "safebrowsing" and look for "enabled": true in the result to confirm that anti-phishing and malware protection is on.
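Chrome's History database (and Opera's, which uses the same format) encodes timestamps and transition types differently from Firefox: times are microseconds since 1601-01-01 UTC (the WebKit/FILETIME epoch), and visits.transition packs the core type from the list above into its low byte with qualifier flags (redirects, chain start/end, address bar) in the high bits. The following added example is not code from the page: it builds a constructed History file with a subset of the columns of the urls, visits, keyword_search_terms, downloads and downloads_url_chains tables (the rows are made up) and decodes both encodings.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition types: low byte of visits.transition (Chromium page_transition_types.h)
CORE_TRANSITIONS = {
    0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
    4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
    7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated",
}
# Qualifier flags OR'ed into the high bits of the same value
QUALIFIERS = {
    0x01000000: "forward_back", 0x02000000: "from_address_bar",
    0x04000000: "home_page", 0x08000000: "from_api",
    0x10000000: "chain_start", 0x20000000: "chain_end",
    0x40000000: "client_redirect", 0x80000000: "server_redirect",
}


def webkit_to_utc(webkit_us):
    """Chrome timestamps: microseconds since 1601-01-01 UTC (the WebKit/FILETIME epoch)."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def decode_transition(value):
    """Split a visits.transition value into its core type and the qualifier names set."""
    core = CORE_TRANSITIONS.get(value & 0xFF, "unknown(%d)" % (value & 0xFF))
    return core, [name for bit, name in QUALIFIERS.items() if value & bit]


def fmt(dt):
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_history(path=":memory:"):
    """Constructed sample: a subset of the columns of Chrome's History tables."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER, term TEXT);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                               start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                               state INTEGER);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t0 = utc_to_webkit(datetime(2020, 9, 13, 12, 26, 40, tzinfo=timezone.utc))
    minute = 60 * 1_000_000
    search = "https://www.google.com/search?q=malware+sample"
    payload = "https://evil.example/payload.exe"
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, search, "malware sample - Google Search", 1, 0, t0, 0),
        (2, payload, "payload", 1, 0, t0 + minute, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x32000005),           # omnibox search: GENERATED|FROM_ADDRESS_BAR|CHAIN_START|CHAIN_END
        (2, 2, t0 + minute, 1, 0x30000000),  # link click: LINK|CHAIN_START|CHAIN_END
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (2, 1, 'malware sample')")
    conn.execute("INSERT INTO downloads VALUES (1, ?, ?, ?, 1024, 1024, 1)",
                 ("/home/user/Downloads/payload.exe", "/home/user/Downloads/payload.exe", t0 + minute))
    conn.execute("INSERT INTO downloads_url_chains VALUES (1, 0, ?)", (payload,))
    conn.commit()
    return conn


def dump_history(conn):
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition
        FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    return [(fmt(webkit_to_utc(t)), url, title) + decode_transition(tr)
            for t, url, title, tr in rows]


def dump_search_terms(conn):
    return conn.execute("""
        SELECT k.term, u.url FROM keyword_search_terms k
        JOIN urls u ON u.id = k.url_id""").fetchall()


def dump_downloads(conn):
    rows = conn.execute("""
        SELECT d.start_time, d.target_path, c.url
        FROM downloads d JOIN downloads_url_chains c ON c.id = d.id
        ORDER BY d.id, c.chain_index""").fetchall()
    return [(fmt(webkit_to_utc(t)), path, url) for t, path, url in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for row in dump_history(db) + dump_search_terms(db) + dump_downloads(db):
        print(row)
```

The qualifier bits are what distinguish a page the user actually navigated to from one reached through a server redirect (server_redirect with chain_end) or a back/forward press (forward_back), which matters when attributing a visit to a malicious URL to user action.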

SQLite DB Data Recovery

As you can observe in the previous sections, both Chrome and Firefox use SQLite databases to store their data. It is possible to recover deleted entries using the tools sqlparse or sqlparse_gui.
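Why deleted rows are recoverable at all: unless secure_delete is on, SQLite only links a deleted cell into the page's freeblock list (overwriting its first four bytes) and leaves the rest of the payload in place, so a string scan over the raw file still finds it. The added example below is not part of the page; the table and URLs are constructed. It deletes a row from a Chrome-style urls table, carves it back out of the file bytes, and then repeats the run with PRAGMA secure_delete=ON to show the bytes being zeroed.

```python
import os
import re
import sqlite3
import tempfile

DELETED_URL = "https://deleted.example/secret"  # the row we delete, then hunt for in the raw file

# Lowercase-only URL pattern; titles in the sample start with a capital so the match stops
# at the end of the URL even though the title is stored right behind it in the record.
URL_RE = re.compile(rb"https?://[a-z0-9.-]+(?:/[a-z0-9./_-]*)?")


def make_history_db(path, secure_delete):
    """Create a Chrome-style urls table (constructed rows), then delete one row."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=DELETE")  # no WAL, so everything lands in the main file
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    conn.executemany("INSERT INTO urls(url, title) VALUES (?, ?)", [
        ("https://example.com/", "Example Domain"),
        (DELETED_URL, "Secret Page"),
        ("https://example.org/", "Another Site"),
    ])
    conn.commit()
    conn.execute("DELETE FROM urls WHERE url = ?", (DELETED_URL,))
    conn.commit()
    conn.close()


def live_urls(path):
    """What a normal query still sees after the delete."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT url FROM urls ORDER BY id")]
    conn.close()
    return rows


def carve_urls(path):
    """What a raw byte scan of the database file sees (freeblocks included)."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.decode() for m in URL_RE.findall(data)})


def demo(secure_delete=False):
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "History")
    try:
        make_history_db(path, secure_delete)
        return {"live": live_urls(path), "carved": carve_urls(path)}
    finally:
        for name in os.listdir(tmp):
            os.remove(os.path.join(tmp, name))
        os.rmdir(tmp)


if __name__ == "__main__":
    print("secure_delete=OFF:", demo(False))
    print("secure_delete=ON: ", demo(True))
```

Real tools such as sqlparse walk the page structure (freeblocks, unallocated space, freelist pages) instead of regex-scanning, which recovers whole records rather than just strings, but the underlying reason they work is the one shown here. Also remember to carve the -journal and -wal files next to the database, since deleted rows survive there independently of secure_delete.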

Internet Explorer 11

Internet Explorer stores data and metadata in different locations. The metadata allows you to find the data.

The metadata can be found in the folder %userprofile%\Appdata\Local\Microsoft\Windows\WebCache\ in the file WebCacheVXX.dat, where VXX can be V01, V16 or V24. In the same folder you can also find the file V01.log. If the modification time of this file and that of the WebCacheVXX.dat file differ, the database was not cleanly shut down and you may need to run the command esentutl /r V01 /d to repair it before opening it.

Once recovered this artifact (it is an ESE database; photorec can recover it with the options Exchange Database or EDB) you can use the program ESEDatabaseView to open it. Once opened, go to the table "Containers".

Inside this table you can find in which other tables or containers each part of the stored information is saved, together with the locations of the data stored by the browser and the metadata about that data.

Note that this table also indexes the cache metadata of other Microsoft tools (e.g. Skype).

Cache

Metadata

The metadata information about the cache stores:

  • Filename on disk

  • SecureDirectory: Location of the file inside the cache directories

  • AccessCount: Number of times the cached entry was accessed

  • URL: The origin URL

  • CreationTime: First time it was cached

  • AccessedTime: Last time the cached entry was used

  • ModifiedTime: Last time the web page version changed

  • ExpiryTime: Time when the cache entry will expire

Files

The cache information can be found in %userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 and %userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low

The information inside these folders is a snapshot of what the user was seeing. The cache has a default size of 250 MB, and the NTFS timestamps of the cached files indicate when the page was visited: the creation time is the first visit and the modification time the last visit.

You can use the tool IECacheView to inspect the cache. You need to indicate the folder where you have extracted the cache data.

Cookies

Metadata

The metadata information about the cookies stores:

  • Cookie name in the filesystem

  • URL

  • AccessCount: Number of times the cookie has been sent to the server

  • CreationTime: First time the cookie was created

  • ModifiedTime: Last time the cookie was modified

  • AccessedTime: Last time the cookie was accessed

  • ExpiryTime: Expiration time of the cookie

Files

The cookies data can be found in %userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies and %userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low

Session cookies reside in memory and persistent cookies on disk.

You can use the tool IECookiesView to inspect the cookies. You need to indicate the folder where you have extracted the cookies.

Downloads

Metadata

Checking the Containers table with ESEDatabaseView you can find the container with the metadata of the downloads. Decoding the hex content of the column "ResponseHeaders" yields the URL, the file type and the location of the downloaded file.

Files

Look in the path %userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory

History

Metadata

  • ModifiedTime: First time a URL was seen

  • AccessedTime: Last time it was accessed

  • AccessCount: Number of times accessed

Files

Search in %userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5 and %userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5

The tool BrowsingHistoryView can be used to read the history. But first you need to indicate the browser in the advanced options and the location of the extracted history files.

Typed URLs

This information can be found inside the registry hive NTUSER.DAT under the keys:

  • Software\Microsoft\Internet Explorer\TypedURLs

    • Stores the last 50 URLs typed by the user (url1 is the most recent)

  • Software\Microsoft\Internet Explorer\TypedURLsTime

    • Last time each URL was typed (one 64-bit FILETIME value per url entry)

Microsoft Edge

For analyzing Microsoft Edge artifacts all the explanations about cache and locations from the previous section (IE 11) remain valid, with the only difference that the base location in this case is %userprofile%\Appdata\Local\Packages (as can be observed in the following paths). Note that these are the paths of the legacy (EdgeHTML) Edge; the Chromium-based Edge stores a Chrome-style profile under %userprofile%\AppData\Local\Microsoft\Edge\User Data\ and is analysed like Chrome.

  • Profile Path: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC

  • History, Cookies and Downloads: C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

  • Settings, Bookmarks, and Reading List: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb

  • Cache: C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache

  • Last active sessions: C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Safari

The databases can be found in /Users/$USER/Library/Safari

  • History.db: The tables history_visits and history_items contain the history and timestamps. Safari stores visit_time as seconds since 2001-01-01 (Cocoa epoch), so add 978307200 to convert it to a Unix timestamp.

    • sqlite3 ~/Library/Safari/History.db "SELECT datetime(h.visit_time + 978307200, 'unixepoch') AS visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id"

  • Downloads.plist: Contains the info about the downloaded files.

  • Bookmarks.plist: Bookmarked URLs.

  • TopSites.plist: List of the websites the user visits most.

  • Extensions.plist: Old-style list of Safari browser extensions.

    • plutil -p ~/Library/Safari/Extensions/Extensions.plist | grep "Bundle Directory Name" | sort --ignore-case

    • pluginkit -mDvvv -p com.apple.Safari.extension

  • UserNotificationPermissions.plist: Domains that are allowed to push notifications.

    • plutil -p ~/Library/Safari/UserNotificationPermissions.plist | grep -a3 '"Permission" => 1'

  • LastSession.plist: Tabs that were open the last time the user exited Safari.

    • plutil -p ~/Library/Safari/LastSession.plist | grep -iv sessionstate

  • Browser’s built-in anti-phishing: defaults read com.apple.Safari WarnAboutFraudulentWebsites

    • The reply should be 1 to indicate the setting is active

Opera

The databases can be found in /Users/$USER/Library/Application Support/com.operasoftware.Opera

Opera stores browser history and download data in the exact same format as Google Chrome. This applies to the file names as well as the table names.

  • Browser’s built-in anti-phishing: grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences

    • fraud_protection_enabled should be true
