Tracing the Digital Footprints - Browser Usage

In the intricate world of digital forensics, browser artifacts are invaluable. They offer a deep dive into user activity, revealing visited websites, downloaded files, search queries, and even the "snapshot in time" of a user's online experience. Understanding these digital breadcrumbs is crucial for reconstructing events, identifying malicious activity, or proving intent. This blog post will illuminate key artifacts under the "Browser Usage" section, detailing their descriptions, locations, and interpretive value.
History
The browser's history is a fundamental artifact for understanding a user's online journey.
Description: This artifact records websites visited by date and time. It stores details for each local user account and records the number of times visited (frequency). Importantly, it also tracks access of local system files and includes the website history of search terms in search engines.
Location:
Internet Explorer:
IE6-7:
%USERPROFILE%\Local Settings\History\History.IE5
IE8-9:
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
IE10, 11, Edge:
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox:
XP:
%userprofile%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
Win7/8/10:
%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
Chrome:
XP:
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\History
Win7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Interpretation: The history artifact allows investigators to understand what sites a user has been visiting and can list the files that were opened from remote sites and downloaded to the local system. It also records the access to files on websites that were accessed via a link.
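An added example (not from the original post) of reading the Chrome History database listed above: it converts Chrome's timestamps, which count microseconds from 1601-01-01 UTC, and tags local file access and search terms. The in-memory database, its rows and the function names are constructed for illustration; the urls table columns follow Chrome's schema, reduced to the ones queried.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Chrome timestamps are microseconds since 1601-01-01 00:00 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed stand-in for Chrome's History file (urls table only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    t0 = utc_to_webkit(datetime(2023, 5, 1, 9, 30, tzinfo=timezone.utc))
    rows = [  # constructed sample rows, not real evidence
        ("https://www.google.com/search?q=wipe+free+space", "Google Search", 3, t0),
        ("file:///C:/Users/alice/Documents/payroll.xlsx", "", 1, t0 + 90_000_000),
        ("https://example.com/downloads/tool.zip", "tool.zip", 2, t0 + 300_000_000),
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) "
                     "VALUES (?, ?, ?, ?)", rows)
    return conn

def read_history(conn):
    """Return entries oldest-first, tagging local file access and search terms."""
    out = []
    query = ("SELECT url, title, visit_count, last_visit_time "
             "FROM urls ORDER BY last_visit_time")
    for url, title, count, ts in conn.execute(query):
        parsed = urlparse(url)
        terms = parse_qs(parsed.query).get("q", [])  # 'q' is the common search parameter
        kind = "local_file" if parsed.scheme == "file" else "search" if terms else "web"
        out.append({"url": url, "title": title, "visit_count": count,
                    "last_visit_utc": webkit_to_utc(ts), "kind": kind,
                    "search_terms": terms[0] if terms else None})
    return out

if __name__ == "__main__":
    for entry in read_history(build_sample_history()):
        print(entry["last_visit_utc"].isoformat(), entry["kind"],
              entry["visit_count"], entry["search_terms"] or entry["url"])
```

On a real case, pass read_history a read-only connection to a working copy of the History file rather than the original evidence.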
Cookies
Cookies offer insights into specific activities and visits.
Description: Cookies give insight into what websites have been visited and what activities may have taken place there.
Location:
Internet Explorer:
IE6-8:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
IE10:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
IE11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
Edge:
%USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APPID>\AC\MicrosoftEdge\Cookies
Firefox:
XP:
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
Win7/8/10:
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
Chrome:
XP:
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage
Win7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Interpretation: By examining cookies, forensicators can gain valuable insight into websites visited and the actions performed on them.
Cache
Browser cache provides a tangible snapshot of content viewed by a user.
Description: The cache is where web page components can be stored locally to speed up subsequent visits. It gives the investigator a "snapshot in time" of what a user was looking at online. It identifies websites which were visited and provides the actual files the user viewed on a given website. These cached files are tied to a specific local user account, and their timestamps show when the site was first saved and last viewed.
Location:
Internet Explorer:
IE8-9:
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
IE10:
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
IE11:
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE
Edge:
%USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APPID>\AC\MicrosoftEdge\Cache
Firefox:
XP:
%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\Cache
Win7/8/10:
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<randomtext>.default\Cache
Chrome:
XP:
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache - data_# and f_######
Win7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ - data_# and f_######
Interpretation: The cache acts as a direct evidence source of content a user has viewed, with timestamps providing a temporal context of access and viewing.
Flash & Super Cookies
These persistent tracking mechanisms often bypass typical browser cookie management.
Description: Local Stored Objects (LSOs), also known as Flash Cookies, have become ubiquitous on most systems due to the extremely high penetration of Flash applications across the Internet. They tend to be much more persistent because they do not expire, and there is no built-in mechanism within the browser to remove them. Many sites have begun using LSOs for their tracking mechanisms because they rarely get cleared like traditional cookies.
Location:
Win7/8/10:
%APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\<randomprofileid>
Interpretation: Due to their persistence and lack of easy user-deletion mechanisms, Flash and Super Cookies are powerful artifacts for long-term user tracking and profiling, often revealing activity that might otherwise be hidden if only traditional cookies were examined.
Session Restore
Session restore features can inadvertently preserve crucial browsing context.
Description: This artifact relates to Automatic Crash Recovery features built into the browser.
Location:
Internet Explorer Win7/8/10:
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\Recovery
Firefox Win7/8/10:
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\sessionstore.js
Chrome Win7/8/10:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\
Files = Current Session, Current Tabs, Last Session, Last Tabs
Interpretation: Session restore data can provide insights into:
Historical websites viewed in each tab.
Referring websites.
Time the session ended.
Modified time of .dat files in the LastActive folder.
Time each tab opened (only when a crash occurred).
Creation time of .dat files in the Active folder.
Google Analytics Cookies
These specific cookies offer highly detailed tracking information often used by websites.
Description: Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. GA holds a commanding market share, estimated at over 80% of sites using traffic analysis and over 50% of all sites, largely because it is free. Key GA cookies include:
__utma: Tracks unique visitors, including Domain Hash, Visitor ID, Cookie Creation Time, Time of 2nd most recent visit, Time of most recent visit, and Number of visits.
__utmb: Used for session tracking, including Domain Hash, Page views in current session, Outbound link clicks, and Time current session started.
__utmz: Identifies traffic sources, including Domain Hash, Last Update time, and Number of visits.
Location: No separate file paths are given for Google Analytics cookies; one would typically look for them within the browser's main cookie storage, at the general browser cookie locations.
Interpretation: These cookies provide a highly granular view of user interaction with specific websites, allowing forensicators to reconstruct visitor history, session duration, referral sources, and even repeat visit patterns to sites that employ Google Analytics.
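An added example (not from the original post) that decodes the three cookie values into the fields listed above. It assumes the dot-separated layout in the order the description gives, Unix epoch seconds for the times, and a pipe-separated key=value tail on __utmz (utmcsr, utmccn, utmcmd, utmctr); the sample values and function names are constructed.

```python
from datetime import datetime, timezone

# Constructed sample values, not taken from a real cookie store.
SAMPLE_UTMA = "173272373.1073741824.1682933400.1683019800.1683106200.3"
SAMPLE_UTMB = "173272373.4.10.1683106200"
SAMPLE_UTMZ = ("173272373.1682933400.1.1."
               "utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=report.pdf")

def _utc(epoch_seconds):
    """Times in these cookies are treated as Unix epoch seconds."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)

def _fields(value, count):
    # maxsplit keeps dots inside the last field (e.g. a search term) intact
    parts = value.split(".", count - 1)
    if len(parts) != count:
        raise ValueError(f"expected {count} dot-separated fields, got {len(parts)}")
    return parts

def parse_utma(value):
    dom, visitor, first, prev, last, visits = _fields(value, 6)
    return {"domain_hash": dom, "visitor_id": visitor,
            "cookie_created": _utc(first),
            "second_most_recent_visit": _utc(prev),
            "most_recent_visit": _utc(last), "visit_count": int(visits)}

def parse_utmb(value):
    dom, pages, outbound, start = _fields(value, 4)
    return {"domain_hash": dom, "page_views": int(pages),
            "outbound_link_clicks": int(outbound), "session_start": _utc(start)}

def parse_utmz(value):
    dom, updated, visits, sources, tail = _fields(value, 5)
    source = dict(kv.split("=", 1) for kv in tail.split("|") if "=" in kv)
    return {"domain_hash": dom, "last_update": _utc(updated),
            "visit_count": int(visits), "source_count": int(sources),
            "source": source}

if __name__ == "__main__":
    for name, parsed in (("__utma", parse_utma(SAMPLE_UTMA)),
                         ("__utmb", parse_utmb(SAMPLE_UTMB)),
                         ("__utmz", parse_utmz(SAMPLE_UTMZ))):
        print(name, parsed)
```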
By thoroughly analyzing these browser usage artifacts, digital forensic investigators can reconstruct significant portions of a user's online activities, providing critical evidence for a wide range of investigations.



