Internet Browser Forensics with Autopsy

In this lab we learned how to access web browser history from Windows computers and how to use that data in an investigation. We learned the locations of the web history, web cache, and cookies in the Chrome, Edge, and Firefox browsers. Cookies help prove a user visited a website and can help determine what they did when they visited. We manually visited the locations from which the Autopsy parsers get their data.


The web history and Cookies files for Google Chrome are located at the path: <Userprofile>\AppData\Local\Google\Chrome\User Data\Default\

  • To view the data in the History file click on it in the file pane in Autopsy. Then in the bottom pane click the Application tab. In the Application tab change the Table dropdown option to view various web history tables (url, visits, keyword_search_terms, downloads).
  • To view the data in the Cookies file click on it in the file pane in Autopsy. Then in the bottom pane click the Application tab. In the Application tab change the Table dropdown option to view the file's tables (meta, cookies).

The history file with the url table selected

The cache file for Google Chrome is located at the path: <Userprofile>\AppData\Local\Google\Chrome\User Data\Default\Cache

  • Selecting the Thumbnail view can reveal some images from the websites visited by the user

The history and cookies files in Mozilla Firefox are stored in the path C > Users > Mr Good > AppData > Roaming > Mozilla > Firefox > Profiles > *.default-release

  • The places.sqlite file stores data about the top-level domains from web pages accessed by the user (moz_origins table), a list of each url that was visited (moz_places table), and data about each instance when a user visited a url, such as date/time & method used (moz_historyvisits table).

The places.sqlite file with the moz_places table selected

  • The cookies.sqlite file holds cookie info like the data stored in each cookie and when the cookie was last accessed (moz_cookies table).

The cookies.sqlite file with the moz_cookies table showing
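
As an added example (not part of the original lab and not Autopsy's own code), the Python script below reads the Chrome History and Firefox places.sqlite tables described above and merges the visits into one UTC timeline, converting Chrome's 1601-based and Firefox's 1970-based microsecond timestamps. The in-memory databases, URLs and timestamp values are constructed sample data reduced to the columns used, and `open_evidence` is a hypothetical helper for running the same queries against an exported copy of the real file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit time base
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox PRTime base

# Chrome: urls + visits; Firefox: moz_places + moz_historyvisits.
# Both timestamp columns count microseconds from the browser's own epoch.
QUERIES = {
    "chrome": ("SELECT v.visit_time, u.url, u.title FROM visits v "
               "JOIN urls u ON u.id = v.url", CHROME_EPOCH),
    "firefox": ("SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
                "JOIN moz_places p ON p.id = h.place_id", UNIX_EPOCH),
}

def read_visits(conn, browser):
    """Return [(utc_datetime, browser, url, title)] for every recorded visit."""
    sql, epoch = QUERIES[browser]
    return [(epoch + timedelta(microseconds=ts), browser, url, title)
            for ts, url, title in conn.execute(sql)]

def open_evidence(path):
    """Hypothetical helper: open an exported copy read-only so it is not modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample(browser):
    """Constructed in-memory stand-in for an exported History / places.sqlite."""
    conn = sqlite3.connect(":memory:")
    if browser == "chrome":
        conn.executescript("""
            CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
            INSERT INTO urls VALUES (1, 'https://example.com/', 'Example');
            INSERT INTO visits VALUES (1, 1, 13350000000000000);""")
    else:
        conn.executescript("""
            CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
            INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example Org');
            INSERT INTO moz_historyvisits VALUES (1, 1, 1700000000000000);""")
    return conn

def timeline(conns):
    """Merge visits from {browser: connection} into one list sorted by time."""
    rows = [r for b, c in conns.items() for r in read_visits(c, b)]
    return sorted(rows, key=lambda r: r[0])

def sample_timeline():
    return timeline({b: build_sample(b) for b in QUERIES})
```

Against real evidence, export the files from Autopsy first and pass `open_evidence(...)` connections to `timeline` instead of the constructed samples.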

The cache in Mozilla Firefox is stored in C > Users > [User Profile] > AppData > Local > Mozilla > Firefox > Profiles > *.default-release.

The web history in Internet Explorer is stored in C > Users > [User Profile] > AppData > Local > Microsoft > Windows > WebCache

  • The .dat file stores the web history and can be exported & parsed with an ESE database viewer

The WebCache .dat file

The web cookies in Internet Explorer are stored in C > Users > [User Profile] > AppData > Local > Microsoft > Windows > INetCookies

  • Each cookie is stored in a separate folder
  • Important cookie info: Creation Time, Access Time, Modified Time, website visited, type of data stored by the cookie

The INetCookies folder holds a file for each cookie

The web cache in Internet Explorer is stored in C > Users > [User Profile] > AppData > Local > Microsoft > Windows > WebCache > IE ***OR*** C > Users > [User Profile] > AppData > Local > Microsoft > Windows > WebCache > Low > IE

2 locations for web cache data in Internet Explorer

Autopsy stores parsed, categorized data in Results > Extracted Content. These categories aggregate all the information from the sources we manually visited earlier in this lab.

Autopsy puts all the useful data here so we don't have to manually hunt it down like we did in the above steps




