Dray Agha

28-02-2022

18:08

Let’s have a chat about web browser investigations. We’ll look at Chrome, Edge, Firefox, and Safari’s data, and investigate whether a user has downloaded anything from a dubious, malicious source. Along the way, we'll drop tips on formatting the data so it's easier to look at. 🧵

We’re not concerned if other members of our org are looking at eBay or cat memes during work hours. If your employer has tasked you to snoop on your peers' browser history, then DM me about finding a new job. We're focusing on downloads and their corresponding URLs.

According to this graph I didn’t fact check, Chrome and Safari dominate the game. Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too.

Chrome & Edge
Both are built on Chromium. You find the history database in the following paths:
Chrome: C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
Edge: C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History

‘sqlite3’ can open up our database files.

Then, to see how the data is organised, run ‘.tables’ to see what options we can delve deeper into.

If you just run ‘select * from downloads;’, you’ll be annoyed by the messy output.

To transform the data into something more useful to look at, try this, which will open it up in Excel:
.excel
.headers on
select * from downloads;
And then if you tidy this up it's easy to see what the user downloaded and from where.
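As an added example (my own code, not from the thread), here is the tidying step done in Python against a Chrome or Edge History file. It joins `downloads` with `downloads_url_chains` so the full redirect chain behind each file is visible, decodes Chromium's timestamps (microseconds since 1601-01-01 UTC, which is why the raw `start_time` values in `select *` look like gibberish), and flags rows whose `danger_type` is non-zero, meaning Safe Browsing raised a verdict on that download. The sample rows are constructed and the table columns are a subset of the real schema; the file paths, URLs and hostnames are placeholders. A running browser keeps the History file locked, so point the script at a copy.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores download and visit times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    """Decode a Chromium timestamp; Chromium writes 0 for 'unset', mapped here to None."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt):
    """Inverse of webkit_to_utc, used only to build the constructed sample rows below."""
    delta = dt - WEBKIT_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def list_downloads(conn):
    """One tidy record per download: where it was saved, decoded times, the full URL
    chain (redirects included), the page it was started from, and the Safe Browsing flag."""
    sql = """
        SELECT d.id, d.target_path, d.start_time, d.end_time,
               d.received_bytes, d.total_bytes, d.danger_type, d.mime_type,
               d.tab_url, d.referrer,
               (SELECT group_concat(url, ' -> ')
                  FROM (SELECT url FROM downloads_url_chains
                         WHERE id = d.id ORDER BY chain_index)) AS url_chain
          FROM downloads d
         ORDER BY d.start_time
    """
    records = []
    for (did, target, start, end, received, total, danger,
         mime, tab_url, referrer, chain) in conn.execute(sql):
        records.append({
            "id": did,
            "target_path": target,
            "started": webkit_to_utc(start),
            "finished": webkit_to_utc(end),
            "bytes": f"{received}/{total}",
            "danger_flagged": danger != 0,   # any non-zero value is a Safe Browsing verdict
            "mime_type": mime,
            "url_chain": chain,
            "tab_url": tab_url,
            "referrer": referrer,
        })
    return records


def build_sample_db():
    """Constructed stand-in for a Chrome/Edge History file (column subset only).
    Two downloads: a PDF from the intranet and an executable that arrived via a redirect."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, end_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, danger_type INTEGER,
            mime_type TEXT, tab_url TEXT, referrer TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t0 = utc_to_webkit(datetime(2022, 2, 28, 18, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, r"C:\Users\analyst\Downloads\report.pdf", t0, t0 + 2_000_000,
         48_213, 48_213, 0, "application/pdf",
         "https://intranet.example/reports", "https://intranet.example/"),
        (2, r"C:\Users\analyst\Downloads\invoice.exe", t0 + 600_000_000, t0 + 605_000_000,
         912_384, 912_384, 1, "application/x-msdownload",
         "https://mail.example/inbox", "https://mail.example/"),
    ])
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://intranet.example/files/report.pdf"),
        (2, 0, "http://short.example/x7f"),                    # link clicked in the mail
        (2, 1, "http://cdn.example-bad.test/invoice.exe"),     # where it redirected to
    ])
    return conn


def main(path=None):
    """Open a copied History file read-only, or fall back to the constructed sample."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True) if path else build_sample_db()
    for rec in list_downloads(conn):
        started = rec["started"].strftime("%Y-%m-%d %H:%M:%S UTC") if rec["started"] else "unknown"
        flag = "  <-- Safe Browsing verdict" if rec["danger_flagged"] else ""
        print(f'{started}  {rec["target_path"]}  [{rec["bytes"]} bytes]{flag}')
        print(f'    from {rec["url_chain"]}  (page: {rec["tab_url"]})')


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path to a copied History file as the only argument; with no argument it prints the constructed sample. The redirect chain is the part `select * from downloads;` never shows you, and it is usually where the interesting host sits.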

Edge is essentially the same as Chrome, but with path variations.

Safari
Safari’s data can be found in the directory: /System/Volumes/Data/Users/*/Library/Safari/
You can use the files Downloads.plist and History.db

For the History database, we can run 'select * from history_items;'

And for the .plist, because we’re lazy, we can just run strings on the file.

Firefox
For Firefox, we’ll go to: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\
And we get the files Downloads.json and Places.sqlite

Again we can use sqlite3 for Places.sqlite, and then execute `select * from moz_places;`

But the above looks awful! I have a formatting tip for you that will make it a more enjoyable read:
.mode line
select * from moz_places;
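One more added example (again my own code, not from the thread). `moz_places` on its own lists every URL Firefox has seen, downloads and ordinary visits alike; the download-specific detail lives in `moz_annos`, as annotations named `downloads/destinationFileURI` (where the file was saved) and `downloads/metaData` (a small JSON blob) attached to the place row. This script joins the three tables to pull out just the downloads and decodes Firefox's PRTime timestamps, which are microseconds since 1970-01-01 UTC (a different epoch from Chromium's). The sample rows are constructed with a subset of the real columns; treating `endTime` in the metadata as a millisecond timestamp is an assumption, and the paths and hostnames are placeholders.

```python
import json
import sqlite3
from datetime import datetime, timezone


def prtime_to_utc(microseconds):
    """Firefox PRTime: microseconds since the Unix epoch; 0/NULL means 'never visited'."""
    if not microseconds:
        return None
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def js_ms_to_utc(milliseconds):
    """endTime inside downloads/metaData, assumed to be a JavaScript-style millisecond timestamp."""
    if not milliseconds:
        return None
    return datetime.fromtimestamp(milliseconds / 1000, tz=timezone.utc)


def list_firefox_downloads(conn):
    """Return only the moz_places rows that carry download annotations, with both
    annotations folded onto one record and the timestamps decoded."""
    sql = """
        SELECT p.url, p.last_visit_date,
               max(CASE WHEN a.name = 'downloads/destinationFileURI' THEN n.content END),
               max(CASE WHEN a.name = 'downloads/metaData' THEN n.content END)
          FROM moz_places p
          JOIN moz_annos n ON n.place_id = p.id
          JOIN moz_anno_attributes a ON a.id = n.anno_attribute_id
         WHERE a.name IN ('downloads/destinationFileURI', 'downloads/metaData')
         GROUP BY p.id
         ORDER BY p.last_visit_date
    """
    records = []
    for url, visited, dest, meta_json in conn.execute(sql):
        meta = json.loads(meta_json) if meta_json else {}
        records.append({
            "url": url,
            "visited": prtime_to_utc(visited),
            "destination": dest,
            "ended": js_ms_to_utc(meta.get("endTime")),
            "size": meta.get("fileSize"),
            "state": meta.get("state"),
        })
    return records


def build_sample_places():
    """Constructed stand-in for places.sqlite (column subset only): one plain page visit
    and two downloads, one of which came from a host that deserves a closer look."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_date INTEGER);
        CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
                                anno_attribute_id INTEGER, content TEXT);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", [
        (1, "https://intranet.example/reports", "Reports", 1646071700000000),  # visit only
        (2, "https://intranet.example/files/report.pdf", None, 1646071800000000),
        (3, "http://cdn.example-bad.test/invoice.exe", None, 1646072400000000),
    ])
    conn.executemany("INSERT INTO moz_anno_attributes VALUES (?,?)", [
        (1, "downloads/destinationFileURI"),
        (2, "downloads/metaData"),
    ])
    conn.executemany("INSERT INTO moz_annos VALUES (?,?,?,?)", [
        (1, 2, 1, "file:///C:/Users/analyst/Downloads/report.pdf"),
        (2, 2, 2, json.dumps({"state": 1, "endTime": 1646071802000, "fileSize": 48213})),
        (3, 3, 1, "file:///C:/Users/analyst/Downloads/invoice.exe"),
        (4, 3, 2, json.dumps({"state": 1, "endTime": 1646072405000, "fileSize": 912384})),
    ])
    return conn


def main(path=None):
    """Open a copied places.sqlite read-only, or fall back to the constructed sample."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True) if path else build_sample_places()
    for rec in list_firefox_downloads(conn):
        when = rec["ended"] or rec["visited"]
        stamp = when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else "unknown"
        print(f'{stamp}  {rec["destination"]}  ({rec["size"]} bytes)')
        print(f'    from {rec["url"]}')


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

As with the Chrome script, work on a copy of the profile file; Firefox holds places.sqlite open while it runs. The plain page visit (row 1 in the sample) is filtered out by the join, which is the whole point of going through `moz_annos` rather than scrolling `moz_places`.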

If you’d rather not mess around with the command line, you can always find a visualiser that lets you upload your database. But be careful not to just upload data to any random website...

You may see a suspicious URL amongst this data. You can take it to VirusTotal, or, to go and see for yourself, go to urlscan.

I hope this crash-course thread has discussed some tools and methods that will help you explore other forensic artefacts that can help you in web browser investigations 💪
