Browser History Forensics Best Practices

DOJ-approved and widely accepted computer forensic methods:

FTK Imager (AccessData)

Tool for creating forensic images and performing live previews of file systems. Can capture volatile memory, disk images, and carve out deleted files. Can extract Internet Explorer and Edge artifacts, including deleted cache and browsing history. Supports registry and memory analysis to find traces of visited websites.

Autopsy (Sleuth Kit)

Open-source forensic suite that provides an easy-to-use interface.

Supports keyword searching, metadata analysis, and recovery of deleted browsing history, cookies, and cached files.

EnCase Forensic (OpenText)

Industry-standard tool for in-depth disk analysis. Can recover deleted files, internet history, and even system artifacts related to browser activity. Can parse WebCacheV01.dat, where Edge and IE store history, cookies, and cache. Can extract deleted browsing records from unallocated disk space.

Magnet AXIOM

Specialized in analyzing internet artifacts, including browsing history, cache, and deleted cookies.

Also useful for recovering data in both live and dead-box forensics. Has built-in support for analyzing IE and Edge artifacts, including WebCacheV01.dat, TypedURLs, registry keys, cookies, cache, and indexed databases.

X-Ways Forensics

Lightweight but powerful forensic tool. Offers deep analysis of file systems, unallocated space, and browser artifacts. Supports deep recovery of deleted browsing history from disk images. Can parse IE’s index.dat and Edge’s WebCacheV01.dat.

NirSoft Browsing History View

Quick tool to extract and view browsing history from IE and Edge.

Can analyze deleted history if the underlying database files are still recoverable.

Bulk Extractor

Useful for extracting patterns such as URLs, email addresses, and credit card numbers from raw data.

Can process unallocated space and deleted files to search for URLs, cache records, and other browser-related data, recovering fragments of deleted browsing history that still exist on disk.

Wireshark (If Network Traffic is Available)

While not a forensic recovery tool, it can help analyze network packets to see previously accessed websites if packet captures are available.

TestDisk & PhotoRec

While primarily designed for partition recovery, TestDisk can sometimes help recover deleted browser history files.

PhotoRec is useful for recovering specific file types like SQLite databases that browsers use. Can attempt recovery of deleted browser history database files (IE: index.dat; Edge: WebCacheV01.dat).

Volatility (If Memory Dumps are Available)

If a memory dump was taken, use Volatility plugins like iehistory or dumpfiles to extract browsing history stored in RAM.

sqlitebrowser

DB Browser for SQLite (sqlitebrowser) can examine places.sqlite for Firefox history and Chrome's History database.
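The same two databases can also be read programmatically and merged into one UTC timeline. The script below is an added example, not part of the original page; its function names are illustrative and the sample databases are constructed, reduced to the columns the queries use. Run it against working copies of the files, never the original evidence.

```python
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium (Chrome, Edge): microseconds since 1601-01-01 UTC; Firefox: since Unix epoch.
SOURCES = {
    "chromium": ("SELECT v.visit_time, u.url, u.title FROM visits v "
                 "JOIN urls u ON u.id = v.url",
                 datetime(1601, 1, 1, tzinfo=timezone.utc)),
    "firefox": ("SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
                "JOIN moz_places p ON p.id = h.place_id",
                datetime(1970, 1, 1, tzinfo=timezone.utc)),
}

def read_visits(db_path, kind):
    """Read a working copy read-only (mode=ro, immutable=1: no locking, no writes)."""
    sql, epoch = SOURCES[kind]
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        return [(epoch + timedelta(microseconds=ts), kind, url, title)
                for ts, url, title in con.execute(sql) if ts]  # skip empty times

def timeline(dbs):
    """Merge visits from several (path, kind) databases, oldest first."""
    return sorted((r for p, k in dbs for r in read_visits(p, k)), key=lambda r: r[0])

def build_samples(folder):
    """Constructed sample databases, reduced to the columns queried above."""
    scripts = {"History": """
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/login', 'Login');
        INSERT INTO visits VALUES (1, 1, 13350000000000000);""",
               "places.sqlite": """
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1705526000000000);"""}
    for name, script in scripts.items():
        with closing(sqlite3.connect(Path(folder, name))) as con:
            con.executescript(script)
    return [(Path(folder, "History"), "chromium"), (Path(folder, "places.sqlite"), "firefox")]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for when, kind, url, title in timeline(build_samples(tmp)):
            print(when.isoformat(), kind, url, title)
```

Real History and places.sqlite files carry more tables and columns than the reduced samples; the two queries touch only the ones shown.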

Log2Timeline & Plaso

Can create a forensic timeline of browser activity by extracting and correlating timestamps from IE’s index.dat and Edge’s WebCacheV01.dat.

Registry Analysis Locations for Browsing History:

Windows

Browser | Registry Key | Purpose
Internet Explorer | HKCU\Software\Microsoft\Internet Explorer\TypedURLs | Stores manually typed URLs
Microsoft Edge (Legacy) | HKCU\Software\Microsoft\Edge\TypedURLs | Stores manually typed URLs
Google Chrome | HKCU\Software\Google\Chrome\PreferenceMACs | May contain encrypted browsing data
Mozilla Firefox | HKCU\Software\Mozilla\Mozilla Firefox\ | Stores Firefox profile information
All Browsers (Including Edge Chromium) | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | Stores recent manually typed paths, including URLs

Key Files for Browsing History Recovery

Browser | File Location | Purpose
Internet Explorer | C:\Users\<user>\AppData\Local\Microsoft\Windows\History\index.dat | Stores browsing history
Internet Explorer | C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\ | Stores cached files
Edge (Legacy) | C:\Users\<user>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | Stores browsing history, cookies, cache
Edge (Chromium) | C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Default\History | SQLite database storing browsing history
Google Chrome | C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\History | SQLite database storing browsing history
Google Chrome | C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Cache | Stores cached web content
Mozilla Firefox | C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\places.sqlite | SQLite database storing browsing history and bookmarks
Mozilla Firefox | C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cache2\entries\ | Stores cached web content
Mozilla Firefox | C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite | Stores browser cookies

macOS:
Google Chrome
Profile Folder: ~/Library/Application Support/Google/Chrome/
Preferences: ~/Library/Application Support/Google/Chrome/User Data/Default/Preferences
Cache: ~/Library/Caches/Google/Chrome/
Extensions: ~/Library/Application Support/Google/Chrome/User Data/Default/Extensions/
History and Cookies: ~/Library/Application Support/Google/Chrome/User Data/Default/History

Firefox
Profile Folder: ~/Library/Application Support/Firefox/Profiles/
Preferences: ~/Library/Application Support/Firefox/profiles.ini
Cache: ~/Library/Caches/Firefox/
Extensions: ~/Library/Application Support/Firefox/Profiles/[ProfileName]/extensions/
History and Cookies: ~/Library/Application Support/Firefox/Profiles/[ProfileName]/places.sqlite

MS Edge
Profile Folder: ~/Library/Application Support/Microsoft Edge/
Preferences: ~/Library/Application Support/Microsoft Edge/User Data/Default/Preferences
Cache: ~/Library/Caches/Microsoft Edge/
Extensions: ~/Library/Application Support/Microsoft Edge/User Data/Default/Extensions/
History and Cookies: ~/Library/Application Support/Microsoft Edge/User Data/Default/History

Safari
Profile Folder: ~/Library/Safari/
Preferences: ~/Library/Preferences/com.apple.Safari.plist
Cache: ~/Library/Caches/com.apple.Safari/
Extensions: ~/Library/Safari/Extensions/
History and Cookies: ~/Library/Safari/History.db

Linux:
Google Chrome
Profile Folder: ~/.config/google-chrome/
Preferences: ~/.config/google-chrome/Default/Preferences
Cache: ~/.cache/google-chrome/
Extensions: ~/.config/google-chrome/Default/Extensions/
History and Cookies: ~/.config/google-chrome/Default/History

Firefox
Profile Folder: ~/.mozilla/firefox/
Preferences: ~/.mozilla/firefox/profiles.ini
Cache: ~/.cache/mozilla/firefox/
Extensions: ~/.mozilla/firefox/[ProfileName]/extensions/
History and Cookies: ~/.mozilla/firefox/[ProfileName]/places.sqlite

MS Edge
Profile Folder: ~/.config/microsoft-edge/
Preferences: ~/.config/microsoft-edge/Default/Preferences
Cache: ~/.cache/microsoft-edge/
Extensions: ~/.config/microsoft-edge/Default/Extensions/
History and Cookies: ~/.config/microsoft-edge/Default/History
