Dray Agha
EMEA Security Operations Center Manager @HuntressLabs || “Competition is the law of the jungle, but cooperation is the law of civilisation” - Kropotkin

Feb 28, 2022, 19 tweets

Let’s have a chat about web browser investigations

We’ll look at Chrome, Edge, Firefox, and Safari’s data, and investigate whether a user has downloaded anything from a dubious, malicious source.

Along the way, we'll drop tips on formatting the data so it's easier to look at.

🧵

We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.

If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.

We're focusing on downloads and their corresponding URLs.

According to this graph I didn’t fact check, Chrome and Safari dominate the game.

Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too.

Chrome & Edge
Both are built on Chromium.

You find the history database in the following paths:

Chrome:
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History

Edge:
C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History

The ‘sqlite3’ command-line tool can open up our database files.

Then run ‘.tables’ to see how the data is organised and which tables we can delve deeper into.

If you just run ‘select * from downloads;’, you’ll be annoyed by the messy output.

To transform the data into something more useful to look at, try this, which will open it up in Excel:

.excel
.headers on
select * from downloads;

And then, once you tidy this up, it's easy to see what the user downloaded and from where.

Edge is essentially the same as Chrome, but with path variations.
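The query below is an added example (not part of the thread) that does in Python what the sqlite3 one-liners above do by hand, plus the two things you end up wanting every time: the download joined to the URL that actually served it, and Chromium's timestamps turned into readable UTC. Chromium stores times as microseconds since 1601-01-01 and keeps each download's URL chain in a separate `downloads_url_chains` table; the sample schema is a cut-down subset of the real one and the rows are constructed. One practical caveat built in: the live History file is locked while the browser runs, so copy it first and open the copy read-only.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores timestamps as microseconds since 1601-01-01 UTC (the "WebKit" epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Download states as written by Chromium's download database.
STATES = {0: "in_progress", 1: "complete", 2: "cancelled", 3: "interrupted"}


def webkit_to_iso(value: int) -> str:
    """Convert a WebKit/Chromium timestamp to a readable UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).strftime("%Y-%m-%d %H:%M:%S UTC")


def list_downloads(conn: sqlite3.Connection) -> list[dict]:
    """Join each download with the final URL of its redirect chain.

    downloads_url_chains holds the URL(s) a download came through; the highest
    chain_index is the URL that actually served the file, which is the one to pivot on.
    """
    sql = """
        SELECT d.id, d.target_path, d.start_time, d.state, d.tab_url, c.url
        FROM downloads AS d
        JOIN downloads_url_chains AS c ON c.id = d.id
        WHERE c.chain_index = (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id)
        ORDER BY d.start_time
    """
    rows = []
    for id_, path, start, state, tab_url, url in conn.execute(sql):
        rows.append({
            "id": id_,
            "target_path": path,
            "started": webkit_to_iso(start),
            "state": STATES.get(state, f"unknown({state})"),
            "tab_url": tab_url,  # page the user was on when the download began
            "url": url,          # URL that served the file
        })
    return rows


def open_history_copy(path: str) -> sqlite3.Connection:
    """Open a *copied* History file read-only; the live file is locked by the running browser."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a subset of Chrome's History schema with invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(r"""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                                state INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT,
                                           PRIMARY KEY (id, chain_index));
        INSERT INTO downloads VALUES (1, 'C:\Users\alice\Downloads\invoice.pdf', 13290523200000000, 1,
                                      'https://mail.example.com/');
        INSERT INTO downloads_url_chains VALUES (1, 0, 'https://mail.example.com/attachment/42');
        INSERT INTO downloads VALUES (2, 'C:\Users\alice\Downloads\setup.exe', 13290526800000000, 1,
                                      'https://short.example.net/abc');
        INSERT INTO downloads_url_chains VALUES (2, 0, 'https://short.example.net/abc');
        INSERT INTO downloads_url_chains VALUES (2, 1, 'http://cdn.example.org/setup.exe');
    """)
    return conn


if __name__ == "__main__":
    for row in list_downloads(build_sample_db()):
        print(row)
```

For a real case, swap `build_sample_db()` for `open_history_copy("History")` pointing at your copied file; the same function works for Edge because the schema is shared.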

Safari

Safari’s data can be found in the directory: /System/Volumes/Data/Users/*/Library/Safari/

You can use the files Downloads.plist and History.db.

For the History database, we can 'select * from history_items;'

And for the .plist, because we’re lazy, we can just run strings over the file.
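An added example (not from the thread) for the lazy-but-tidier route: parse Downloads.plist with Python's plistlib, which handles binary plists that `strings` mangles, and join History.db's `history_items` to `history_visits` so each URL comes with a visit time. Safari stores `visit_time` as seconds since 2001-01-01 (the Cocoa epoch), which the conversion handles. The plist key names (`DownloadEntryURL`, `DownloadEntryPath`, `DownloadEntryDateAddedKey`) are an assumption based on the layout commonly seen in this file, and the schema subset and rows are constructed; check `plist.keys()` against your own file.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Safari's History.db stores visit_time as seconds since 2001-01-01 UTC (the Cocoa epoch).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds: float) -> str:
    """Convert a Cocoa timestamp to a readable UTC string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_downloads_plist(data: bytes) -> list[dict]:
    """Parse Downloads.plist (binary or XML) instead of running strings over it.

    Key names are an assumption (the layout commonly seen in this file); compare
    them with print(plistlib.loads(data).keys()) on a real sample.
    """
    plist = plistlib.loads(data)
    entries = []
    for entry in plist.get("DownloadHistory", []):
        added = entry.get("DownloadEntryDateAddedKey")
        entries.append({
            "url": entry.get("DownloadEntryURL"),
            "path": entry.get("DownloadEntryPath"),
            "added": added.isoformat() if added else None,
        })
    return entries


def list_visits(conn: sqlite3.Connection) -> list[dict]:
    """history_items holds one row per URL; history_visits holds each visit and its time."""
    sql = """
        SELECT i.url, v.visit_time, v.title
        FROM history_visits AS v
        JOIN history_items AS i ON i.id = v.history_item
        ORDER BY v.visit_time
    """
    return [{"url": url, "visited": cocoa_to_iso(t), "title": title}
            for url, t, title in conn.execute(sql)]


def build_samples() -> tuple[bytes, sqlite3.Connection]:
    """Constructed sample data: a small binary plist and a History.db schema subset."""
    plist_bytes = plistlib.dumps({
        "DownloadHistory": [{
            "DownloadEntryURL": "https://files.example.org/report.dmg",
            "DownloadEntryPath": "~/Downloads/report.dmg",
            "DownloadEntryDateAddedKey": datetime(2022, 2, 28, 12, 0, 0),
        }]
    }, fmt=plistlib.FMT_BINARY)
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://files.example.org/report.dmg', 1);
        INSERT INTO history_visits VALUES (1, 1, 667742400.0, 'Quarterly report');
    """)
    return plist_bytes, conn


if __name__ == "__main__":
    plist_bytes, conn = build_samples()
    print(parse_downloads_plist(plist_bytes))
    print(list_visits(conn))
```

On a real machine, read the bytes with `open("Downloads.plist", "rb").read()` and open a copy of History.db with `sqlite3.connect`, as Safari may hold a write-ahead log alongside it.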

Firefox

For Firefox, we’ll go to: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\

And there we get the files Downloads.json and Places.sqlite.

For the JSON, I’d just take it to CyberChef and pretty it up:
gchq.github.io/CyberChef/#rec…

Again we can use sqlite3 for Places.sqlite.

And then execute `select * from moz_places;`

But the above looks awful! Here is a formatting tip that will make it a more enjoyable read:

.mode line
select * from moz_places;
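An added example (not the thread's own) for Places.sqlite that goes a step beyond `select * from moz_places;`: it joins `moz_places` to `moz_historyvisits`, converts Firefox's PRTime values (microseconds since 1970-01-01) to readable UTC, unreverses the `rev_host` column into a normal hostname, and can filter to visits whose `visit_type` is 7, which is how Places marks a download. The schema subset and rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Firefox (PRTime) stores timestamps as microseconds since 1970-01-01 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# moz_historyvisits.visit_type values used by Places; 7 marks a download.
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload"}


def prtime_to_iso(value: int) -> str:
    """Convert a PRTime microsecond timestamp to a readable UTC string."""
    return (UNIX_EPOCH + timedelta(microseconds=value)).strftime("%Y-%m-%d %H:%M:%S UTC")


def rev_host_to_host(rev_host: str) -> str:
    """moz_places.rev_host is the hostname reversed with a trailing dot ('moc.elpmaxe.')."""
    return rev_host.rstrip(".")[::-1]


def list_visits(conn: sqlite3.Connection, only_downloads: bool = False) -> list[dict]:
    """Every visit with its URL, hostname, time and type; optionally just the downloads."""
    sql = """
        SELECT p.url, p.rev_host, p.title, v.visit_date, v.visit_type
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date
    """
    rows = []
    for url, rev_host, title, visit_date, visit_type in conn.execute(sql):
        kind = VISIT_TYPES.get(visit_type, f"unknown({visit_type})")
        if only_downloads and kind != "download":
            continue
        rows.append({"url": url, "host": rev_host_to_host(rev_host or ""), "title": title,
                     "visited": prtime_to_iso(visit_date), "type": kind})
    return rows


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a subset of the Places schema with invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, rev_host TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/page', 'Example', 'moc.elpmaxe.',
                                       1, 1646049600000000);
        INSERT INTO moz_places VALUES (2, 'http://cdn.example.org/setup.exe', NULL, 'gro.elpmaxe.ndc.',
                                       1, 1646049660000000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1646049600000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 2, 1646049660000000, 7);
    """)
    return conn


if __name__ == "__main__":
    for row in list_visits(build_sample_db(), only_downloads=True):
        print(row)
```

`from_visit` links a download visit back to the page it was triggered from, so following it gives you the referring page when the URL itself is not telling.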

If you’d rather not mess around with the command line, you can always find a visualiser that lets you upload your database.

But be careful not to upload data to just any random website….

You may see a suspicious URL amongst this data.

You can take it to VirusTotal: virustotal.com/gui/search/

Or, to go and see for yourself, take it to urlscan: urlscan.io

I hope this crash-course thread has covered some tools and methods that will help you explore the forensic artefacts that matter in web browser investigations 💪
