Let’s have a chat about web browser investigations
We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.
Along the way, we'll drop tips on formatting the data so it's easier to look at.
🧵
We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.
Along the way, we'll drop tips on formatting the data so it's easier to look at.
🧵
We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.
If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.
We're focusing on downloads and their corresponding URLs.
If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.
We're focusing on downloads and their corresponding URLs.
According to this graph I didn’t fact check, Chrome and Safari dominate the game.
Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too.
Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too.
C͟h͟r͟o͟m͟e͟ ͟&͟ ͟E͟d͟g͟e͟
Both built on Chromium
You find the history database in the following paths:
Chrome:
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
Edge:
C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History
Both built on Chromium
You find the history database in the following paths:
Chrome:
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
Edge:
C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History
‘sqlite3’ can open up our database files
Then, to see how the data is organised, run ‘.tables’ to see what options we can delve deeper into.
If you just run ‘select * from downloads;’ , you’ll be annoyed by the messy output
To transform the data to something more useful to look at, try this, which will open it up in excel:
.excel
.headers on
select * from downloads;
And then if you tidy this up it's easy to see what the user downloaded and from where
.excel
.headers on
select * from downloads;
And then if you tidy this up it's easy to see what the user downloaded and from where
Edge is essentially the same as Chrome, but with path variations
S͟a͟f͟a͟r͟i
Safari’s data can be found in the directory : /System/Volumes/Data/Users/*/Library/Safari/
You can use the files Downloads.plist and History.db
Safari’s data can be found in the directory : /System/Volumes/Data/Users/*/Library/Safari/
You can use the files Downloads.plist and History.db
For the History database, we can 'select * from history_items;'
And for the .plist, because we’re lazy we can just strings the file.
F͟i͟r͟e͟f͟o͟x
For Firefox, we’ll go to: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\
And we get the files Downloads.json and Places.sqlite
For Firefox, we’ll go to: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\
And we get the files Downloads.json and Places.sqlite
Again we can use sqlite3 for Places.sqlite
And then execute `select * from moz_places;`
And then execute `select * from moz_places;`
But the above looks awful! I have a formatting tip for you that will make it a more enjoyable read:
.mode line
select * from moz_places;
.mode line
select * from moz_places;
If you’d rather not mess around with command line, you can always find a visualiser that lets you upload your database.
But be careful to not just upload data to any random website….
But be careful to not just upload data to any random website….
You may see a suspicious URL amongst this data.
You can take it to Virus total : virustotal.com/gui/search/
Or, to go and see for yourself, go to Urlscan : urlscan.io
You can take it to Virus total : virustotal.com/gui/search/
Or, to go and see for yourself, go to Urlscan : urlscan.io
I hope this crash-course thread has discussed some tools and methods that will help you explore other forensic artefacts that can help you in web browser investigations 💪
• • •
Missing some Tweet in this thread? You can try to
force a refresh
