Digital Forensics | C:\Users\Escafl0wn3

Hello there! (I know, Obi-Wan would it be proud!)

Today I bring to you some basic procedures that might help you to research possible IOCs, evidence or resources to be analyzed on your intelligence cycle. All of this in the context of well known Internet Browsers (Chrome, Firefox, Edge, etc).

In my experience so far, trying to gather as much information as possible from a Browser, I use a free tool called Sqlite Browser (https://sqlitebrowser.org/dl/):

This very intuitive and easy-to-use software, lets you browse the common local databases that this browsers creates to store your historical information, such as downloads, urls, searches, logs, in a timeline.

You can achieve this exploring the usual common paths for this browsers:

C:\Users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Default

C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\PROFILEID

Before touching anything at all, the golden rule in forensics is “Never use the original, always make a copy”. So what we are going to do is hash the original file, make a copy of this file and hash that copy too, this way we could rest sure is an exact match.

In windows you can achieve that using Powershell:

Once you have that copy with the exact match as a proof, you can start working on it.

–Open the Sqlite DB browser and click on “Open Database Read Only”:

If you ask Why Read Only? is because you want to extract information from here without affecting it’s integrity. I know it’s a copy, but still ¡It’s a good habit! Make sure you select “All Files(*)“

Here you will see all the tables on the file:

I dare to say almost every table can give you a lot of information, I will not go deep on every one of these, but as an example, you can check the Downloads history, with the right time and place (URL in this case…).

–Go to the second tab “Browse Data” and on ‘Table’ select Downloads:

(I had to make it in two pictures since it’s too long, with too many columns)

From this columns you can get dates, urls, sizes, the exact time it took to download, the mime types and much more.

Something that it’s important to say, is that the times are displayed on Epoch/Unix, so you can use an online converter like: https://www.epochconverter.com/ to read it in human format.

–Switch to other tables like “urls” and you will see different columns/information like :

–Another interesting table is “Keyword_Search_Terms”, as it’s name says, it represents all your searches on search engines :

–If we decide to explore/switch to a different file, another one very useful can be Bookmarks or Cookies. Some of the columns with information that you might find here:

Take your time to explore all the different files that you can find on this browser’s default paths, just remember to follow the first part, never play with an original file, you might corrupt the data.

Now, let’s say you want to find out if someone used the built-in feature of the browser to clear/delete history, caché and/or downloads. Here’s something you can use to, not just confirm if this has been done, but also to know which “period” or “range” in the history has been deleted:

->Close Chrome (As an example) and then open the following path:
C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

->Find a file called “Preferences” , right click on it and “Open with” Notepad, Notepad++, Sublime, Wordpad or any other text editor: