All SkillsGet Started Free
Extracting Browser History Artifacts
Extract and analyze browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge for forensic evidence of user web activity.
MCP get_skill({ skillId: "extracting-browser-history-artifacts-7ce2c96a" })Use this skill with your agent
Create a free account and connect via MCP
# Extracting Browser History Artifacts
## When to Use
- When investigating user web activity as part of a forensic examination
- During insider threat investigations to establish patterns of data exfiltration
- When tracing user visits to malicious or policy-violating websites
- For correlating browser activity with other forensic artifacts and timelines
- When investigating phishing attacks to identify which links were clicked
## Prerequisites
- Forensic image or access to user profile directories
- SQLite3 for querying browser databases
- Hindsight, BrowsingHistoryView, or DB Browser for SQLite
- Knowledge of browser artifact file locations per OS
- Python 3 with sqlite3 module for automated extraction
- Understanding of Chrome, Firefox, and Edge storage formats
## Workflow
### Step 1: Locate Browser Artifact Files
```bash
# Mount forensic image
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence
# Chrome artifact locations (Windows)
CHROME_WIN="/mnt/evidence/Users/suspect/AppData/Local/Google/Chrome/User Data/Default"
# Key files: History, Cookies, Login Data, Web Data, Bookmarks, Preferences,
# Cache/, GPUCache/, Local Storage/, Session Storage/, IndexedDB/
# Firefox artifact locations (Windows)
FIREFOX_WIN="/mnt/evidence/Users/suspect/AppData/Roaming/Mozilla/Firefox/Profiles/*.default-release"
# Key files: places.sqlite, cookies.sqlite, formhistory.sqlite, logins.json,
# key4.db, sessionstore.jsonlz4, webappsstore.sqlite
# Edge (Chromium) artifact locations (Windows)
EDGE_WIN="/mnt/evidence/Users/suspect/AppData/Local/Microsoft/Edge/User Data/Default"
# Copy artifacts to working directory
mkdir -p /cases/case-2024-001/browser/{chrome,firefox,edge}
cp -r "$CHROME_WIN"/{History,Cookies,Downloads,"Login Data","Web Data",Bookmarks} \
/cases/case-2024-001/browser/chrome/ 2>/dev/null
cp -r $FIREFOX_WIN/{places.sqlite,cookies.sqlite,formhistory.sqlite,logins.json} \
/cases/case-2024-001/browser/firefox/ 2>/dev/null
cp -r "$EDGE_WIN"/{History,Cookies,Downloads} \
/cases/case-2024-001/browser/edge/ 2>/dev/null
# Hash artifacts for integrity
find /cases/case-2024-001/browser/ -type f -exec sha256sum {} \; \
> /cases/case-2024-001/browser/artifact_hashes.txt#mukul-cybersecurity-skills#security#cybersecurity#forensicspythonsqlite