Skip to content

What files were downloaded using a web browser?

ID: Q1001

Approaches to Answer

Approaches

Note

There are often multiple ways to approach answering a question. This section explains the approaches considered, how they work, and any benefits or drawbacks to each. All these approaches have different pros and cons. They can be used individually or in conjunction.

Collect download records from local browser artifacts

🗂️ Explanation

Most web browsers track file downloads (at least in non-Incognito/private sessions) in local artifacts on the system. We can collect and review these records. This approach is useful when you have remote access to a system (via GRR for example) or a disk image.

References

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

  • Chrome downloads. Beyond "stable" Chrome, this also includes Chromium, Chrome Canary, Chrome Beta, and other Chromium-based browsers (Microsoft Edge, Brave, and Opera) on Windows, macOS, and Linux
  • Safari downloads
  • Includes downloads from all Chrome profiles

Not Covered

  • Firefox downloads
  • Downloads on any other browsers
  • Browsers installed in non-standard paths
  • Downloads made during Incognito sessions

💾 Data

The following data source(s) are needed for this approach to the question.

Description
Collect local browser history artifacts. These are often in the form of SQLite databases and JSON files in multiple directories.
Type
ForensicArtifact
Value
BrowserHistory (view on GitHub)

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

More information on Plaso.

Recommended options:

 --parsers webhist

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

OpenSearch

  1. Filter the results to just file downloads

  2. OpenSearch query:

    data_type:("chrome:history:file_downloaded" OR "safari:downloads:entry")

Python Notebook

  1. Filter the results to just file downloads

  2. Python code:

    df.query('data_type in ("chrome:history:file_downloaded", "safari:downloads:entry")')

More information on Hindsight.

Recommended options:

 --format jsonl

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Hindsight's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

OpenSearch

  1. Filter the results to just file downloads. Hindsight only supports Chromium-based browsers (including Microsoft Edge) and not Firefox or Safari.

  2. OpenSearch query:

    data_type:"chrome:history:file_downloaded"

Python Notebook

  1. Filter the results to just file downloads. Hindsight only supports Chromium-based browsers (including Microsoft Edge) and not Firefox or Safari.

  2. Python code:

    df.query('data_type == "chrome:history:file_downloaded"')

Detect browser downloads via file system event logs

🗂️ Explanation

Chrome downloads on macOS create a specific pattern of file system events:

  1. Download starts with a WRITE event to a temp file named like .com.google.Chrome.avXx0U (the suffix looks to be 6 letters/numbers).
  2. That .com.google.Chrome... temp file might be RENAMEd to Unconfirmed [6 digits].crdownload.
  3. If [2] Unconfirmed...crdownload RENAME didn't happen, the .com.google. temp file is renamed to the eventual filename (with extension) with .crdownload appended at the end (like cat.jpg.crdownload). In either case ([2] or [3]), at this point we have a file ending in .crdownload.
  4. Once the download completes, the .crdownload suffix is removed via a RENAME event, leaving the downloaded file with its final name.

Since [4] above captures the key information about the file download, we can search file system logs for it.

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

  • Chrome downloads on macOS (given that Santa was installed and logging enabled)

Not Covered

  • All other browsers
  • Downloads from other Chromium/Chrome-based browsers might be collected via this method, but testing is necessary to confirm.
  • Downloads that occurred on macOS with Santa, but during a time period for which there are no Santa logs (out of retention or Santa was disabled).

💾 Data

The following data source(s) are needed for this approach to the question.

Description
Santa logs stored on the local disk; they may also be centralized off-system, but this artifact does not include those.
Type
ForensicArtifact
Value
SantaLogs (view on GitHub)

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

More information on Plaso.

Recommended options:

 --parsers santa

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

OpenSearch

  1. Filter the results to file system rename events where the original file name ended with .crdownload.

  2. OpenSearch query:

    data_type:"santa:file_system_event" action:RENAME file_path:"*\.crdownload"

Detect browser downloads via change journal records

🗂️ Explanation

Chrome downloads on Windows create a specific pattern of events on the file system:

  1. **Download starts with a FILE CREATE event to .tmp file; older Chrome versions have been observed creating four character file names (like 7DEE.tmp) while newer versions use file names consistent with Version 4 UUIDs (like 183011a0-f96c-4c98-b71b-ab8754fb0e0e.tmp).
  2. That .tmp file might be RENAMEd to Unconfirmed [6 digits].crdownload.
  3. If [2] Unconfirmed...crdownload RENAME didn't happen, the .tmp file is renamed to the eventual filename (with extension) with .crdownload appended at the end (like cat.jpg.crdownload). In either case ([2] or [3]), at this point we have a file ending in .crdownload.
  4. Once the download completes, the .crdownload suffix is removed via a USN_REASON_RENAME_OLD_NAME event, leaving the downloaded file with its final name.

Since [4] above captures the key information about the file download, we can search change journal records for it.

References

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

  • Chrome downloads to an NTFS volume

Not Covered

  • All other browsers.
  • Downloads from other Chromium/Chrome-based browsers might be collected via this method, but testing is necessary to confirm.
  • Downloads on file systems other than NTFS.
  • Downloads that would be covered, but happened long enough ago that the USN Journal records that would show it have been deleted.

💾 Data

The following data source(s) are needed for this approach to the question.

Description
The NTFS $UsnJnrl file system metadata file. This ForensicArtifact definition does not include the $J alternate data stream, but many tools collect it anyway.
Type
ForensicArtifact
Value
NTFSUSNJournal (view on GitHub)

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

More information on Plaso.

Recommended options:

 --parsers usnjrnl

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

OpenSearch

  1. Filter the results to file system rename events where the original file name ended with .crdownload.

  2. OpenSearch query:

    data_type:"fs:ntfs:usn_change" filename:crdownload "USN_REASON_RENAME_OLD_NAME"

  3. Select and search for the file_reference value for an event of interest from the previous query. There should be one with the same timestamp as your previous event and its filename value is the download's final name.

  4. OpenSearch query:

    data_type:"fs:ntfs:usn_change" {file_reference value} "USN_REASON_RENAME_NEW_NAME"