What pages did web browsers visit?
UUID: e6fe3320-7051-4c0e-9d6e-61ee44b2b116 ID: Q1020
Approaches to Answer
- Collect URL visit records from local browser artifacts [Q1020.10]
- Parse URL visit records from web browsers' own databases.
- Tags: Web Browser SQLite Chrome Safari Firefox Edge Internet Explorer
Approaches
Note
There are often multiple ways to approach answering a question. This section explains the approaches considered, how they work, and any benefits or drawbacks to each. All these approaches have different pros and cons. They can be used individually or in conjunction.
Collect URL visit records from local browser artifacts
🗂️ Explanation
Parse URL visit records from web browsers' own databases.
Most web browsers track URL visits (at least in non-Incognito/private sessions) in local artifacts on the system. We can collect and review these records. This approach is useful when you have remote access to a system (via GRR for example) or a disk image.
References
- Chrome, Firefox, and Safari History on ForensicsWiki
- Web Browsers on ForensicArtifacts
📝 Notes
Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.
Covered
- Chrome URL visits. Beyond "stable" Chrome, this also includes Chromium, Chrome Canary, Chrome Beta, and other Chromium-based browsers (Microsoft Edge, Brave, and Opera) on Windows, macOS, and Linux
- Includes URL visits from all Chrome profiles
- Firefox URL visits
- Safari URL visits on Windows and macOS
- Internet Explorer (4 - 10) URL visits
Not Covered
- Other Chromium-based browsers not specified above
- Browsers installed in non-standard paths
- Visits made in Incognito/Private sessions
💾 Data
The following data source(s) are needed for this approach to the question.
- Description
- Collect local browser history artifacts. These are often in the form of SQLite databases and JSON files in multiple directories.
- Type
- ForensicArtifact
- Value
- BrowserHistory (view on GitHub)
⚙️ Processors
A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.
The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.
More information on Plaso.
Recommended options:
--parsers webhist
📊 Analysis
After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.
OpenSearch
- Filter the results to just URL page visits
-
OpenSearch query:
data_type:("chrome:history:page_visited" OR "firefox:places:page_visited" OR "safari:history:visit_sqlite")
Python Notebook
- Filter the results to just URL page visits
-
Python code:
df.query('data_type in ("chrome:history:page_visited", "firefox:places:page_visited", "safari:history:visit_sqlite")')
More information on Hindsight.
Recommended options:
--format jsonl
📊 Analysis
After processing the raw data, further analysis steps are necessary to answer the question. After loading Hindsight's output into one of these analysis platforms, use the following steps to refine the data to answer the question.
OpenSearch
-
Filter the results to just URL page visits. Hindsight only supports Chromium-based browsers (including Microsoft Edge) and not Firefox or Safari.
-
OpenSearch query:
data_type:"chrome:history:page_visited"
Python Notebook
-
Filter the results to just URL page visits. Hindsight only supports Chromium-based browsers (including Microsoft Edge) and not Firefox or Safari.
-
Python code:
df.query('data_type == "chrome:history:page_visited"')