Extracting Browser History Artifacts

When to Use

• When investigating user web activity as part of a forensic examination
• During insider threat investigations to establish patterns of data exfiltration
• When tracing user visits to malicious or policy-violating websites
• For correlating browser activity with other forensic artifacts and timelines
• When investigating phishing attacks to identify which links were clicked

Prerequisites

• Forensic image or access to user profile directories
• SQLite3 for querying browser databases
• Hindsight, BrowsingHistoryView, or DB Browser for SQLite
• Knowledge of browser artifact file locations per OS
• Python 3 with sqlite3 module for automated extraction
• Understanding of Chrome, Firefox, and Edge storage formats

Workflow