Windows Web Browser History Forensics - nurit-cyber/Windows-Evidence GitHub Wiki

Web Browser Forensics Introduction

Windows and most web browsers store information about searches and search habits in the form of cache and cookies. These can be saved locally to the machine and the web browser to quickly load web pages and to store search history.

Accessing this information reveals search habits to the investigator and what searches have been performed on the local system.

To simplify the searches, the tool used here for web history is BrowsingHistoryView by NirSoft, a free tool that searches and organizes web searches.

Importance

Web browsing history reveals a lot about an individual, especially about intent. Incredibly useful information can be revealed, for example if the suspect researched "how to deploy malware" on a system beforehand and a malware attack later occurred in the business.

In child pornography and human trafficking cases, similar evidence can arise. If an individual consistently tries to visit websites that have child pornography or searches for human trafficking resources, the web searches show a level of intent.

Evidence

Chrome

In Google Chrome, searches are traditionally stored under:

  • \Users\[user]\AppData\Local\Google\Chrome\User Data\Default\

BrowsingHistoryView, however, parses all of the information for the user.

After specifying which browser to look into, BrowsingHistoryView displays only Chrome searches on the machine.

image

In Google Chrome, the searches for kittens were found, along with the search to download Firefox and "how to not be sketchy".

These searches have been broken down into separate "Visit Types". Most are listed as "Links", which are general searches typed into the search bar that then redirect to the search results for those terms.

"Typed URL"s are URLs that BrowsingHistoryView deems to have been physically typed in by the user to access a specific site. What is considered a "Typed URL" differs by browser (e.g. Firefox's "Typed URL" is different from Chrome's "Typed URL"). This may lead to some inaccurate or inconsistent assumptions because "Visit Types" appear to be dictated by the browser.

However, the private search performed in Chrome, "how to avoid pizza", is nowhere to be found.

Edge/IE

Windows stores a lot more information about Microsoft Edge/Internet Explorer:

  • \Users\[user]\AppData\Local\Microsoft\Windows\INetCookies\
  • \Users\[user]\AppData\Local\Microsoft\Windows\WebCache\
  • \Users\[user]\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\

Despite data about Edge/IE being stored in more locations than other browsers, BrowsingHistoryView does an excellent job at collecting the information stored in those locations to find web search data.

image

As shown above, BrowsingHistoryView found the searches performed in Edge/IE: "puppies", a Google Chrome download, and "how to be sneaky".

There were no "Visit Types" available for Edge/IE in BrowsingHistoryView, nor did BrowsingHistoryView find the private search on Edge, "how to make money illegal".

Firefox

Firefox stores browsing history information under:

  • \Users\[user]\AppData\Roaming\Mozilla\Firefox\Profiles\

BrowsingHistoryView parses this information well, too.

image

BrowsingHistoryView found the searches for turtles, "how to hack", and a Tor download. "Visit Types" are available for Firefox as well.

However, BrowsingHistoryView did not find the private search on Firefox, "how to eat burgers". This search was not found in the folders either.
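The "Visit Types" discussed in the Chrome and Firefox sections come from values each browser records in its own SQLite history database. The following is an added example, not part of the original wiki or of BrowsingHistoryView: it reads Chrome's History and Firefox's places.sqlite tables directly and decodes each browser's visit-type codes and timestamps. The function names, sample rows and URLs are constructed for illustration, and the tables are a subset of the real schemas.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome "History" DB: core type is the low 8 bits of visits.transition.
CHROME_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
# Firefox "places.sqlite": moz_historyvisits.visit_type.
FIREFOX_TYPES = {1: "LINK", 2: "TYPED", 3: "BOOKMARK", 4: "EMBED",
                 5: "REDIRECT_PERMANENT", 6: "REDIRECT_TEMPORARY",
                 7: "DOWNLOAD", 8: "FRAMED_LINK", 9: "RELOAD"}
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def chrome_visits(con):
    """Yield (UTC time, type, url); visit_time is microseconds since 1601-01-01."""
    q = ("SELECT v.visit_time, v.transition, u.url FROM visits v "
         "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    for ts, transition, url in con.execute(q):
        kind = CHROME_TYPES.get(transition & 0xFF, "UNKNOWN")  # drop qualifier bits
        yield CHROME_EPOCH + timedelta(microseconds=ts), kind, url

def firefox_visits(con):
    """Yield (UTC time, type, url); visit_date is microseconds since 1970-01-01."""
    q = ("SELECT v.visit_date, v.visit_type, p.url FROM moz_historyvisits v "
         "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date")
    for ts, vtype, url in con.execute(q):
        kind = FIREFOX_TYPES.get(vtype, "UNKNOWN")
        yield UNIX_EPOCH + timedelta(microseconds=ts), kind, url

def constructed_samples():
    """Constructed rows in in-memory databases (a subset of the real schemas)."""
    chrome, firefox = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    chrome.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, transition INTEGER);
        INSERT INTO urls VALUES (1, 'https://search.example/?q=kittens'), (2, 'https://site.example/');
        INSERT INTO visits VALUES (1, 1, 13300000000000000, 805306368), (2, 2, 13300000060000000, 805306369);""")
    firefox.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://search.example/?q=turtles');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1655526400000000, 2);""")
    return chrome, firefox

if __name__ == "__main__":
    for db, parse in zip(constructed_samples(), (chrome_visits, firefox_visits)):
        for when, kind, url in parse(db):
            print(when.isoformat(), kind, url)
```

To run this against real evidence, pass `sqlite3.connect` a working copy of the History or places.sqlite file from the profile folders listed above; the live files are typically locked while the browser is running.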

Tor

Tor is a browser that was created with privacy in mind. This creates some difficulties in finding what was searched using Tor, as Tor does not store any files related to the user's search, such as cache and cookies.

Looking into Tor's folders yielded no results either; most of the files were directly related to how Tor ran on the system.

Needless to say, BrowsingHistoryView does not support Tor.

This means the searches for koalas and "how to pet puppies" were not found on the local device.

Analysis

All of the web searches were found and displayed in BrowsingHistoryView except for those made in Tor, which is a browser designed around privacy, and those made in the private browsing windows of each of the other browsers.

This means that the searches performed in private windows are not stored locally, which was double-checked in the temp folders created for the browsers on the Windows machine.

Implications

Most web searches are stored on the system locally, and finding user searches implies a certain interest in the topic being searched. While a web search is not enough evidence to prove that the suspect committed the crime (unless the crime was searching something), it does provide evidence for an interest.

However, with "Visit Types", a little more can be told about the suspect. "Typed URL"s can show that the user intended to go to the website, as the address was physically typed into the URL search bar and then navigated to. Conscious thought is necessary to type the URL into the search bar, which can indicate that the user intended to go to an illegal site to download or pirate illegal images or files.

Overall, more evidence is better, and while this evidence is great to supplement others, whether it be for intent or accessing illegal sites, this should not be a sole piece of evidence in a case. Web browsing history should be used in combination with other pieces of evidence to build a stronger case.