06 - Browser Forensics Flashcards
What are the Chrome Browser Application Folders for Windows, MacOS, Linux?
- \Users\AppData\Local\Google\Chrome\User Data\Default
- /Users//Library/Application Support/Google/Chrome/Default
- /.config/google‐chrome/Default
What are the important tables in the Chrome Browser History database?
- urls: Information on all URLs visited. There is one entry per URL.
- visits: Each visit made by the user. From these the web history is rebuilt.
=> tables need to be joined to get web history.
What is the SQL query to see the browser history in Google Chrome?
SELECT visits.visit_time,urls.url
FROM visits, urls
WHERE visits.url = urls.id;
What is the Chrome Browser Web History Timestamp?
It is recorded in Webkit Time Format = No of micro sec since 01-Jan-1601. This time needs to be converted to Unix Epoch time. Then SQlite datetime function can be used to convert it into a human readable format.
Convert to Unix Epoch Time:
SELECT (visit_time/1000000) - 11644473600 AS time FROM visits;
=> 11644473600: No of seconds between beginning of Webkit time (01-Jan-1601) and Unix Epoch Time (01-Jan-1970).
What are Chrome Session Cookies?
Transient cookie, erased when the user closes the web browser.
SELECT * FROM Cookies WHERE persistent = 0;
What are the Mozilla Firefox files of interest?
places.sqlite: Used to rebuild history
cookies.sqlite: The cookie store
downloads.sqlite: Downloaded file location
formhistory.sqlite: Form autocomplete information
Howto Mozilla Firefox Rebuild Web History?
To rebuild the web history in Mozilla Firefox we need to use the places.sqlite database with two tables: moz_places and moz_historyvisits.
SELECT datetime(visit_date/1000000, ‘unixepoch’, ‘utc’), url
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id;
What is the Mozilla Firefox Date Stamps?
They are in PRTime format - No of microseconds since 1970.
Where are Mozilla Firefox Bookmarks stored?
stored in database places.sqlite in the table moz_bookmarks.
SQL: SELECT * FROM moz_bookmarks.
