Things You Must Know About Computer Forensic

Computer Forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

What are the different areas of Computer Forensics?

To become a Computer Forensics expert, you must know about these six areas:

  1. The Legal and Ethical Principles of Computer Forensics
  2. Computer Forensics Investigations
  3. Computer Forensics as Forensic Science
  4. Digital Forensics
  5. Application Forensics
  6. Hybrid and Emerging Technologies

Areas of Digital Forensics

  • Media and File System Forensics
  • Operating System Forensics
  • Network Forensics (Specially Browser)
  • Mobile Device Forensics
  • Virtual System Forensics

Areas of Application Forensics

  • Software Forensics
  • Web and Email Forensics
  • Database and Malware Forensics

Areas of Hybrid and Emerging Technologies Forensics

  • Cloud Forensics
  • Social Network Forensics
  • The Big Data Paradigm

Web Browser Forensic

Web Browser Forensics means to trace and collect data (i.e. browser history, cookies etc.) what maybe cause for the incident.

In forensics analysis, browsers are a gold mine with the amount of information they contain. Often the source of incidents and malware can be traced down using the artifacts found inside of browsers. From the navigation history to downloaded files, browsers are a critical piece in any forensics analysis.

What are the Most Popular Web Browsers

Different types of Web Browsers based on user popularity (all desktop, tablet and mobile users):

  • Google Chrome
  • Safari
  • Mozilla Firefox
  • Samsung Internet
  • Microsoft Edge
  • Opera
  • UC Browser

Comparing Web Browsers Based on User Popularity

BrowserStatCounter (August 2020)NetMarketShare (August 2020)Wikimedia (November 2019)
Chrome65.99%65.86%48.7%
Safari16.82%18.50%22.0%
Firefox4.09%3.00%4.9%
Samsung Internet3.47%3.01%2.7%
Edge2.98%3.29%1.9%
Opera2.09%0.83%1.1%
UC1.35%0.47%0.3%

Comparing Web Browsers Based on Security

CriteriaMozillaOperaSafariEdgeChrome
Private Browsing mode
Blocks third-party tracking cookies
Blocks cryptomining scripts
Blocks social trackers/td>

What are the different web browser artifacts?

  1. Navigation History
  2. Autocomplete Data
  3. Bookmarks
  4. Extensions and Addons
  5. Logins
  6. Browser Sessions
  7. Downloads
  8. Form Data
  9. Thumbnails

Web Browser Artifacts Location in Mozilla Firefox

Artifacts DataPath
Profile PathC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].default

 

C:UsersXXXAppDataLocalMozillaFirefoxProfiles[profileID].default

Navigation HistoryC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultplaces.sqlite
BookmarksC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultplaces.sqlite
Bookmarks BackupsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultbookmarkbackups
CookiesC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultcookies.sqlite
Cache

C:UsersXXXAppDataLocalMozillaFirefoxProfiles[profileID].defaultcache2entries

C:UsersXXXAppDataLocalMozillaFirefoxProfiles[profileID].defaultstartupCache

Form HistoryC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultformhistory.sqlite
AddonsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultaddons.sqlite
ExtensionsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultextensions.sqlite
FaviconsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultfavicons.sqlite
Settings And PreferencesC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultprefs.js
LoginsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultlogins.json
PasswordsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultkey4.db
Sessions Data

C:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultsessionstore.jsonlz4

C:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultsessionstore-backups

DownloadsC:UsersXXXAppDataRoamingMozillaFirefoxProfiles[profileID].defaultdownloads.sqlite
ThumbnailsC:UsersXXXAppDataLocalMozillaFirefoxProfiles[profileID].defaultthumbnails

Web Browser Artifacts Location in Google Chrome

Artifacts DataPath
Profile Path

C:UsersXXXAppDataLocalGoogleChromeUser DataDefault

C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultData

Navigation History, Search History, Download

C:UsersXXXAppDataLocalGoogleChromeUser DataDefaultHistory

C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataHistory

Bookmarks

C:UsersXXXAppDataLocalGoogleChromeUser DataDefaultBookmarks

C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataBookmarks

CookiesC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultCookies C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataCookies
Cache

C:UsersXXXAppDataLocalGoogleChromeUser DataDefaultCache

C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataCache

Form HistoryC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultWeb Data C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataWeb Data
Addons and ExtensionsC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultExtensions C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataExtensions
FaviconsC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultFavicons C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataFavicons
LoginsC:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataLogin Data
ThumbnailsC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultTop Sites C:UsersXXXAppDataLocalGoogleChromeUser DataDefaultThumbnails (Older versions)
Current Sessions DataC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultCurrent Session C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataCurrent Session
Current Tabs DataC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultCurrent Tabs C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataCurrent Tabs
Previous Sessions DataC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultLast Session C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataLast Session
Previous Tabs DataC:UsersXXXAppDataLocalGoogleChromeUser DataDefaultLast Tabs C:UsersXXXAppDataLocalGoogleChromeUser DataChromeDefaultDataLast Tabs

Web Browser Artifacts Location in Microsoft Edge

Artifacts DataPath
Profile PathC:UsersXXAppDataLocalPackagesMicrosoft.MicrosoftEdge_XXXAC
Navigation HistoryC:UsersXXAppDataLocalMicrosoftWindowsWebCacheWebCacheV01.dat
CookiesC:UsersXXAppDataLocalMicrosoftWindowsWebCacheWebCacheV01.dat
CacheC:UsersXXXAppDataLocalPackagesMicrosoft.MicrosoftEdge_XXXAC#!XXXMicrosoftEdgeCache
Settings And BookmarksC:UsersXXAppDataLocalPackagesMicrosoft.MicrosoftEdge_XXXACMicrosoftEdgeUserDefaultDataStoreDatanouser1XXXDBStorespartan.edb
Last SessionC:UsersXXAppDataLocalPackagesMicrosoft.MicrosoftEdge_XXXACMicrosoftEdgeUserDefaultRecoveryActive

Web Browser Artifacts Location in Opera Mini

Artifacts DataPath
CacheC:Users%userprofile%AppDataRoamingOpera SoftwareOpera StableShaderCacheGPUCachedata_3
Current Sessions DataC:Users%userprofile%AppDataRoamingOpera SoftwareOpera StableCurrent Session
Current Tabs DataC:Users%userprofile%AppDataRoamingOpera SoftwareOpera StableCurrent Tabs
Previous Sessions DataC:Users%userprofile%AppDataRoamingOpera SoftwareOpera StableLast Session
Last Tabs DataC:Users%userprofile%AppDataRoamingOpera SoftwareOpera StableLast Tabs

Web Browser Artifacts Location in Safari

Artifacts DataPath
Navigation HistoryC:Users%userprofile%LibrarySafariHistory.db
BookmarksC:Users%userprofile%LibrarySafariBookmarks.plist
Top Visited SitesC:Users%userprofile%LibrarySafariTopSites.plist
CacheC:Users%userprofile%LibraryCachescom.apple.SafariCache.db
Sessions DataC:Users%userprofile%LibrarySafariLastSession.plist

Top Web Browser Forensic Tools

Free

  1. Browser History Capturer
  2. Browser History Viewer
  3. SQLite Examiner
  4. Pasco
  5. Web Historian
  6. Nirsoft
  7. Total Recall (works for Internet Explorer versions prior to 10)
  8. Browser Forensic Tool

Paid

  1. Hindsight
  2. FTK
  3. Encase
  4. OSForensics
  5. Belkasoft Evidence Centre
  6. NetAnalysis
  7. Internet Examiner Toolkit

Hope your experience in our blog is not bad. Fell free to throw acomment.