Browser Usage

Forensic analysis of web browsers can uncover a large range of artifacts that can be used in both forensic and incident response investigations. These artifacts can include search history, webpage history, downloaded files, auto-complete data, saved passwords and cached web pages.

Some examples of evidence that can be found when analysing the artifacts of a web browser include:

  • Web searches showing what a user was thinking about at a point in time which can help show intent
  • Malicious links clicked on that could have caused a compromise
  • Downloaded files or tools involved in an attack that have since been deleted
  • Autofill data that is saved for the user to help understand what they were doing

When conducting a forensic investigation the artifacts found in a web browser can help determine the facts, for example if a user accessed a certain website of interest or downloaded files that have since been deleted. The evidence gathered from web browsers can help build a picture of what a user was doing at a certain point in time, proving extremely useful in employment disputes. It can also help show which person was behind the keyboard at a certain point in time.

While browsers are often thought of as only a web browser, not all of them are created equally from a forensic standpoint.

For example, Microsoft’s Edge browser also records local, removable, and remote network share file access. This allows for analysis of the files and applications that were accessed on the system. Some examples of what evidence that can found from examining IE/Edge artifacts are:

The ability to find out what a user was accessing, helps build a picture of who was behind the keyboard and what their intentions were. Examples of evidence that can found from examining Edge browser artifacts include:

  • What files were accessed from local, removable, and remote storage
  • What applications were launched on the computer and when this occurred

As explained above, the use of browser artifacts aid in determining who the user was that was accessing the computer at the time, and also when responding to an incident, help to determine the potential source of a compromise. An example of this is when an attacker sends a victim an email with a malicious link, the user then clicks on the link and is directed to a website that downloads a malicious application onto their computer. An investigation could uncover evidence that the website referenced in the malicious link was visited, and that it redirected the user to a page that downloaded the malicious application. Knowing the method of attack helps an organisation implement better security awareness training and also email filtering policies that will assist with  mitigating any future compromise.

In forensics, one major asset of browser histories is that most browsers will not clear the history for extended periods of time, if ever. An analyst may have multiple years worth of browsing history to search through for evidence. This extremely long term view of user activity can give the analyst the clearest picture of how a user was behaving in the lead up to whatever incident triggered the investigation. We sometimes see users search for “how to delete my web browser history”. Therefore, it’s critical to create a forensic copy of the entire computer and not just rely on ‘logging onto’ the computer.

All in all, browser history artifacts are a valuable source of information for a forensic investigator, giving insight into the activity and mindset of a user over a long period of time.