About a month ago, I started a forensic project at Dreamlab Technologies, which I won't give many details about (for obvious reasons). During my analysis, I had to face a hard disk with dozens of data to analyze in historical terms, which was a very exhausting task, but allowed me to get a deeper level of understanding of the system.
Among all the artifacts I had to analyze, the "web browsing artifacts" and in particular the Chromium-based Microsoft Edge artifacts gave me extra work as I couldn't find a forensic tool to parse those files. This led me to investigate a little more about how the information stored by Microsoft Edge worked, looking specifically at data such as history, downloads, shortcuts, etc.
In this new blog entry I will tell you about how I was able to obtain the data from these artifacts and from a small tool that I built for the occasion.
Edge folders and files
On January 15th, 2020 Microsoft released Edge v79, the first stable version of their Chromium-based Edge web browser. The microsoft edge artifacts for this version onwards can be found in the following paths for Windows:
%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default
%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data
In the first path, we will find all the information related to the user's actions while browsing using edge, i.e. history, cookies, bookmarks and other relevant data that we can obtain.
In the second path, we can find the database with cache data, i.e. pre-loaded information that allows us to speed up the user's browsing on the Internet. This information can be useful depending on what a researcher is looking for and can be opened with tools such as ChromeCacheView.
Although this artifact provides interesting information, I couldn't find enough to answer my research questions, so I decided to find out more about the files located in the Default path.
According to foxtonforensics, some of the most important artifacts in this directory are listed below:
Bookmarks
Edge Bookmarks are stored in the 'Bookmarks' JSON file.
Browser Settings
Edge Browser Settings are stored in the 'Preferences' JSON file.
Cache
Edge Cache is stored using an Index file ('index'), a number of Data Block files ('data_#'), and a number of separate data files ('f_######').
Cookies
Edge Cookies are stored in the 'Cookies' SQLite database, within the 'cookies' table.
Downloads
Edge Downloads are stored in the 'History' SQLite database, within the 'downloads' and 'downloads_url_chains' tables.
Favicons
Edge Favicons are stored in the 'Favicons' SQLite database, within the 'favicons', 'favicon_bitmaps' and 'icon_mapping' tables.
Logins
Edge Logins are stored in the 'Login Data' SQLite database, within the 'logins' table.
Searches
Edge Searches are stored in the 'History' SQLite database, within the 'keyword_search_terms' table. Associated URL information is stored within the 'urls' table.
Session Data
Edge Session Data is stored in the 'Current Session', 'Current Tabs', 'Last Session' and 'Last Tabs' files.
Site Settings
Edge Site Settings are stored in the 'Preferences' JSON file.
Thumbnails
Edge Thumbnails are stored in the 'Top Sites' SQLite database, within the 'thumbnails' table.
Website Visits
Edge Website Visits are stored in the 'History' SQLite database, within the 'visits' table. Associated URL information is stored within the 'urls' table.
For my purposes, I decided to dig into the "Website Visits" and "Downloads" artifacts located in the History file, as I presumed they contained information I needed.
History database
As the name of this section indicates, the history file found in the Default directory is a SQLite3 database that contains the information we need to analyze.
Initially, I didn't know what kind of tables existed inside this database, so I created a small python script to help me get the names of the internal tables.
Output:
[+] meta
[+] urls
[+] sqlite_sequence
[+] visit_source
[+] keyword_search_terms
[+] downloads
[+] downloads_url_chains
[+] downloads_slices
[+] segments
[+] segment_usage
[+] typed_url_sync_metadata
[+] content_annotations
[+] context_annotations
[+] clusters
[+] clusters_and_visits
[+] downloads_reroute_info
[+] visitsFrom here the URL and downloads tables seemed to have interesting information for my purposes, so I decided to look at the contents of the URL table, trying to list its column names.
Output:
['id', 'url', 'title', 'visit_count', 'typed_count', 'last_visit_time', 'hidden']
Nice, now we fetch all the data using pandas and print the dataframe in the terminal.
Output
As you can see, we already have all the URLs the user has visited, but the last_visit_time column is not in human timestamp format. Since it is a very important piece of data, it was necessary to transform this timestamp to answer some important questions.
Honestly, this was one of the trickier steps in my analysis. I wrongly assumed that the timestamps were in a unix epoch format, so I played around with a lot of transformations that resulted in wrong timestamps. Fortunately, my friend #ChatGPT hinted that it was a Windows Epoch Time (duhhh!), which changes things a lot when doing the time transformation.
With a small function, I manage to transform this Windows epoch format into a human-readable timestamp.
Output
Note that all timestamps are in UTC -00.
The tool
With the information gathered and understanding that other artifacts such as the "Shortcuts" and "Favicons" files worked in the same way, I set out to create a script that would parse the most important column information for my forensic projects.
The tool I created for this purpose was called "CuttingEdge" and I uploaded it to a small public github repository for anyone who needs to quickly parse these artifacts.
URL: https://github.com/h4tt0ri/CuttingEdge The usage is quite simple, we just need to provide the history/shortcuts/favicons file that we want to parse and the tool will do the rest of the work.
Usage: CuttingEdge.py [-h] -f INPUT -t TYPE [-o OUTPUT]
Microsoft Edge Parser
optional arguments:
-h, --help show this help message and exit
-f INPUT history edge file
-t TYPE ex: history, downloads, favicons, shortcuts
-o OUTPUT file output in csv formatNote: Remember that "Downloads" is database table of the History file, therefore, this file must be provided to obtain the download information.
The final result of this tool, allow us to create a CSV file with the information of the mentioned databases, which allows to manage data in a simpler way.
Final result is something like that:
Final Notes
An even easier (and dirtier) way to get the information from these artifacts is to simply take the "Default" directory from edge and paste it into the path on your machine, which will allow edge to load this information and view it from your browser (and thus erase all your previous history if you don't have a backup). On the other hand, any tool that can load SQLite3 databases can be used to look at the information in these files, as long as we make the correct queries to the database.
Finally, if you made it this far, I appreciate the time you have spent reading this blog post. If you want to give some feedback on the script or if you just want to thank me, you can contact me through my social networks and share this post as it may be useful to someone else.
Comments