Blog
Notes on browser forensics and artifact analysis.
- Choosing a browser forensics tool
2026-06-21
What to look for in a browser-forensics tool — coverage, decryption, timeline, reporting and privacy — and where a client-side, in-browser approach fits.
Read more → - Brave, Opera and Vivaldi profile locations
2026-06-21
These Chromium browsers reuse Chrome's artifacts. Exact profile paths on Windows, macOS and Linux — and what carries over unchanged.
Read more → - Browser cache forensics: Chrome, Firefox and Safari
2026-06-21
The HTTP cache recovers visited URLs, timestamps and sometimes content. Chrome Simple Cache, Firefox cache2 and Safari Cache.db — and how to parse them.
Read more → - Browser extensions forensics (Chrome & Firefox)
2026-06-21
Installed extensions reveal intent and risk. Where Chrome and Firefox record them — Preferences, Secure Preferences and extensions.json — and what to extract.
Read more → - Browser forensics for incident response
2026-06-21
What browser artifacts answer in an IR investigation — phishing clicks, data exfiltration, account takeover, malicious extensions — and exactly where to look.
Read more → - Browser forensics with nothing to install
2026-06-21
Parse and decrypt browser artifacts in a browser tab — no agent, no upload, no install. Why a client-side tool fits triage and air-gapped work.
Read more → - Build a unified browser activity timeline
2026-06-21
Merge history, downloads, cookies and cache across browsers into one chronological timeline — then filter it by date, keyword and IOC.
Read more → - Chrome bookmarks forensics
2026-06-21
Chrome stores bookmarks as a JSON tree with creation timestamps. Folder structure, date_added, the .bak copy, and what bookmarks reveal about a user.
Read more → - Decrypting Chrome cookies on Linux
2026-06-21
On Linux, Chromium uses AES-128-CBC with a key from the keyring — or the hard-coded 'peanuts' key. How to decrypt Linux Chrome cookies offline.
Read more → - Decrypting Chrome cookies on macOS (Safe Storage)
2026-06-21
macOS Chromium keys its AES-128-CBC values from the 'Chrome Safe Storage' Keychain password with 1003 PBKDF2 iterations. How to decrypt them.
Read more → - Chrome download history forensics
2026-06-21
The History database's downloads tables record every saved file — source URL, target path, sizes, timestamps, danger and interrupt reasons.
Read more → - Chrome History database forensics
2026-06-21
The History SQLite database holds visited URLs, per-visit timing, transition types and search terms. The schema, the enums, and what you can reconstruct.
Read more → - Chrome Local State as a forensic artifact
2026-06-21
Local State is more than the encryption key — it enumerates profiles and their accounts, the last-used profile, and browser metadata.
Read more → - Chrome Login Data: saved-password forensics
2026-06-21
The Login Data SQLite database holds saved credentials — origins, usernames, timestamps and encrypted passwords. What it reveals and how to read it.
Read more → - Chrome Preferences and account artifacts
2026-06-21
The Preferences and Secure Preferences JSON files record the signed-in account, profile name, sync state, startup pages and default search.
Read more → - Chrome session restore (SNSS) forensics
2026-06-21
Chrome's Sessions files use the SNSS format to record open and recently-closed tabs. What 'Current Session' and 'Current Tabs' reveal — and the format.
Read more → - Chrome Shortcuts (omnibox) forensics
2026-06-21
The Shortcuts database records what the user typed into the address bar and what it completed to — a direct, often-overlooked window into intent.
Read more → - Chrome Top Sites and Favicons forensics
2026-06-21
Top Sites ranks the most-visited pages; Favicons maps pages to their icons. Two small artifacts that corroborate browsing even after history is cleared.
Read more → - Chrome v20 app-bound encryption, explained
2026-06-21
Chrome 127+ wraps the cookie key with app-bound encryption on top of DPAPI. What v20 is, why it resists offline recovery, and what can still be done.
Read more → - Chrome vs Firefox vs Safari: artifacts compared
2026-06-21
A side-by-side map of where the three major browsers keep history, cookies, passwords, cache and sessions — and the on-disk formats you'll meet.
Read more → - Chrome Web Data: autofill and saved cards
2026-06-21
Web Data stores autofill form values, saved addresses and credit cards — a rich, underused artifact. The tables, fields and what's encrypted.
Read more → - Chromium LevelDB format for forensics
2026-06-21
Local Storage, Session Storage and IndexedDB live in LevelDB. The on-disk format — CURRENT, MANIFEST, .log, .ldb — and how deleted values linger.
Read more → - Compression in browser artifacts: Snappy, mozLz4 and more
2026-06-21
Browser data is often compressed before it hits disk. The formats you'll meet — Snappy in LevelDB, mozLz4 in Firefox sessions — and why parsers must handle them.
Read more → - Decrypt Microsoft Edge passwords and cookies
2026-06-21
Edge is Chromium, so its cookies, passwords and cards use the same os_crypt/DPAPI scheme as Chrome. How to decrypt them in your browser.
Read more → - Decrypt Firefox passwords in your browser
2026-06-21
Load key4.db (or key3.db) and logins.json and recover saved Firefox passwords — fully offline and client-side via an in-browser NSS decryptor.
Read more → - Decrypt saved passwords and credit cards (Chrome & Edge)
2026-06-21
Login Data passwords and Web Data card numbers use the same os_crypt key as cookies — decrypt all three at once, offline in your browser.
Read more → - Detect malicious browser extensions
2026-06-21
Hunt risky and malicious extensions across Chrome and Firefox — by permissions, sideload source and install timing — from on-disk artifacts.
Read more → - Export a browser forensics report
2026-06-21
Turn parsed artifacts into a defensible handover: SHA-256 file hashes, a self-contained HTML report, and CSV/JSON exports — all generated client-side.
Read more → - Extract browser cookies from an acquired profile
2026-06-21
Pull cookies from a collected Chrome, Firefox or Safari profile, decrypt the values, and export them — entirely offline and client-side.
Read more → - Firefox cookies forensics (cookies.sqlite)
2026-06-21
Unlike Chrome, Firefox stores cookie values in cleartext. The moz_cookies schema, the three timestamps, and what cookies reveal.
Read more → - Firefox form history forensics
2026-06-21
formhistory.sqlite stores everything typed into web forms and the search bar — names, emails, queries — with usage counts and timestamps.
Read more → - Firefox places.sqlite forensics
2026-06-21
places.sqlite is Firefox's history and bookmarks store. The moz_places / moz_historyvisits schema, visit types, PRTime timestamps and what you can reconstruct.
Read more → - Firefox session restore: jsonlz4 forensics
2026-06-21
Firefox stores open and recently-closed tabs in sessionstore.jsonlz4 and recovery.jsonlz4 — Mozilla LZ4-compressed JSON. The format and what to recover.
Read more → - Hunt IOCs across browser artifacts
2026-06-21
Paste a list of indicators — domains, URLs, tokens — and highlight every match across history, cookies, cache and the unified timeline.
Read more → - Internet Explorer and legacy Edge history forensics
2026-06-21
IE and pre-Chromium Edge store history, cache and cookies in the ESE database WebCacheV01.dat. The containers, the format, and how to approach it.
Read more → - Investigate a phishing incident with browser artifacts
2026-06-21
Trace a phishing click end to end — the typed or clicked URL, the redirect chain, the downloaded payload, and any stolen session — from browser artifacts.
Read more → - Mobile browser forensics: Chrome on Android, Safari on iOS
2026-06-21
Mobile browsers use the same database formats as desktop, in app-sandbox paths. Where Android Chrome and iOS Safari keep their artifacts — and the acquisition catch.
Read more → - Private and Incognito browsing: what's left behind
2026-06-21
Incognito and Private mode avoid writing the usual databases — but artifacts still leak via DNS, memory, cache remnants and OS traces. What survives, and what doesn't.
Read more → - Recover saved passwords across browsers
2026-06-21
Recover and audit saved credentials from Chrome, Edge and Firefox profiles — decrypt them and export the inventory — entirely offline.
Read more → - How to recover deleted browsing history
2026-06-21
Cleared history isn't always gone. Recover it from the SQLite WAL, freelist and unallocated pages — and corroborate with cache, favicons and bookmarks.
Read more → - The Safari Cookies.binarycookies format
2026-06-21
Safari stores cookies in a compact binary format. The page and cookie-record layout, Mac absolute-time timestamps, and how to parse it by hand.
Read more → - Safari bookmarks forensics (Bookmarks.plist)
2026-06-21
Safari keeps bookmarks and the Reading List in a binary property list. The plist tree, Reading List metadata, and what to extract.
Read more → - Safari History.db forensics
2026-06-21
Safari's History.db is SQLite — history_items and history_visits, joined by id, with Mac absolute-time timestamps. The schema and what to extract.
Read more → - SQLite forensics for browsers
2026-06-21
Most browser artifacts are SQLite. The WAL/SHM sidecars, the freelist and unallocated pages, and why you must capture more than the main .db.
Read more → - Thunderbird forensics: profiles, passwords and mail
2026-06-21
Thunderbird shares Firefox's NSS credential store. Where its profile lives, how saved passwords are protected, and what mail artifacts exist.
Read more → - Tor Browser forensics: what's on disk
2026-06-21
Tor Browser is hardened Firefox set to leave little behind. Where it lives, what it does and doesn't persist, and where to look instead.
Read more → - Triage a Chrome profile, fast
2026-06-21
A quick, repeatable workflow to triage a Chrome or Edge profile: which files to grab, what to parse first, and how to surface the signal.
Read more → - Where are browser passwords stored?
2026-06-21
A cross-browser map of saved-password storage — Chrome/Edge Login Data, Firefox logins.json + key4.db, Safari Keychain — and how each is protected.
Read more → - How Chromium encrypts cookies on Windows
2026-06-17
The os_crypt key in Local State, the v10/v20 AES-GCM blob format, and what you can actually decrypt offline.
Read more → - Decrypt Chrome & Edge cookies in your browser
2026-06-17
A client-side walkthrough: load Cookies, Local State and a DPAPI masterkey, derive the AES key, and read the values — nothing uploaded.
Read more → - Decrypting Firefox passwords: NSS, key4.db and logins.json
2026-06-17
How Firefox protects saved logins with NSS — the key4.db key store, the 3DES and AES-256 PBE schemes, and how to decrypt offline.
Read more → - Offline Windows DPAPI: unwrapping the os_crypt key
2026-06-17
From a masterkey file, a SID and an NT hash to the cleartext Chrome AES key — the DPAPI chain, done without Windows.
Read more → - How to analyze a browser profile in your browser
2026-05-19
A step-by-step walkthrough: load a Chrome/Firefox/Safari profile, build a unified timeline, and export findings — all client-side.
Read more → - Browser cookies in forensics
2026-05-19
What cookie databases reveal across Chrome, Firefox and Safari — and why the values are usually encrypted.
Read more → - Browser timestamp formats explained
2026-05-19
Chrome, Firefox and Safari all store time differently. Here are the three epochs and how to convert them.
Read more → - Chrome history file locations
2026-05-19
Exact on-disk paths for Google Chrome's history and related artifacts on Windows, macOS and Linux, and which file holds what.
Read more → - Chrome Local Storage & IndexedDB (LevelDB)
2026-05-19
The overlooked web-app artifacts — how Chrome stores Local/Session Storage and IndexedDB in LevelDB, and how to read them.
Read more → - Microsoft Edge history file locations
2026-05-19
Edge is Chromium-based — here are its profile paths on Windows, macOS and Linux and the files it shares with Chrome.
Read more → - Firefox history file locations
2026-05-19
Where Firefox keeps places.sqlite, cookies, form history and session files on Windows, macOS and Linux — and what each holds.
Read more → - Recovering recent history from SQLite WAL files
2026-05-19
The -wal sidecar holds committed changes not yet written to the main database. Skip it and you miss the most recent activity.
Read more → - Safari history file locations
2026-05-19
Where macOS Safari stores History.db, bookmarks, cookies and session files — paths and formats.
Read more → - What is browser forensics?
2026-05-19
A short primer on browser forensics — the artifacts investigators recover and why they matter.
Read more → - Where browsers store their artifacts
2026-05-18
A quick map of the SQLite databases Chrome, Firefox and Safari keep on disk — and what you can recover from each.
Read more →