browserforensics
Back to all articles

How to analyze a browser profile in your browser

2026-05-19 · 3 min

The workflow below assumes you have a profile copy on disk and a few minutes to triage it. It is the same sequence I run before deciding whether a host deserves a deeper pull (MFT, USN, EVTX) or whether the browser-side story is enough on its own.

1. Acquire the profile correctly

Copy the entire profile folder, not just History. For Chromium that means Default/ (or the relevant Profile N/). For Firefox the randomly-named Profiles/<xxxx>.default-release/. For Safari, both ~/Library/Safari/ and the container under ~/Library/Containers/com.apple.Safari/Data/Library/.

Make sure the -wal and -shm sidecars come along. See the WAL recovery post for why this is non-negotiable.

If the browser is running, either close it cleanly, image the volume, or collect via Volume Shadow Copy. Live xcopy of a locked SQLite file is the wrong move.

2. Load it

Drag the whole profile folder onto the drop zone. Folder upload matters because it auto-pairs History with History-wal, and groups each LevelDB directory as a single store rather than a pile of .ldb files.

Parsing happens client-side. Nothing leaves the machine — a basic requirement for any acquisition that came out of a regulated environment.

3. Read the artifact tables

Each recognised file becomes its own table. The badges next to each indicate whether the parser opened it cleanly or fell back to best-effort (typical for half-written LevelDBs and corrupted-cookie cases). Use the per-table search and sort to triage quickly.

The fields that earn their keep first:

  • urls.last_visit_time joined to visits.transition — to separate user-driven navigation from redirects.
  • downloads.target_path plus downloads_url_chains — to recover the original source URL even after browser-side redirects.
  • Cookie host_key + creation_utc — to corroborate visits the user may have cleared from History.

4. Build a unified timeline

The timeline merges history, downloads, cookies and session events into one chronological view, normalising each browser's epoch (see timestamp formats). Filter by date range or keyword; group by day for visual pattern matching.

For correlation with the rest of the host, you usually want the same window from:

  • MFT for file create/modify of downloaded binaries.
  • USN journal for delete and rename activity around the same time.
  • LNK files for downloaded files that the user later opened.
  • EVTX for PowerShell or process activity that followed a download.

5. Export

Export any table or the filtered timeline as CSV / JSON. The exports use strict ISO-8601 UTC timestamps so the same timeline opens identically in Timeline Explorer, Excel and pandas.

Further reading