browserforensics
Back to all articles

Brave, Opera and Vivaldi profile locations

2026-06-21 · 3 min

Brave, Opera and Vivaldi are all Chromium forks, so their forensic story is short: same artifacts, same formats, same parsing and decryption workflow as Chrome. Only the vendor directory changes. If you can work a Chrome profile, you can work all three — the trick is knowing where the User Data tree lives on each platform.

Same artifacts as Chrome

Because the engine is shared, every Chromium browser writes the same set of files in the same layout. There is nothing to relearn:

DataFileFormat
Visits / searches / downloadsHistorySQLite
CookiesNetwork/CookiesSQLite
LoginsLogin DataSQLite
Form / autofillWeb DataSQLite
Top sitesTop SitesSQLite
BookmarksBookmarksJSON
Profile configPreferences, Local StateJSON
Local / Session Storage, IndexedDBLevelDB foldersLevelDB
CacheSimple Cache (index, data_#, f_######)Custom

Timestamps follow the WebKit epoch (microseconds since 1601-01-01 UTC), and History is opened in WAL mode — collect History-wal and History-shm with the main file, exactly as you would for Chrome.

Brave

Brave keeps the closest layout to upstream Chrome, including the User Data intermediate directory on Windows and Linux.

OSPath
Windows%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\<profile>
macOS~/Library/Application Support/BraveSoftware/Brave-Browser/<profile>
Linux~/.config/BraveSoftware/Brave-Browser/<profile>

<profile> is usually Default, with Profile 1, Profile 2, … for additional profiles. Note that Brave's private windows use Tor; that traffic leaves little on disk, but normal-window browsing lands in History as usual.

Opera

Opera is the odd one out on directory naming and profile structure: it typically uses a single profile written straight into the product folder, not a Default sub-directory.

OSPath
Windows%APPDATA%\Opera Software\Opera Stable\<profile>
macOS~/Library/Application Support/com.operasoftware.Opera/
Linux~/.config/opera/

On Windows note the use of %APPDATA% (Roaming), not %LOCALAPPDATA%. Opera GX and Opera Beta live in sibling folders (Opera GX Stable, Opera Stable Beta) — enumerate the Opera Software directory rather than assuming a single install.

Vivaldi

Vivaldi mirrors the Brave/Chrome shape on Windows and macOS, with a flatter tree on Linux.

OSPath
Windows%LOCALAPPDATA%\Vivaldi\User Data\<profile>
macOS~/Library/Application Support/Vivaldi/<profile>
Linux~/.config/vivaldi/<profile>

<profile> is again Default in the common case.

Cookie and password encryption

Encryption is inherited from Chromium too. On Windows, cookie values and saved passwords are protected with the os_crypt key wrapped by DPAPI (and on recent builds the v20 app-bound scheme); on macOS the key lives in the login Keychain; on Linux it is held by the system keyring (or a hardcoded fallback). The decryption procedure is identical to Chrome's — see Chrome cookie encryption on Windows for the full v10/v20 walkthrough, which applies verbatim to all three.

Acquisition notes

  • The History file is locked while the browser is running. Close it, use a Volume Shadow Copy, or use a tool that handles the lock.
  • Do not stop at Default on Brave and Vivaldi — extra profiles often hold the activity that matters. Opera usually has just the one.
  • Pull Local State from each install: it holds the wrapped encryption key you need for cookies and Login Data.
  • Beta, Dev and portable variants write to sibling vendor folders. Walk the parent directory before concluding a profile does not exist.

Further reading