Brave, Opera and Vivaldi profile locations
2026-06-21 · 3 min
Brave, Opera and Vivaldi are all Chromium forks, so their forensic story is
short: same artifacts, same formats, same parsing and decryption workflow as
Chrome. Only the vendor directory
changes. If you can work a Chrome profile, you can work all three — the trick
is knowing where the User Data tree lives on each platform.
Same artifacts as Chrome
Because the engine is shared, every Chromium browser writes the same set of files in the same layout. There is nothing to relearn:
| Data | File | Format |
|---|---|---|
| Visits / searches / downloads | History | SQLite |
| Cookies | Network/Cookies | SQLite |
| Logins | Login Data | SQLite |
| Form / autofill | Web Data | SQLite |
| Top sites | Top Sites | SQLite |
| Bookmarks | Bookmarks | JSON |
| Profile config | Preferences, Local State | JSON |
| Local / Session Storage, IndexedDB | LevelDB folders | LevelDB |
| Cache | Simple Cache (index, data_#, f_######) | Custom |
Timestamps follow the WebKit epoch (microseconds since 1601-01-01 UTC), and
History is opened in WAL mode — collect History-wal and History-shm
with the main file, exactly as you would for Chrome.
Brave
Brave keeps the closest layout to upstream Chrome, including the User Data
intermediate directory on Windows and Linux.
| OS | Path |
|---|---|
| Windows | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\<profile> |
| macOS | ~/Library/Application Support/BraveSoftware/Brave-Browser/<profile> |
| Linux | ~/.config/BraveSoftware/Brave-Browser/<profile> |
<profile> is usually Default, with Profile 1, Profile 2, … for
additional profiles. Note that Brave's private windows use Tor; that traffic
leaves little on disk, but normal-window browsing lands in History as usual.
Opera
Opera is the odd one out on directory naming and profile structure: it
typically uses a single profile written straight into the product folder,
not a Default sub-directory.
| OS | Path |
|---|---|
| Windows | %APPDATA%\Opera Software\Opera Stable\<profile> |
| macOS | ~/Library/Application Support/com.operasoftware.Opera/ |
| Linux | ~/.config/opera/ |
On Windows note the use of %APPDATA% (Roaming), not %LOCALAPPDATA%.
Opera GX and Opera Beta live in sibling folders (Opera GX Stable,
Opera Stable Beta) — enumerate the Opera Software directory rather than
assuming a single install.
Vivaldi
Vivaldi mirrors the Brave/Chrome shape on Windows and macOS, with a flatter tree on Linux.
| OS | Path |
|---|---|
| Windows | %LOCALAPPDATA%\Vivaldi\User Data\<profile> |
| macOS | ~/Library/Application Support/Vivaldi/<profile> |
| Linux | ~/.config/vivaldi/<profile> |
<profile> is again Default in the common case.
Cookie and password encryption
Encryption is inherited from Chromium too. On Windows, cookie values and saved passwords are protected with the os_crypt key wrapped by DPAPI (and on recent builds the v20 app-bound scheme); on macOS the key lives in the login Keychain; on Linux it is held by the system keyring (or a hardcoded fallback). The decryption procedure is identical to Chrome's — see Chrome cookie encryption on Windows for the full v10/v20 walkthrough, which applies verbatim to all three.
Acquisition notes
- The
Historyfile is locked while the browser is running. Close it, use a Volume Shadow Copy, or use a tool that handles the lock. - Do not stop at
Defaulton Brave and Vivaldi — extra profiles often hold the activity that matters. Opera usually has just the one. - Pull
Local Statefrom each install: it holds the wrapped encryption key you need for cookies andLogin Data. - Beta, Dev and portable variants write to sibling vendor folders. Walk the parent directory before concluding a profile does not exist.