browserforensics
Back to all articles

Browser forensics for incident response

2026-06-21 · 4 min

In most intrusions the browser is where the breach starts and where the evidence lands. Initial access, credential theft, and exfiltration all leave structured traces in a profile you can pull and read in minutes. The trick during IR is to drive the artifacts from the question you actually need to answer, not the other way around.

Map the IR question to the artifact

Each row below is a question a responder gets asked under pressure, and the artifact that answers it fastest.

IR questionWhere to look
Did the user click the phishing link? How did they reach it?urls + visits — check transition (typed vs link) to tell a deliberate visit from a redirect; Downloads for the payload; Shortcuts for what was actually typed in the omnibox.
Was data exfiltrated?History / Downloads for uploads to file-sharing sites; the web app's Local Storage / IndexedDB for what was staged; Cache for what was rendered on screen.
Was an account taken over or a session stolen?Cookies for session tokens (decrypt them); Login Data for saved credentials; last-used / last-access timestamps to bracket the activity.
Is there a malicious or unwanted extension?Preferences / Secure Preferences plus extensions.json — read granted permissions and the sideload source.
What is the credential-theft blast radius?Login Data + Web Data — which sites had saved passwords, cards, or autofill entries the attacker could reach.

Phishing click and initial access

Start in urls joined to visits. The transition type is the discriminator: a typed transition means the user entered the URL deliberately, a link transition means they followed something. For a phishing case the interesting path is usually mail client → link → landing page → download. Pull the matching row from Downloads for the payload, and check Shortcuts to recover the exact string the user typed if the lure relied on a lookalike domain.

Data exfiltration

Exfiltration shows up as outbound activity. History and Downloads will flag visits and uploads to file-sharing or paste sites. The web application's own state — Local Storage and IndexedDB — tells you what was staged or queued client-side, and the on-disk cache preserves what was actually rendered, which matters when the data left through a SaaS UI rather than a file.

Account takeover and session theft

Cookies holds the session tokens. The values are encrypted at rest, so decrypt them to confirm a live session was present, then use creation and last-access timestamps to bracket when the session was used. Login Data shows which saved credentials were available to whoever had the profile. Together they separate "attacker reused a stolen cookie" from "attacker logged in with a saved password."

Malicious or unwanted extensions

Extensions are a quiet persistence and data-theft vector. Preferences and Secure Preferences, alongside extensions.json, record each extension's granted permissions and how it got installed — a webstore ID versus a sideload path tells you immediately whether to be worried. Permissions like access to all URLs or to cookies are the ones to triage first.

Credential-theft scope

When credentials are in play, the scope question follows fast. Login Data enumerates sites with saved passwords; Web Data covers saved cards and autofill profiles. The union of those two tables is the blast radius — every account the holder of the profile could have pivoted into without re-authenticating.

A repeatable IR workflow

  1. Collect the full profile folder, sidecars included.
  2. Build a unified timeline so history, downloads, cookies, and session events line up chronologically.
  3. Run IOC matching against known-bad domains and URLs from your threat intel.
  4. Decrypt cookies and saved passwords where the case requires it.
  5. Export a hashed report for handover to the rest of the IR team.

Because the parsing runs entirely client-side, this whole sequence works on an air-gapped IR workstation — the profile copy never leaves the machine, which keeps chain of custody clean for evidence pulled from a regulated environment.

Further reading