Browser forensics for incident response
2026-06-21 · 4 min
In most intrusions the browser is where the breach starts and where the evidence lands. Initial access, credential theft, and exfiltration all leave structured traces in a profile you can pull and read in minutes. The trick during IR is to drive the artifacts from the question you actually need to answer, not the other way around.
Map the IR question to the artifact
Each row below is a question a responder gets asked under pressure, and the artifact that answers it fastest.
| IR question | Where to look |
|---|---|
| Did the user click the phishing link? How did they reach it? | urls + visits — check transition (typed vs link) to tell a deliberate visit from a redirect; Downloads for the payload; Shortcuts for what was actually typed in the omnibox. |
| Was data exfiltrated? | History / Downloads for uploads to file-sharing sites; the web app's Local Storage / IndexedDB for what was staged; Cache for what was rendered on screen. |
| Was an account taken over or a session stolen? | Cookies for session tokens (decrypt them); Login Data for saved credentials; last-used / last-access timestamps to bracket the activity. |
| Is there a malicious or unwanted extension? | Preferences / Secure Preferences plus extensions.json — read granted permissions and the sideload source. |
| What is the credential-theft blast radius? | Login Data + Web Data — which sites had saved passwords, cards, or autofill entries the attacker could reach. |
Phishing click and initial access
Start in urls joined to visits. The transition type is the discriminator:
a typed transition means the user entered the URL deliberately, a link
transition means they followed something. For a phishing case the interesting
path is usually mail client → link → landing page → download. Pull the matching
row from Downloads for the payload, and check Shortcuts to recover the exact
string the user typed if the lure relied on a lookalike domain.
Data exfiltration
Exfiltration shows up as outbound activity. History and Downloads will flag
visits and uploads to file-sharing or paste sites. The web application's own
state — Local Storage and IndexedDB — tells you what was staged or queued
client-side, and the on-disk cache preserves what was actually rendered, which
matters when the data left through a SaaS UI rather than a file.
Account takeover and session theft
Cookies holds the session tokens. The values are encrypted at rest, so decrypt
them to confirm a live session was present, then use creation and last-access
timestamps to bracket when the session was used. Login Data shows which saved
credentials were available to whoever had the profile. Together they separate
"attacker reused a stolen cookie" from "attacker logged in with a saved
password."
Malicious or unwanted extensions
Extensions are a quiet persistence and data-theft vector. Preferences and
Secure Preferences, alongside extensions.json, record each extension's
granted permissions and how it got installed — a webstore ID versus a sideload
path tells you immediately whether to be worried. Permissions like access to all
URLs or to cookies are the ones to triage first.
Credential-theft scope
When credentials are in play, the scope question follows fast. Login Data
enumerates sites with saved passwords; Web Data covers saved cards and autofill
profiles. The union of those two tables is the blast radius — every account the
holder of the profile could have pivoted into without re-authenticating.
A repeatable IR workflow
- Collect the full profile folder, sidecars included.
- Build a unified timeline so history, downloads, cookies, and session events line up chronologically.
- Run IOC matching against known-bad domains and URLs from your threat intel.
- Decrypt cookies and saved passwords where the case requires it.
- Export a hashed report for handover to the rest of the IR team.
Because the parsing runs entirely client-side, this whole sequence works on an air-gapped IR workstation — the profile copy never leaves the machine, which keeps chain of custody clean for evidence pulled from a regulated environment.