Browser forensics with nothing to install
2026-06-21 · 3 min
Most browser-forensics tooling assumes you can install something: an agent on the host, a parser on your workstation, or a SaaS account that ingests the evidence. BrowserForensics removes that assumption. You open a tab, drag in an acquired profile, and the parsing and decryption happen locally. This post explains how that works and where it actually fits.
How it runs
The parsers and decryptors are compiled to WebAssembly and driven by JavaScript that executes inside your browser tab. When you drop a profile folder, the files are read straight from local disk through the browser's file APIs. Nothing is uploaded — there is no backend that sees the evidence. Once the page has loaded, you can pull the network cable and keep working; the tool is fully functional offline.
That is the whole trust model: the code that touches your evidence is the code already running in front of you, and it has nowhere to send anything.
Why "nothing to install" matters
The constraint is not cosmetic. It changes which cases the tool can touch.
- Fast triage. No environment to provision, no dependencies to pin. Open the page, drag the profile, read the tables. Useful when you need a yes/no on a host before committing to a full pull.
- Evidence that must not leave the machine. Regulated, privileged, or cross-border material where upload is simply off the table. Because files never transit the network, the question of "where did the data go" has a trivial answer.
- Locked-down endpoints. On managed or kiosked machines where you cannot install software, a browser tab is often the one tool you are allowed to run.
- Air-gapped workstations. Load the page once on a connected machine, or serve it from local media, then work entirely offline on the isolated host.
- Teaching and labs. Students get the same parser with zero setup and no account, on whatever hardware they brought.
What it parses and decrypts
Despite running in a tab, it is not a toy. It reads the standard artifact classes across Chrome, Edge, Firefox, and Safari: history, cookies, saved passwords, payment cards, cache, extensions, storage, sessions, and bookmarks.
For the encrypted classes it does the decryption too — cookies, passwords, and cards — handling Windows DPAPI, Firefox NSS, the Linux keyring, and the macOS Safe Storage path. From there you get a unified timeline across artifacts, IOC matching against your indicators, SHA-256 hashing of inputs with an HTML report, and CSV / JSON export for downstream tooling.
If you want the click-by-click version, see analyzing a profile in your browser and the report export walkthrough.
What it is not
Being honest about scope keeps the tool credible. This is a parser and decryptor, not a full acquisition suite. It does not image disks, carve unallocated space, or read memory. You bring the artifacts — typically by dragging in a whole acquired profile folder — and it does the browser-side analysis on what you give it.
For a complete case, pair it with your disk and memory tooling. The browser timeline tells you what the user did in the browser; the MFT, USN journal, and EVTX tell you what the rest of the host did around it. The client-side tool slots into that workflow as the fast, no-friction browser layer — it does not replace it.