browserforensics
Back to all articles

Build a unified browser activity timeline

2026-06-21 · 4 min

Individual artifact tables answer narrow questions. A timeline answers the one that matters: what happened, in what order. The workflow below takes a loaded profile from a pile of tables to a single chronological view you can filter, correlate, and hand off.

Why one timeline beats six tables

Almost every browser artifact is timestamped. History carries visit times, downloads carry start and end times, cookies carry creation, last-access and expiry, the cache carries fetch times, autofill carries use dates, and saved logins carry a last-used date. Read in isolation, each table tells a fragment of the story.

The catch is that each browser stamps those times against a different epoch — WebKit microseconds in Chromium, PRTime in Firefox, Mac absolute time in Safari. Merging them by hand means converting three formats without slipping a column. See timestamp formats for the conversions and the per-column exceptions that trip people up.

How the unified timeline is built

The tool normalises every timestamped event from every loaded artifact and every browser into one table, sorted chronologically. The columns are deliberately flat:

  • time — normalised to UTC, regardless of source epoch.
  • browser — which profile the event came from.
  • artifact — history, download, cookie, cache, autofill, login.
  • event — visit, download start, cookie set, fetch, and so on.
  • detail — the URL, host, filename or value behind the event.

Because uploads accumulate, you can drop several profiles — even from different browsers — and they all land in the same timeline. That is the point: cross-browser activity reads as a single sequence instead of three windows you mentally interleave.

Filter it down

A raw timeline of a daily-driver profile is tens of thousands of rows. Two controls do most of the triage work:

  • Date range — clamp to the incident window. Everything outside it disappears.
  • Keyword — match on any substring in the detail column: a domain, a filename, a path fragment.

Group by day for visual pattern matching — bursts of activity, quiet gaps, the first and last events of a session stand out at a glance. Export the filtered view to CSV when you want it in Timeline Explorer, Excel or pandas.

Match indicators across everything

Paste your indicators — domains, URL fragments, filenames, or any raw value — into the IOC box. Matching rows highlight in every artifact table and in the timeline, with per-indicator hit counts. This is the fastest path from "here is the threat intel" to "here is where it touched this host," and it works the same whether the hit lands in history, a cookie, or the cache.

Correlate to pin a session

The timeline earns its keep where artifacts reinforce each other within the same second or two:

  • A cookie set in the same second as a download or a history visit pins a live session — the user was on that site, not just carrying a stale cookie.
  • An account's last-used login sitting next to a visit ties an identity to the activity, which is often the link an investigation actually needs.

Adjacency in a sorted timeline makes these pairings obvious. Scattered across separate tables, they are easy to miss. For cookies specifically, the cookie forensics post covers which timestamp fields to lean on.

The end-to-end workflow

  1. Load — drop a whole profile folder onto the drop zone. Uploads accumulate, so add more profiles or browsers as you go.
  2. Overview — read the summary first: artifact counts, overall date range, top domains. It sets your expectations before you dig.
  3. Timeline + IOCs — clamp the date range, paste indicators, and work the highlighted rows. Correlate the interesting ones.
  4. Export — pull a report or the filtered timeline as CSV for the case file.

Everything runs client-side. Nothing is uploaded, which keeps the acquisition inside whatever boundary it came from. For the full loading walkthrough, see analyze a browser profile in your browser.

Further reading