browserforensics
Back to all articles

Chrome vs Firefox vs Safari: artifacts compared

2026-06-21 · 4 min

The three major engines store the same conceptual data — history, cookies, credentials, cache, sessions — but in different files, different formats, and on different timestamp epochs. This post puts them side by side so you can jump straight to the right artifact in a profile you don't recognise. For the broader map of a profile folder, start with where browsers store their artifacts.

History

Chrome / Edge (Chromium)FirefoxSafari
FileHistoryplaces.sqliteHistory.db
FormatSQLiteSQLiteSQLite
Tablesurls, visitsmoz_places, moz_historyvisitshistory_items, history_visits

All three are SQLite, so all three open read-only and query the same way. The column names and join keys differ, but the shape — a URL table joined to a visit table — is identical across vendors.

Cookies

ChromiumFirefoxSafari
FileCookies (Network/Cookies)cookies.sqliteCookies.binarycookies
FormatSQLiteSQLiteApple binary
ValuesEncrypted (AES-GCM via os_crypt)CleartextCleartext
MetadataCleartextCleartextCleartext

Cookies are where the formats diverge hardest. Firefox keeps plain values in SQLite. Safari uses its bespoke Cookies.binarycookies container — binary, but cleartext. Chromium encrypts the value with AES-GCM keyed through os_crypt (DPAPI on Windows, the Keychain on macOS) while leaving the domain, name and flags readable. See browser cookies forensics for the per-field detail.

Passwords

ChromiumFirefoxSafari
StoreLogin Data (SQLite)logins.json + key4.dbmacOS Keychain
Encryptionos_cryptNSS (master key)Keychain (OS-level)
Browser file?YesYesNo

The important caveat is Safari: passwords live in the macOS Keychain, not in a Safari file at all, so there is nothing in the profile to parse. Chromium stores ciphertext in Login Data; Firefox splits the secrets between logins.json and the key4.db NSS key store.

Bookmarks

ChromiumFirefoxSafari
LocationBookmarksinside places.sqliteBookmarks.plist
FormatJSONSQLite (moz_bookmarks)Binary plist

Firefox is the odd one out here: bookmarks share places.sqlite with history rather than living in their own file.

Cache

ChromiumFirefoxSafari
LocationSimple Cache (Cache_Data)cache2/entriesCache.db
FormatChromium Simple CacheFirefox cache2SQLite

Only Safari's cache is a tidy SQLite database. Chromium's Simple Cache and Firefox's cache2 are custom on-disk layouts of indexed entry files.

Sessions and tabs

ChromiumFirefoxSafari
FileSessionssessionstore.jsonlz4LastSession.plist
FormatSNSSMozilla LZ4-wrapped JSONBinary plist

These hold the tabs that were open — short-lived intent that often matters most at the moment of an incident. Each vendor wraps it differently: Chromium's SNSS command stream, Firefox's LZ4-compressed JSON, Safari's binary plist.

Timestamp epochs

ChromiumFirefoxSafari
EpochWebKitPRTimeMac absolute time
Base1601-01-01 UTC1970-01-01 UTC2001-01-01 UTC
Unitmicrosecondsmicrosecondsseconds

This table is the one to keep on hand. Mixing epochs is the single most common analyst error: a Chromium value read as Unix microseconds lands centuries off. The mechanics — including the per-table exceptions — are in browser timestamp formats.

What the tool parses and decrypts

BrowserForensics is 100% client-side: files are processed in your browser and never uploaded. Honest scope of what it does today:

CapabilityCoverage
ParsesHistory, cookies, bookmarks, cache, sessions across all three browsers
Decrypts (Chromium)Cookies, saved passwords, payment cards (via os_crypt)
Decrypts (Firefox)Saved passwords (logins.json + key4.db)
Not decryptedSafari Keychain passwords (OS store, not a browser file)

Decryption depends on having the key material — the Chromium os_crypt key or the Firefox NSS master key — alongside the artifact. Without it you still get all the cleartext metadata.

Further reading