Export a browser forensics report
2026-06-21 · 4 min
Parsing artifacts is only half the job. The other half is producing something a colleague, a court, or future-you can trust without re-running the whole analysis. This post covers the export side of the tool: the file manifest, the self-contained report, and the per-table CSV/JSON dumps — all generated in the tab, with nothing uploaded.
The file manifest is your chain of custody
Every file you load is hashed with SHA-256 the moment it lands. The
Loaded files manifest records the path, size and hash of each one, and
it accumulates across uploads — so if you drop a profile, then add a
Local State and a masterkey later (as in the
cookie decryption walkthrough),
every input is logged in one place.
That manifest is the integrity backbone. Record the hashes at acquisition time, and anyone can later verify that the bytes you analysed are the bytes that came off the host — the standard chain-of-custody assertion, minus the spreadsheet you'd otherwise maintain by hand.
Build the report before you export
The report is a snapshot of analysis state, so do the analysis first. The sequence I follow:
- Load the profile. Drop the whole folder so sidecars pair correctly (see analyze a browser profile).
- Review the overview. Confirm the artifact and record counts look right for the acquisition, and sanity-check the date range.
- Run IOC matching. Paste your indicators and let the hits land — see hunting IOCs in browser artifacts. The hit totals carry into the report.
- Download the report, then export individual tables as needed.
Reordering this matters: the report captures whatever IOC list and hit totals exist when you click the button, so match first.
What the HTML report contains
Download report produces a single, self-contained HTML file — no external CSS, JS or images, so it opens identically on an air-gapped review box years from now. Inside:
- Header — tool name and the generated-at timestamp.
- Overview stats — artifact count, total record counts, browsers detected, the overall date range, and top domains.
- File manifest — the same path/size/hash table described above, so the integrity record travels with the findings.
- Per-artifact record counts — a table breaking down how many records came from each parsed file.
- IOC list and hit totals — the indicators you searched and how many times each matched.
Because it's one file with everything inlined, it attaches to a ticket or a case folder cleanly and survives being moved around.
Per-table CSV and JSON
The report is the summary; the tables are the evidence. Each artifact table exports independently to CSV and JSON:
- Exports contain the visible columns only, so filter and arrange the table to the view you want before exporting.
- Encrypted blobs are excluded. Raw
os_cryptciphertext doesn't clog the output. - Decrypted values are included once you've decrypted them — so a cookie table exported after running the decryption flow carries the cleartext, not the blob.
Pair the two: the HTML report for the narrative and integrity record, the CSV/JSON tables for the granular data your downstream tools (Timeline Explorer, Excel, pandas) chew on.
Why client-side matters here
Reporting often touches the most sensitive evidence — auth cookies, private URLs, internal domains. Every export, including the hashing and the HTML generation, happens locally in the browser. Nothing is transmitted, which keeps the workflow usable inside regulated environments where uploading evidence to a third-party service is a non-starter. For the bigger picture on that model, see what browser forensics is.