browserforensics
Back to all articles

Investigate a phishing incident with browser artifacts

2026-06-21 · 4 min

A phishing case is a sequence of questions: how did the user reach the lure, what came down the wire, and what did the attacker walk away with. Each question maps to a specific browser artifact, and the answers line up into a single chain you can hand off. The workflow below walks that chain in order, then ties it together with a timeline and IOC sweep.

Find the entry point

Start in the History database, in urls joined to visits. The phishing URL is the anchor — pull its row and read the transition type on the matching visit. A typed transition means the user entered the address themselves, usually off a lookalike domain; a link transition means they clicked through; a redirect transition means something bounced them there.

From there, walk from_visit backwards. Each visit points at the one that referred it, so following the chain takes you from the landing page back to the source — the mail-client link, the ad, the shortened URL the user actually clicked. That referrer walk is what turns "they ended up on a bad site" into "here is exactly how they got there."

Recover the payload

If the lure delivered a file, it lands in the Downloads table of the same History DB. The row gives you the saved path, the file size, and whether it was opened. To see the real source behind a redirect or a URL shortener, read downloads_url_chains: it records every hop the download passed through, so the final entry is the true origin even when the visible link was a bit.ly or a tracking redirector.

See what was typed

The Shortcuts table — omni_box_shortcuts — captures partial strings the user typed into the omnibox along with what they resolved to. In a phishing case this recovers the lookalike domain the user keyed in by hand, or a search query that led them to the lure, even when no full visit landed in history.

Assess credential and session impact

Two artifacts answer the blast-radius question:

  • Cookies — decrypt the values to check for live session tokens for the spoofed or downstream sites. A present, valid token tells you a session existed that an attacker could replay.
  • Login Data — enumerate saved credentials for the spoofed site and anything related. These are the passwords that were reachable from the compromised profile.

Together they separate "the user entered credentials into a phishing page" from "the attacker had everything the profile already stored."

Timeline the sequence

Merge the artifacts above into one chronological view. The entry visit, the redirect hops, the download start and finish, and any cookie set should line up within seconds of each other. A cookie set next to the landing-page visit pins a live session; a download timestamp right after the click confirms the lure fired. Adjacency in a sorted timeline makes the order of operations obvious. See build a browser activity timeline for the full merge-and-filter workflow.

Sweep for every touch

You now have a known-bad domain or URL. Paste it into the IOC box and match it across all artifacts at once — history, downloads, cookies, shortcuts, cache. This finds every place the indicator appears, including touches that did not surface in the linear chain: a cookie set on a second visit, a cached resource, a redirect host you had not noted. The IOC hunting workflow covers how to build and apply an indicator list.

Export for handover

Close the case with a hashed report. Export the matched rows, the timeline, and the artifact counts so the rest of the IR team gets a reproducible record with integrity hashes for chain of custody.

Every step here — parsing the History DB, decrypting cookies, building the timeline, and matching IOCs — runs entirely client-side. The profile copy never leaves the workstation, so the analysis works on an air-gapped IR box and the acquisition stays inside its original boundary. For the artifact-by-artifact reference behind this workflow, see browser forensics for incident response.

Further reading