SANS Digital Forensics and Incident Response Blog: Tag - browser

Forensically mining new nuggets of Google Chrome

I was recently creating some slides on Chrome forensics for a class I'm teaching, when I really discovered for the first time just how popular it's actually become. As of last month, according to, Chrome is not only 50% more popular than internet Explorer, but is actually neck and neck with Firefox (36.6% vs. … Continue reading Forensically mining new nuggets of Google Chrome

Google Chrome Forensics

Google Chrome stores the browser history in a SQLite database, not unlike Firefox. Yet the structure of the database file is quite different.

Chrome stores its files in the following locations:

  • Linux: /home/$USER/.config/google-chrome/
  • Linux: /home/$USER/.config/chromium/
  • Windows Vista (and Win 7): C:\\Users\\[USERNAME]\\AppData\\Local\\Google\\Chrome\\
  • Windows XP: C:\\Documents and Settings\\[USERNAME]\\Local Settings\\Application Data\\Google\\Chrome\\

There are two different versions of Google Chrome for Linux, the official packets distributed by Google, which stores its data in the google-chrome directory and the Linux


Is Your index.dat File LEAKing?

One of the projects that I've been working on, has required me to become intimately familiar with index.dat files. These files (index.dat) are usually associated with Internet Explorer's browser history. If you've ever worked with index.dat files before, you've probably encountered the mysterious "LEAK" record. After some analysis, I think I've finally figured out what LEAK records are used for.

Essentially, a LEAK record is created when a cached URL entry is deleted (by calling DeleteUrlCacheEntry) and the cached file associated with the entry (a.k.a. "temporary internet file" or TIF) can not be deleted.

You can easily test this on your own system:

  1. Open Internet Explorer and surf to a web page. Ideally a page with a unique and easily identifiable name (e.g.

Firefox 3 History

Analysis of a browser history almost always comes up, no matter what is being investigated. And despite Firefox being one of the most popular browsers currently used there aren't many tools out there that can read and display browser history (at least in a human readable format). There are tools out there, such as f3e from ( however that tool, just as others that I've found, is only distrubuted as an EXE, running on Windows (and no source code is provided).

Traditionally Firefox stored the history file as a Mork file format, which could be easily read using any standard editor. The new version, that is version 3 which has been out for quite some time now, uses a different method of storing user history. The history file is stored in a MozStorage format, as a


Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization owned asset, or looking for misuse of organization owned data? Not even a trick question. Too easy. So why do organization's computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.h.e. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there are a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that