Examine the Cache, Cookies, and History Recorded in Web Browsers

Windows Forensics Methodology

The Windows forensics methodology passes with 8 phases, we have discussed the first four before. If you are interested in reading about them you can use the following links:

1- Gathering Volatile Information: link

2- Collecting Non-volatile Information: link

3- Memory Analysis: link

4- Registry Analysis: link


By examining the cache, cookie, and history recorded in web browsers, investigators can gain valuable insights into a user’s internet activity, which can be used to build a comprehensive picture of their behavior and activities online. This information can be critical in forensic investigations, particularly in cases where internet activity may have played a role in a crime or incident.


Firstly, the web browser cache contains temporary files that are created when a user visits websites. These files can include images, videos, and other media that the user has viewed, and can provide valuable information about the user’s internet activity, such as the websites they have visited, the files they have downloaded, and the searches they have conducted.


Secondly, cookies are small text files that are created by websites and stored on the user’s computer. They can be used to track a user’s activity across different websites and sessions, and can provide information such as login credentials, preferences, and browsing habits.


Finally, the browser history provides a record of the user’s browsing activity, including the websites they have visited and the time and date of their visits. This can be particularly useful for investigators looking to trace a user’s online activities and build a timeline of their behavior.

Today’s blog is a straight forward guide on how you can extract cache, cookies, and history from the any browser using nirsoft freeware

Directly navigate to the targeted task and download the necessary tools based on the browser you are facing.


The below listed tools read the cache folder of web browser, and displays the list of all files currently stored in the cache.

For each cache file, the following information is displayed: URL, Content type, File size, Last modified time, Last fetched time, Expiration time, Fetch count, Server name, and more.

Internet Explorer Cache Viewer

Mozilla Firefox Cache Viewer

Google Chrome Cache Viewer

Safari Cache Viewer

Opera Cache Viewer


This utility displays the details of all cookies that Internet Explorer stores on your computer. In addition, it allows you to change the content of the cookies, delete unwanted cookies files, save the cookies into a readable text file, find cookies by specifying the domain name, view the cookies of other users and in other computers, etc.

Internet Explorer Cookies Viewer

Edge Cookies Viewer

Mozilla Firefox Cookies Viewer

Google Chrome Cookies Viewer

Flash Cookies Viewer


This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited with browsers in the last few days. It also allows you to select one or more URL addresses, and then remove them from the history file or save them into text, HTML or XML file. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder.

Internet Explorer History Viewer

Mozilla Firefox History Viewer

Google Chrome History Viewer

Safari History Viewer

The Four-mentioned-at-once

Extra (WebBrowserPassView)

nirsoft has also a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, and Opera.

This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and Gmail, as long as the password is stored by your Web Browser. After retrieving your lost passwords, you can save them into text/html/csv/xml file.



Documenting the journey towards CyberSecurity Expertise

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store