Examine the Cache, Cookies, and History Recorded in Web Browsers
The Windows forensics methodology passes with 8 phases, we have discussed the first four before. If you are interested in reading about them you can use the following links:
1- Gathering Volatile Information: link
2- Collecting Non-volatile Information: link
3- Memory Analysis: link
4- Registry Analysis: link
By examining the cache, cookie, and history recorded in web browsers, investigators can gain valuable insights into a user’s internet activity, which can be used to build a comprehensive picture of their behavior and activities online. This information can be critical in forensic investigations, particularly in cases where internet activity may have played a role in a crime or incident.
Firstly, the web browser cache contains temporary files that are created when a user visits websites. These files can include images, videos, and other media that the user has viewed, and can provide valuable information about the user’s internet activity, such as the websites they have visited, the files they have downloaded, and the searches they have conducted.
Secondly, cookies are small text files that are created by websites and stored on the user’s computer. They can be used to track a user’s activity across different websites and sessions, and can provide information such as login credentials, preferences, and browsing habits.
Finally, the browser history provides a record of the user’s browsing activity, including the websites they have visited and the time and date of their visits. This can be particularly useful for investigators looking to trace a user’s online activities and build a timeline of their behavior.
Today’s blog is a straight forward guide on how you can extract cache, cookies, and history from the any browser using nirsoft freeware
Directly navigate to the targeted task and download the necessary tools based on the browser you are facing.
The below listed tools read the cache folder of web browser, and displays the list of all files currently stored in the cache.
For each cache file, the following information is displayed: URL, Content type, File size, Last modified time, Last fetched time, Expiration time, Fetch count, Server name, and more.
Internet Explorer Cache Viewer
This utility displays the details of all cookies that Internet Explorer stores on your computer. In addition, it allows you to change the content of the cookies, delete unwanted cookies files, save the cookies into a readable text file, find cookies by specifying the domain name, view the cookies of other users and in other computers, etc.
Internet Explorer Cookies Viewer
Mozilla Firefox Cookies Viewer
This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited with browsers in the last few days. It also allows you to select one or more URL addresses, and then remove them from the history file or save them into text, HTML or XML file. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder.
Internet Explorer History Viewer
Mozilla Firefox History Viewer
nirsoft has also a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, and Opera.
This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and Gmail, as long as the password is stored by your Web Browser. After retrieving your lost passwords, you can save them into text/html/csv/xml file.