What is the “Web Browser” forensic artifact?
Web browser artifacts encompass the comprehensive record of a user’s internet activity, including visited websites, search queries, downloads, cookies, and cache. This data is stored within the user’s profile directory in files specific to each browser, such as SQLite databases for Chromium-based browsers (e.g., Chrome, Edge) and Firefox, or .plist files for Safari on macOS. These files maintain a detailed log of URLs, visit times, and download metadata (source URL, file path, and timestamps), providing a granular view of online behavior.
For a DFIR investigator, web browser history is essential for reconstructing a user’s actions and understanding the timeline of an incident. It can reveal how an attacker performed reconnaissance, which sites they used to download malicious tools, or if they accessed web-based email or cloud storage to exfiltrate data. Download history provides a direct link between a web session and a file being introduced to the system, which is crucial for identifying the initial point of malware infection. Analysis of this data can uncover phishing attempts, access to suspicious domains, and provide a clear window into the user’s or attacker’s online footprint.
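The merge of visit and download records into a single timeline, as an added example that is not TensorGuard's code or output: it builds a small constructed database using a reduced subset of the Chromium History schema (`urls`, `visits`, `downloads`, `downloads_url_chains`) and converts Chromium's timestamps (microseconds since 1601-01-01 UTC) to UTC. The URLs and file path are constructed sample values.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    # Chromium timestamps: microseconds since 1601-01-01 00:00:00 UTC
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def sample_history():
    # Constructed data in a reduced subset of the Chromium History schema.
    start = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
    t0 = (start - WEBKIT_EPOCH) // timedelta(microseconds=1)
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    db.executemany("INSERT INTO urls VALUES (?, ?)", [
        (1, "https://search.example.com/?q=free+pdf+editor"),
        (2, "https://downloads.example.net/pdf-editor")])
    db.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, t0), (2, 2, t0 + 20_000_000)])
    db.execute("INSERT INTO downloads VALUES (1, ?, ?)",
               (r"C:\Users\sample\Downloads\setup.exe", t0 + 35_000_000))
    # chain_index 0 is the first URL requested; the highest index is the
    # final URL after redirects, i.e. where the bytes actually came from.
    db.executemany("INSERT INTO downloads_url_chains VALUES (1, ?, ?)", [
        (0, "https://downloads.example.net/get?id=7"),
        (1, "https://cdn.example.org/files/setup.exe")])
    return db

def timeline(db):
    """Merge visits and downloads into one UTC-ordered list of events."""
    rows = db.execute("""
        SELECT v.visit_time AS ts, 'visit' AS kind, u.url AS url, NULL AS path
          FROM visits v JOIN urls u ON u.id = v.url
        UNION ALL
        SELECT d.start_time, 'download',
               (SELECT c.url FROM downloads_url_chains c WHERE c.id = d.id
                 ORDER BY c.chain_index DESC LIMIT 1), d.target_path
          FROM downloads d
        ORDER BY ts""").fetchall()
    return [(webkit_to_utc(ts).isoformat(), kind, url, path)
            for ts, kind, url, path in rows]

if __name__ == "__main__":
    for event in timeline(sample_history()):
        print(event)
```

On a real case, run the same query against a working copy of the profile's `History` file rather than the live file, which the browser keeps locked while it is running.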
Collecting, Decoding, and Viewing “Web Browser” with TensorGuard
- Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
- Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
- Download the TensorGuard Forensic Collector, which is linked inside the case menu, and run it on your target system.
- In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
- Now that you have a device enrolled, select the device(s) and click “Send Signal”. Answer the questions about what you want to look for in the analysis, whether to alert on positive findings, and whether the collection and analysis should be recurring.
- Once the report is generated, the Web Browser artifact is delivered in the browser, alongside an executive summary and timeline of findings.
