extracting-browser-history-artifacts


Extract and analyze browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge for forensic evidence of user web activity.


Skill Content

# Extracting Browser History Artifacts

## When to Use

- When investigating user web activity as part of a forensic examination
- During insider threat investigations to establish patterns of data exfiltration
- When tracing user visits to malicious or policy-violating websites
- For correlating browser activity with other forensic artifacts and timelines
- When investigating phishing attacks to identify which links were clicked

## Prerequisites

- Forensic image or access to user profile directories
- SQLite3 for querying browser databases
- Hindsight, BrowsingHistoryView, or DB Browser for SQLite
- Knowledge of browser artifact file locations per OS
- Python 3 with sqlite3 module for automated extraction
- Understanding of Chrome, Firefox, and Edge storage formats

## Workflow

### Step 1: Locate Browser Artifact Files

```bash
# Mount forensic image
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence

# Chrome artifact locations (Windows)
CHROME_WIN="/mnt/evidence/Users/suspect/AppData/Local/Google/Chrome/User Data/Default"
# Key files: History, Cookies, Login Data, Web Data, Bookmarks, Preferences,
# Cache/, GPUCache/, Local Storage/, Session Storage/, IndexedDB/

# Firefox artifact locations (Windows)
FIREFOX_WIN="/mnt/evidence/Users/suspect/AppData/Roaming/Mozilla/Firefox/Profiles/*.default-release"
# Key files: places.sqlite, cookies.sqlite, formhistory.sqlite, logins.json,
# key4.db, sessionstore.jsonlz4, w...
```
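The following added example, which is not code from the skill or its repository, goes one step beyond Step 1: it reads the Chrome `History` and Firefox `places.sqlite` files named above with Python's sqlite3 module and merges the visits into one UTC timeline. The function names are hypothetical, and the two sample databases are constructed with only the columns the queries use.

```python
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/Edge: microseconds since 1601
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox: microseconds since 1970
# File name -> (epoch, query returning (timestamp_us, url, title) per visit)
QUERIES = {
    "History": (WEBKIT_EPOCH, "SELECT v.visit_time, u.url, u.title "
                "FROM visits v JOIN urls u ON u.id = v.url"),
    "places.sqlite": (UNIX_EPOCH, "SELECT v.visit_date, p.url, p.title FROM "
                      "moz_historyvisits v JOIN moz_places p ON p.id = v.place_id"),
}

def read_visits(db_path):
    """Return [(utc_datetime, url, title)] from a Chrome History or Firefox places.sqlite."""
    epoch, sql = QUERIES[Path(db_path).name]
    # mode=ro + immutable=1: SQLite takes no locks and writes nothing beside the evidence;
    # as_uri() percent-encodes the space in paths such as ".../User Data/Default".
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        rows = con.execute(sql).fetchall()
    return [(epoch + timedelta(microseconds=ts), url, title or "")
            for ts, url, title in rows if ts]

def build_timeline(*db_paths):
    """Merge visits from several browser databases into one UTC-ordered list."""
    return sorted((when, Path(p).name, url, title)
                  for p in db_paths for when, url, title in read_visits(p))

def _make_db(path, script):
    with closing(sqlite3.connect(path)) as con:
        con.executescript(script)

def demo():
    """Build two constructed sample databases (not real evidence) and merge them."""
    with tempfile.TemporaryDirectory() as tmp:
        chrome, firefox = Path(tmp, "History"), Path(tmp, "places.sqlite")
        _make_db(chrome, "CREATE TABLE urls(id INTEGER PRIMARY KEY, url, title);"
                 "CREATE TABLE visits(id INTEGER PRIMARY KEY, url, visit_time);"
                 "INSERT INTO urls VALUES (1, 'https://example.com/login', 'Login');"
                 "INSERT INTO visits VALUES (1, 1, 13348540800000000);")
        _make_db(firefox, "CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url, title);"
                 "CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id, visit_date);"
                 "INSERT INTO moz_places VALUES (1, 'https://example.org/file.zip', NULL);"
                 "INSERT INTO moz_historyvisits VALUES (1, 1, 1704067199000000);")
        return build_timeline(chrome, firefox)
```

Call `build_timeline()` with the paths located in Step 1; each entry is `(UTC time, source file, URL, title)`.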

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0


Similar Skills

Semantically similar based on skill content — not just same category


analyzing-browser-forensics-with-hindsight

Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.


analyzing-linux-system-artifacts

Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.


analyzing-windows-registry-for-artifacts

Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.


analyzing-usb-device-connection-history

Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.


analyzing-windows-amcache-artifacts

Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
