Using X-Ways Forensics to Review and Report on Internet Browser Activity

If selected as part of the volume snapshot refinement process, X-Ways Forensics will create HTML previews of Internet browser databases and extract tables as Tab Separated Values files from SQLite databases as child objects of the respective file (m. 6.3.3). The HTML preview is very accessible from the viewer component and may also be used to quickly report on the data extracted. Searches and indexing also benefit from the HTML preview and TSV files generated.

In addition, the extracted data is added to the event list, which may be used to sort browser history chronologically, and more!

RVS Options to Extract Internal Metadata, etc.

Specialist | Refine Volume Snapshot
Options to Extract internal metadata, browser history and events. Checking the two boxes indicated above results in two different types of child objects.

Setting the number of maximum rows (100 by default) per HTML table adds a new table that may aid the viewer component to preview the HTML child object. Setting a higher number may be appropriate if exclusively viewing the HTML child object with an Internet browser.


When “Create previews of browser databases, event logs, and $UsnJrnl:$J” and “Extract tables from various other SQLite databases” are checked as part of the RVS process for applicable artifacts, e.g., Chrome, Firefox, and Edge browser history, XWF will add child objects as virtual files.

When “Create previews of browser databases…” is checked, it will generate an HTML child object. The TSV child objects are generated by checking “Extract tables from various other SQLite databases”.
Be mindful of files and their respective descriptions.

Using browser history as an example, there are a few ways to review the information parsed by XWF:

Method | Notes

Events List | Accessible timestamp information that may be examined with existing artifacts in an XWF case. May be marked as notable, then exported as a list.

HTML Child Object | HTML child objects are based on the data parsed by XWF and include information not present in the events list description, e.g., visits, type duration. The HTML child object may be opened in Excel to filter rows, but only after separating the tables into another sheet. May be saved as an HTML or another file type.

Chrome/Edge child object (History):
History: Id, Time, Title, URL, Visits, Type, Duration, Transition
Keyword searches: Term, URL, Search time
Downloads: Path, URL, Start time, End time, Opened

Firefox child object (places.sqlite):
Bookmarks: Title, URL, Added, Modified
Places: Title, URL, Visits, Last visit, Visit type

TSV Child Objects | Parsed from SQLite tables, the TSV child objects may be used as a data source for Simultaneous Search or to preview the contents of a database for research.

Chrome/Edge child objects parsed tables from History:
content_annotations.tsv
context_annotations.tsv
downloads.tsv
downloads_url_chains.tsv
keyword_search_term.tsv
meta.tsv
segment_usage.tsv
sqlite_sequence.tsv
typed_url_sync_metadata.tsv
urls.tsv
visits.tsv

Firefox child objects parsed tables from places.sqlite:
moz_annos.tsv
moz_anno_attributes.tsv
moz_bookmarks.tsv
moz_historyvisits.tsv
moz_inputhistory.tsv
moz_meta.tsv
moz_origins.tsv
moz_places.tsv
sqlite_stat1.tsv

Helpful SQLite resources to consider:

- Heather Mahalik’s blog series on SQLite starting with part 1.

- Dirk Pawlaszczyk’s chapter 5 in Mobile Forensics – The File Format Handbook.

- Lee Reiber’s Mobile Forensic Investigations (2E), Chapter 14.

- Paul Sanderson’s SQLite Forensics.

- Rohit Tamma, Oleg Skulkin, Heather Mahalik & Satish Bommisetty’s Practical Mobile Forensics. Chapter 5, pages 110-115.

- Gianluca Tiepolo’s iOS Forensics for Investigators. Chapter 4, pages 90-107.

- SANS’ SQLite Pocket Reference Guide. https://www.sans.org/posters/sqlite-pocket-reference-guide/

Events List

The event list’s superpower is the ability to sort and filter various timestamps associated with certain events. This may be helpful when reviewing other information included in an XWF case.

For Internet activity, the events may be filtered by Type.

Event list type filter options.

The following are relevant event list types for information parsed from History or places.sqlite.

Event List Type | Description
Visited | [URL]
Other | End download, source: [URL] (target: [path])
Other | Start download, source: [URL] (target: [path])
Other | Search term: [search term]

The events may be listed in chronological order to identify a search term used and a URL visited after that search.

Notable events may be marked by selecting the event row and:

1. Directory browser context menu | Events | Mark as notable, OR

2. [space bar]

From the Event List, rows marked as notable may be filtered using the Timestamp column.

The filtered results may then be selected (Ctrl + A) then exported (Directory Browser context menu | Export list…).

Export list options.
Exported list with Timestamp, Type and Description columns.
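The chronological review described above can also be scripted against an exported list. The following is an added example, not part of the original post or of X-Ways Forensics: it assumes a tab-separated export with the Timestamp, Type and Description columns, a `YYYY-MM-DD HH:MM:SS` timestamp format, and a hypothetical five-minute correlation window; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an exported event list (tab-separated). Column names
# come from the post; the timestamp format is an assumption.
SAMPLE_EXPORT = (
    "Timestamp\tType\tDescription\n"
    "2022-06-01 14:05:10\tVisited\thttps://files.example.test/tool.zip\n"
    "2022-06-01 14:03:22\tOther\tSearch term: portable wipe tool\n"
    "2022-06-01 14:03:40\tVisited\thttps://search.example.test/?q=portable+wipe+tool\n"
    "2022-06-01 14:05:12\tOther\tStart download, source: "
    "https://files.example.test/tool.zip (target: C:\\Users\\demo\\Downloads\\tool.zip)\n"
    "2022-06-01 16:30:00\tVisited\thttps://news.example.test/\n"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"      # assumed export format
SEARCH_PREFIX = "Search term: "      # description prefix shown in the post

def load_events(text):
    """Parse the export and return (timestamp, type, description) in time order."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    events = [(datetime.strptime(r["Timestamp"], TS_FORMAT), r["Type"], r["Description"])
              for r in reader]
    return sorted(events, key=lambda e: e[0])

def visits_after_searches(events, window=timedelta(minutes=5)):
    """For each search term, list the Visited events that follow within the window."""
    results = []
    for i, (ts, etype, desc) in enumerate(events):
        if etype != "Other" or not desc.startswith(SEARCH_PREFIX):
            continue
        followed = []
        for later_ts, later_type, later_desc in events[i + 1:]:
            if later_ts - ts > window:
                break                # events are sorted, nothing later can match
            if later_type == "Visited":
                followed.append((later_ts, later_desc))
        results.append((ts, desc[len(SEARCH_PREFIX):], followed))
    return results

if __name__ == "__main__":
    for ts, term, followed in visits_after_searches(load_events(SAMPLE_EXPORT)):
        print(f"{ts}  search: {term!r}")
        for visit_ts, url in followed:
            print(f"    {visit_ts}  {url}")
```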

HTML Child Object

Checking “Create previews of browser databases, event logs, and $UsnJrnl:$J” will generate the HTML child object. XWF supports several data sources that are described in section 6.3.3(f) of the manual. Chrome’s History HTML child object displays browsing history, keyword searches, and downloads in three distinct tables. The HTML child object also has columns for visits and type duration – columns that are not populated in the events list as of 20.5 SR-2. While the child object may be previewed with the viewer component, my preference is using an Internet browser or Excel.

Previewing the HTML child object.

Opening the HTML child object in Excel may offer additional flexibility through filtering and sorting. However, to ensure the columns are sorted properly, the tables for history, keyword searches and downloads need to be separated into their own sheet.

Quick Excel Tip:

Rather than clicking and dragging a section of rows and columns, you may extend data selection to a blank row or column in Excel using Ctrl + Shift + [🠡, 🠣, 🠤, or 🠢].

1. For the HTML child object, start with the History table by selecting its label (row 6). Use the extended selection shortcut by pressing Ctrl+Shift and then 🠣🠣. The first 🠣 will select rows 6 through 8. The second 🠣 will select rows through the next blank row.

2. With the data selected, copy and paste to another worksheet. Repeat with additional tables.

3. Save as an Excel or HTML file. Saving it as an HTML file will also generate a directory for its resources.

View of the HTML file, with tabbed pages, after editing in Excel and viewed with Edge.

TSV Child Objects

If “Extract tables from various other SQLite databases” is checked, XWF will extract the tables as TSV child objects, which are named after the table (6.3.3g). Consequently, notable search hits may identify a table for further examination.

If a situation requires it, the TSV child objects may be opened in a program of your choice.

This TSV file was opened in Excel (Directory Browser Context Menu | Viewer Programs | Associated Program OR Selected Program).
The data was transformed in Excel (Version 2205) using Power Query Editor by clicking on Data | From Table/Range | Transform | Split Column, By tab Delimiters into columns | Close & Load.
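As an alternative to Excel, the urls.tsv and visits.tsv child objects can be joined in a short script to validate the history timeline. This is an added example, not from the original post or X-Ways: it assumes each TSV starts with a header row carrying Chrome's column names, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed samples standing in for urls.tsv and visits.tsv. A header row
# with Chrome's column names is an assumption about the TSV layout.
URLS_TSV = (
    "id\turl\ttitle\tvisit_count\n"
    "1\thttps://search.example.test/?q=portable+wipe+tool\tSearch\t1\n"
    "2\thttps://files.example.test/tool.zip\tDownload\t2\n"
)
VISITS_TSV = (
    "id\turl\tvisit_time\tfrom_visit\tvisit_duration\n"
    "11\t2\t13298565910000000\t10\t0\n"
    "10\t1\t13298565820000000\t0\t90000000\n"
    "12\t2\t0\t0\t0\n"   # zero timestamp: no usable time recorded
)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(raw):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    value = int(raw)
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value > 0 else None

def read_tsv(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE))

def build_timeline(urls_text, visits_text):
    """Join visits.url to urls.id; return (dated rows in time order, undated rows)."""
    urls = {row["id"]: row for row in read_tsv(urls_text)}
    timeline, undated = [], []
    for visit in read_tsv(visits_text):
        page = urls.get(visit["url"])            # visits.url is a key into urls.id
        when = webkit_to_utc(visit["visit_time"])
        location = page["url"] if page else f"<missing urls.id {visit['url']}>"
        seconds = int(visit["visit_duration"]) / 1_000_000   # stored in microseconds
        (timeline if when else undated).append((when, location, seconds))
    return sorted(timeline, key=lambda e: e[0]), undated

if __name__ == "__main__":
    dated, undated = build_timeline(URLS_TSV, VISITS_TSV)
    for when, location, seconds in dated:
        print(f"{when.isoformat()}  {seconds:7.1f}s  {location}")
    print(f"{len(undated)} visit(s) without a usable timestamp")
```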

Summary

Perhaps a preferred tool is not available, or a reporting function is not working. If XWF is part of your toolkit, it may be used to extract Internet browser activity for examination and/or validation of other tools.

As demonstrated, data extracted may be reviewed in an event list, the HTML child object, or the TSV child object. With some practical application of filters, Simultaneous Search, and some Excel know-how, reporting on Internet activity is very manageable with XWF.

It is nice to know you have options.

Related

Ted Smith’s video on Finding and parsing Internet Explorer Index.dat files and Parsing SQLite Database with X-Ways Forensics.

3 thoughts on “Using X-Ways Forensics to Review and Report on Internet Browser Activity”

  1. Hello,
    I would like to know if you have a solution to do data visualization on data from browsers?

    (usage statistics, reconciliation, correspondence, etc…)
    thank you


    1. I’ve done a couple of things to summarize browser usage.
      1) Summarize frequency of domains visited summarized by day, week, or month.
      2) While not from a browser, data from a proxy service may categorize URLs. I’ll summarize the URLs by its category, e.g., shopping, technology, adult.

      Did you have a specific scenario in mind?
