Browser History & Downloads
Windows, User Activity, Disk Image
Location
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History
Description
SQLite databases for Chrome, Edge, and Firefox storing visited URLs with timestamps, download records with source URL and target path, search queries, and form autofill data.
Forensic Value
Browser history reveals initial access vectors such as phishing URLs and drive-by download sites. Download records link a malicious file to the exact URL it was fetched from and the time of download. Search queries may show attacker reconnaissance activity (searching for sensitive shares, admin portals). Multiple browser profiles may need to be checked.
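The download-to-URL linkage described above can be read directly from a working copy of the Chrome History file. The following Python is an added example, not part of the original page or of any listed tool. It assumes Chrome's `downloads` and `downloads_url_chains` tables and its timestamp format (microseconds since 1601-01-01 UTC). The function names and the sample database are constructed for illustration.

```python
import sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Chrome History times are microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def download_records(history_path):
    """Return one dict per download: start time (UTC), target path, URL chain."""
    # Work on a copy of the evidence file; mode=ro + immutable=1 keeps SQLite
    # from writing to it or creating side files next to it.
    uri = Path(history_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT d.id, d.start_time, d.target_path, c.url "
            "FROM downloads d JOIN downloads_url_chains c ON c.id = d.id "
            "ORDER BY d.start_time, d.id, c.chain_index").fetchall()
    finally:
        con.close()
    records = {}
    for dl_id, start, target, url in rows:
        rec = records.setdefault(dl_id, {"time": webkit_to_utc(start),
                                         "target": target, "chain": []})
        rec["chain"].append(url)  # chain[0] = URL requested, chain[-1] = final URL
    return list(records.values())

def build_sample_history(path):
    """Constructed sample data: only the columns queried above, not the full schema."""
    con = sqlite3.connect(path)
    con.executescript(r"""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
        INSERT INTO downloads VALUES (1, 'C:\Users\alice\Downloads\invoice.iso', 13350000000000000);
        INSERT INTO downloads_url_chains VALUES (1, 0, 'https://mail.example/redirect?id=7');
        INSERT INTO downloads_url_chains VALUES (1, 1, 'https://files.example/invoice.iso');
    """)
    con.close()

if __name__ == "__main__":
    sample = str(Path(tempfile.mkdtemp()) / "History")
    build_sample_history(sample)
    for rec in download_records(sample):
        print(rec["time"].isoformat(), " -> ".join(rec["chain"]), "=>", rec["target"])
```

Run it once per profile directory, since each profile keeps its own History file.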
Tools Required
KAPE
Hindsight (Chrome)
BrowsingHistoryView (NirSoft)
DB Browser for SQLite