Browser History & Downloads

Windows, User Activity, Disk Image

Location

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History

Description

SQLite databases for Chrome, Edge, and Firefox storing visited URLs with timestamps, download records with source URL and target path, search queries, and form autofill data.

Forensic Value

Browser history reveals initial access vectors such as phishing URLs and drive-by download sites. Download records link a malicious file to the exact URL it was fetched from and the time of download. Search queries may show attacker reconnaissance activity (searching for sensitive shares, admin portals). Multiple browser profiles may need to be checked.

Tools Required

  • KAPE
  • Hindsight (Chrome)
  • BrowsingHistoryView (NirSoft)
  • DB Browser for SQLite

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target WebBrowsers

Hindsight

hindsight.py -i "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default" -o C:\output\chrome_history

BrowsingHistoryView

BrowsingHistoryView.exe /scomma C:\output\browser_history.csv

SQLite

sqlite3 "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History" "SELECT url, title, datetime(last_visit_time/1000000-11644473600,'unixepoch') FROM urls ORDER BY last_visit_time DESC"
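
Added example, not part of the original page or of any tool listed above: a Python script that ties each download record to its ordered redirect chain and UTC start time, the linkage described under Forensic Value. It assumes Chrome's `downloads` and `downloads_url_chains` tables with the columns shown (the schema varies by Chrome version); the sample rows, the `example.test` URLs and the helper names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome timestamps are microseconds since 1601-01-01 UTC; 0 means unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def open_evidence(path):
    """Open a collected copy of History read-only so queries cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def download_timeline(conn):
    """Return one record per download, oldest first, with its redirect chain."""
    chains = {}
    for dl_id, url in conn.execute(
            "SELECT id, url FROM downloads_url_chains ORDER BY id, chain_index"):
        chains.setdefault(dl_id, []).append(url)
    rows = conn.execute("SELECT id, target_path, start_time, tab_url, referrer "
                        "FROM downloads ORDER BY start_time")
    return [{
        "started_utc": webkit_to_utc(start),
        "target_path": path,
        "tab_url": tab_url,      # page the user was on when the download began
        "referrer": referrer,
        # first entry = URL requested, last entry = URL that served the file
        "url_chain": chains.get(dl_id, []),
    } for dl_id, path, start, tab_url, referrer in rows]

def build_sample():
    """Constructed in-memory sample using a subset of Chrome's columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(r"""
    CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
        start_time INTEGER, tab_url TEXT, referrer TEXT);
    CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    INSERT INTO downloads VALUES (1, 'C:\Users\alice\Downloads\invoice.zip',
        13350000000000000, 'https://mail.example.test/inbox',
        'https://mail.example.test/inbox');
    INSERT INTO downloads_url_chains VALUES (1, 1, 'https://cdn.example.test/invoice.zip');
    INSERT INTO downloads_url_chains VALUES (1, 0, 'https://short.example.test/abc');
    """)
    return conn

if __name__ == "__main__":
    for record in download_timeline(build_sample()):
        print(record)
```

Pass `open_evidence()` a collected copy of the History file rather than the live profile, since a running browser keeps the database locked.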

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1189, T1566.002, T1071.001