
Before moving ahead, there is a very important topic we have to discuss: credential storage. Let's talk about it in this article.
----------------------------------------------------------------------------------------------------
Web browsers store credentials and other sensitive data for user convenience, but this also introduces security risks. Understanding how browsers manage credential storage, encryption mechanisms like DPAPI, and forensic recovery techniques is crucial for security professionals and incident responders.
----------------------------------------------------------------------------------------------------------
Let's first talk about how Chromium-based browsers and Firefox approach credential storage.
How Chromium-Based Browsers Store Credentials
Chromium-based browsers, including Google Chrome, Microsoft Edge, and Brave, use an SQLite database named Login Data to store saved credentials.

This database contains a logins table that records:
Website URL (origin_url and action_url)
Username and encrypted password
Date of creation and last usage

Interestingly, even when users select “Never” in the save password dialog, the browser still logs this decision!
These entries appear in the database with blacklisted_by_user = 1, meaning you can still retrieve information about sites the user visited but refused to save passwords for.

If the user simply closes the save password prompt without selecting an option, an entry is logged in the stats table, including:
origin_domain (Website URL)
username_value (Entered username)
dismissal_count (Number of times the prompt was closed)
update_time (Last dismissal timestamp)
Key Takeaways for Forensic Analysis
Even unsaved credentials leave traces in the database.
Synchronization across devices means credentials from another device might appear in local browser files.
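A triage query over the logins and stats tables described above, added here as an example (it is not code from the original article). It runs against a constructed in-memory database; the column names password_value, date_created and date_last_used and the timestamp format (microseconds since 1601-01-01 UTC) are assumptions based on current Chromium builds.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    # Assumption: Chromium timestamp format, microseconds since 1601-01-01 UTC.
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def build_sample_db():
    # Constructed stand-in for a working copy of "Login Data": only the
    # columns discussed above are created, and every row is made up.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE logins (origin_url TEXT, action_url TEXT, username_value TEXT,
            password_value BLOB, date_created INTEGER, date_last_used INTEGER,
            blacklisted_by_user INTEGER);
        CREATE TABLE stats (origin_domain TEXT, username_value TEXT,
            dismissal_count INTEGER, update_time INTEGER);
        INSERT INTO logins VALUES ('https://mail.example/', 'https://mail.example/login',
            'alice', x'763130', 13350000000000000, 13350000060000000, 0);
        INSERT INTO logins VALUES ('https://bank.example/', '', '', x'',
            13350000120000000, 0, 1);
        INSERT INTO stats VALUES ('https://shop.example/', 'alice@shop.example',
            3, 13350000180000000);
    """)
    return db

def triage(db):
    # Password blobs are never read: the metadata alone shows which sites were
    # saved, which were refused ("Never"), and where the prompt was dismissed.
    saved = [(u, n, webkit_to_utc(t)) for u, n, t in db.execute(
        "SELECT origin_url, username_value, date_created FROM logins "
        "WHERE blacklisted_by_user = 0 ORDER BY date_created")]
    refused = [(u, webkit_to_utc(t)) for u, t in db.execute(
        "SELECT origin_url, date_created FROM logins WHERE blacklisted_by_user = 1")]
    dismissed = [(d, n, c, webkit_to_utc(t)) for d, n, c, t in db.execute(
        "SELECT origin_domain, username_value, dismissal_count, update_time FROM stats")]
    return {"saved": saved, "never_save": refused, "dismissed": dismissed}

if __name__ == "__main__":
    for kind, rows in triage(build_sample_db()).items():
        for row in rows:
            print(kind, *row)
```

On a real case, replace build_sample_db() with sqlite3.connect() on a working copy of the evidence file, never the original.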
Firefox’s Approach to Credential Storage
Firefox takes a slightly different approach by using a JSON-formatted file called logins.json.

This file stores:
Website hostname and form submission URL
encryptedUsername and encryptedPassword
Timestamps for when credentials were created, last used, and changed

Timestamps are stored in Unix epoch milliseconds, allowing you to track user behavior over time.
------------------------------------------------------------------------------------------------------------
Now let's talk about the case where Windows Vault is in use.
Windows provides its own credential management system called Windows Vault (or Credential Manager), which is used to store passwords for:
Internet Explorer
Remote Desktop sessions
Network shares
Various Windows applications
Credential data is stored in the following directories:
%USERPROFILE%\AppData\Local\Microsoft\Vault\{GUID}
%USERPROFILE%\AppData\Roaming\Microsoft\Vault\{GUID}
\Windows\System32\config\systemprofile\AppData\Local\Vault\{GUID}
\Windows\System32\config\systemprofile\AppData\Roaming\Vault\{GUID}
Each credential is stored as a .vcrd file, while the .vpol file contains the encryption keys.
------------------------------------------------------------------------------------------------------------
Firefox Session Restore: A Hidden Treasure Trove
Firefox introduced Session Restore long before other browsers, allowing users to recover their browsing sessions after crashes or updates. This feature logs a wealth of data, including:
All open tabs and windows
Browser window dimensions and positions
Scroll position for each tab
Complete tab history
Cookies and form data
Details of failed downloads
Where is This Data Stored?
The session restore data is kept in sessionstore.jsonlz4, a compressed JSON file in the Firefox profile folder. Interestingly, this file is deleted upon normal browser exit, but you can still recover multiple historical copies due to the lack of immediate overwriting.
Additional backup files exist in the sessionstore-backups folder:
recovery.jsonlz4 – Live session tab data
recovery.baklz4 – Backup of recovery.jsonlz4
previous.jsonlz4 – Data from the previous browsing session
upgrade.jsonlz4-<buildID> – Session details from the last Firefox update cycle

Older Firefox versions used uncompressed files, meaning you may find files like sessionstore.js, recovery.js, and previous.js in legacy cases.
-------------------------
Now, if you look closely, Firefox uses a newer compression technique.
Any file whose name ends in one of the following extensions is compressed:
jsonlz4
json.mozlz4
baklz4
I know, I know, you will ask, "Dean, how can we decompress it to get the details?" Worry not, I am here for you.
Use the tool dejsonlz4.v1.1
Command:
C:\Users\Akash's\Downloads\dejsonlz4.v1.1\bin-win32>dejsonlz4.exe "C:\Users\Akash's\AppData\Roaming\Mozilla\Firefox\Profiles\8teby4gw.default-release\sessionstore-backups\previous.jsonlz4" "C:\Users\Akash's\Downloads\sessionstore.json"
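A pure-Python reader for the same files, added here as an example (it is not taken from dejsonlz4 or from the original article). It relies on the file layout Firefox uses for these files: an 8-byte mozLz40 magic, a 4-byte little-endian decompressed size, then one raw LZ4 block. The sample bytes are constructed.

```python
import json
import struct

MAGIC = b"mozLz40\0"  # 8-byte magic at the start of Firefox jsonlz4/baklz4 files

def lz4_block(src, expected_size):
    """Decode one raw LZ4 block, rejecting offsets that point outside the output."""
    out, i = bytearray(), 0
    while i < len(src):
        token = src[i]; i += 1
        lit_len = token >> 4
        if lit_len == 15:                      # length continues in extra bytes
            while src[i] == 255:
                lit_len += 255; i += 1
            lit_len += src[i]; i += 1
        if i + lit_len > len(src):
            raise ValueError("literal run is truncated")
        out += src[i:i + lit_len]; i += lit_len
        if i == len(src):                      # final sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8); i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("match offset outside decoded data")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while src[i] == 255:
                match_len += 255; i += 1
            match_len += src[i]; i += 1
        for _ in range(match_len):             # byte-wise so overlapping matches work
            out.append(out[-offset])
    if len(out) != expected_size:
        raise ValueError("decoded size does not match header")
    return bytes(out)

def read_mozlz4(data):
    """Return the parsed JSON from the raw bytes of a jsonlz4 file."""
    if data[:8] != MAGIC:
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack_from("<I", data, 8)
    try:
        return json.loads(lz4_block(data[12:], size))
    except IndexError:
        raise ValueError("compressed stream is truncated") from None

# Constructed sample: 8 literals, an 8-byte match at offset 2, then 2 literals.
SAMPLE = MAGIC + struct.pack("<I", 18) + b'\x84{"k":"ab\x02\x00\x20"}'

if __name__ == "__main__":
    print(read_mozlz4(SAMPLE))
```

The explicit errors matter for carved or partially overwritten copies of these files, which fail cleanly instead of producing a garbage session.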
------------------------------------------------------------------------------------------------------------
Disabling Session Restore: Can Users Cover Their Tracks?
While users can disable Session Restore, you can verify these settings in prefs.js if modifications exist:
Firefox 3 and below: browser.sessionstore.enabled = false
Firefox 3.5+: browser.sessionstore.max_tabs_undo = 0 and browser.sessionstore.max_windows_undo = 0
------------------------------------------------------------------------------------------------------------
Extracting and Decrypting Browser Passwords
Forensic Analysis Tools
The following tools help in extracting and decrypting browser passwords:
Firefox: Use WebBrowserPassView
Chrome: Use ChromePass
------------------------------------------------------------------------------------------------------------
Windows uses an encryption method called DPAPI
The Data Protection API (DPAPI) is a Windows encryption mechanism that secures stored passwords. Chrome and Edge rely on DPAPI to encrypt credentials.
DPAPI encryption is tied to the user’s Windows login credentials. If an attacker gains access to a user’s Windows profile, they can potentially decrypt stored passwords.
DPAPI Master Key Extraction
The DPAPI master key is stored in:
C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\
------------------------------------------------------------------------------------------------------------
Final Thoughts: What This Means for Security & Forensics
From a security perspective, browser credential storage is a double-edged sword. While it improves convenience for users, it also creates a goldmine of forensic evidence. Investigators can:
Extract saved usernames and metadata even if passwords are encrypted.
Recover browsing history even after deletion via session restore files.
Identify websites where users attempted to log in but chose not to save passwords.
How Users Can Protect Themselves
Use a password manager instead of browser-stored credentials.
Regularly clear session restore data and disable unnecessary features.
Turn on full-disk encryption to protect local credential databases.
Avoid syncing passwords across devices if security is a concern.
For forensic analysts, understanding where browsers store credentials and session data is key to uncovering crucial evidence in investigations. With browsers continuously evolving, staying up-to-date with storage mechanisms is essential for both investigators and security-conscious users.
------------------------------------------Dean---------------------------------------