
In 2019 Microsoft began rebuilding Edge on Chromium, the open-source project that powers Google Chrome, and shipped the Chromium-based browser in January 2020. Because Edge now shares Chrome's foundation, the forensic techniques used for Chrome investigations also apply to Edge.
Microsoft isn't just using Chromium; it actively contributes to its development. As long as Microsoft keeps submitting changes upstream to the Chromium project rather than making Edge-specific modifications, forensic tools built for Chrome will largely work on Edge profiles. The places where Edge does deviate (file names such as Bookmarks.msbak, Edge-only features such as IE Mode) are called out below.
-------------------------------------------------------------------------------------------------------
Even though Edge and Chrome are nearly identical, Microsoft has introduced a few unique features. One of the most intriguing is IE Mode, which lets a tab render with the legacy Internet Explorer engine; it is aimed mainly at enterprises that still depend on older web applications. Because such tabs are not rendered by Chromium, an investigation of a user who works in IE Mode should also cover the legacy Internet Explorer artifact locations rather than relying on the Edge profile alone.
Edge maintains the same folder structure as Chrome. The profile data lives under
%UserProfile%\AppData\Local\Microsoft\Edge\User Data
(compare Chrome's %UserProfile%\AppData\Local\Google\Chrome\User Data), with the per-profile artifacts in the Default folder or in Profile N folders beneath it. This makes it easy to apply existing Chrome forensic methodologies to Edge without major changes.
Similarities between Edge and Chrome artifacts:
Browser Artifact | Chrome | Edge |
Internet History | History | History |
Cache Files | data_#, f_###### | data_#, f_###### |
Cookies/Web Storage | Cookies (under the Network subfolder in current versions), Local Storage, File System, IndexedDB | Cookies (under the Network subfolder in current versions), Local Storage, File System, IndexedDB |
Bookmarks | Bookmarks, Bookmarks.bak | Bookmarks, Bookmarks.msbak |
Download History | History | History |
Auto-Complete/Form History | History, Web Data, Login Data, Network Action Predictor | History, Web Data, Login Data, Network Action Predictor |
Installed Extensions | Extensions folder | Extensions folder |
Session Recovery | Session_<timestamp>, Tabs_<timestamp> | Session_<timestamp>, Tabs_<timestamp> |
Synchronization | Sync Data folder | Sync Data folder |
-------------------------------------------------------------------------------------------------------------
Investigating Downloads in Edge
Edge records extensive metadata on file downloads.
Records are stored in the History database (a SQLite file in the profile folder), specifically in the downloads and downloads_url_chains tables (note the plural "downloads" in the chain table's name; the chain table is joined to downloads on id). Key fields in these tables include:

current_path/target_path – Where the file was saved (current_path is the in-progress name, e.g. a .crdownload file; target_path is the final name).
start_time/end_time – Timestamps in WebKit format (microseconds since 1601-01-01 UTC; 0 means not set).
state – The download's final state.
State codes
Code | Description |
0 | In Progress |
1 | Complete |
2 | Cancelled |
3 | Interrupted (legacy value written by older Chromium builds; treat as Interrupted) |
4 | Interrupted |
danger_type – Whether the file was flagged as dangerous by Safe Browsing / SmartScreen, and how the user responded.
Danger type codes
Code | Description |
0 | Not Dangerous |
1 | Dangerous File (by file type) |
2 | Dangerous URL |
3 | Dangerous Content |
4 | Maybe Dangerous Content |
5 | Uncommon Content |
6 | User Validated (a warning was shown and the user chose to keep the file) |
7 | Dangerous Host |
8 | Potentially Unwanted |
9 | Allowlisted by Policy |
10 | Async Scanning (verdict still pending) |
11 | Blocked: Password Protected |
12 | Blocked: Too Large |
13 | Sensitive Content Warning |
14 | Sensitive Content Block |
interrupt_reason – Why a download failed (e.g., flagged as malware). Only meaningful when state is Interrupted.
Interrupt reason codes

Code | Description |
0 | None |
1 | File Failed (generic) |
2 | Access Denied |
3 | No Space |
5 | Filename Too Long |
6 | File Too Large |
7 | Virus Infected (the post-download antivirus scan rejected the file) |
11 | File Blocked (by policy) |
12 | Failed Security Check |
20 | Network Error |
21 | Network Timeout |
22 | Network Disconnected |
23 | Server Down |
30 | Server Failed |
40 | User Cancelled |
41 | User Shutdown |
50 | Browser Crash |
opened – Whether the user opened the file from the browser's download manager (1 = yes).
last_access_time – When the file was last opened via the browser (WebKit format; 0 if never).
tab_url & tab_referrer_url – The URL of the tab that initiated the download, and that tab's referrer.
site_url – The site from which the download originated.
mime_type – The MIME type assigned to the file; compare it with the extension in target_path (a mismatch such as application/x-msdownload saved as .pdf.exe is worth a closer look).
Other useful columns are referrer, received_bytes/total_bytes (an incomplete transfer shows fewer bytes received than expected) and by_ext_id/by_ext_name, which are populated when an extension triggered the download.
-------------------------------------------------------------------------------------------------------------
Download Chains and Redirects
The downloads_url_chains table helps reconstruct the sequence of URLs that led to a file being downloaded: one row per hop, keyed by the download id, with chain_index 0 holding the URL the user originally requested and the highest index holding the URL the bytes finally came from.

This is useful when a website employs multiple redirects to obscure the true origin of a file, a common tactic in phishing and malware distribution.
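The following script is an added example, not code from the original post: it builds a small in-memory stand-in for the History database (a constructed subset of the real downloads and downloads_url_chains columns, with made-up rows), decodes the WebKit timestamps and the numeric state, danger_type and interrupt_reason columns with the tables above, joins each download to its redirect chain, and pulls out the indicators an analyst would triage first. Run it against a real History copy by replacing build_sample_history() with sqlite3.connect() on the file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Code tables transcribed from the enums Chromium writes into the History database.
STATE = {0: "in progress", 1: "complete", 2: "cancelled",
         3: "interrupted (legacy code)", 4: "interrupted"}
DANGER_TYPE = {0: "not dangerous", 1: "dangerous file", 2: "dangerous url",
               3: "dangerous content", 4: "maybe dangerous content",
               5: "uncommon content", 6: "user validated", 7: "dangerous host",
               8: "potentially unwanted", 11: "blocked: password protected",
               13: "sensitive content warning", 14: "sensitive content block"}
INTERRUPT_REASON = {0: "none", 1: "file failed", 2: "access denied", 3: "no space",
                    5: "filename too long", 6: "file too large", 7: "virus infected",
                    12: "failed security check", 20: "network error",
                    40: "user cancelled", 41: "user shutdown", 50: "browser crash"}
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """WebKit/Chromium timestamps are microseconds since 1601-01-01 UTC; 0 means unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None


def build_sample_history():
    """Constructed stand-in for a History file: a subset of the real downloads and
    downloads_url_chains columns, populated with made-up rows (example.* hosts)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
            start_time INTEGER, end_time INTEGER, state INTEGER, danger_type INTEGER,
            interrupt_reason INTEGER, opened INTEGER, last_access_time INTEGER,
            tab_url TEXT, tab_referrer_url TEXT, site_url TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER NOT NULL, chain_index INTEGER NOT NULL, url TEXT NOT NULL,
            PRIMARY KEY (id, chain_index));
    """)
    t0 = 13349793600000000  # 2024-01-15 12:00:00 UTC in WebKit microseconds
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", [
        # Kept after a Safe Browsing warning (danger_type 6), then opened from the shelf.
        (1, r"C:\Users\dean\Downloads\invoice.pdf.exe", r"C:\Users\dean\Downloads\invoice.pdf.exe",
         t0, t0 + 30_000_000, 1, 6, 0, 1, t0 + 95_000_000,
         "https://mail.example.com/inbox", "https://mail.example.com/",
         "https://mail.example.com/", "application/x-msdownload"),
        # Interrupted by the post-download antivirus scan (interrupt_reason 7).
        (2, "", r"C:\Users\dean\Downloads\setup.exe",
         t0 + 600_000_000, t0 + 605_000_000, 4, 0, 7, 0, 0,
         "https://www.example.org/tools", "", "https://www.example.org/",
         "application/octet-stream"),
    ])
    db.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://mail.example.com/attachment?id=42"),
        (1, 1, "https://short.example.net/r/7f3a"),
        (1, 2, "https://dl.example.org/files/invoice.pdf.exe"),
        (2, 0, "https://www.example.org/downloads/setup.exe"),
    ])
    return db


def reconstruct_downloads(db):
    """Join downloads with their URL chains and decode the numeric columns."""
    chains = {}
    for did, url in db.execute(
            "SELECT id, url FROM downloads_url_chains ORDER BY id, chain_index"):
        chains.setdefault(did, []).append(url)
    records = []
    for row in db.execute(
            "SELECT id, target_path, start_time, end_time, state, danger_type, "
            "interrupt_reason, opened, last_access_time, tab_url, mime_type "
            "FROM downloads ORDER BY start_time"):
        records.append({
            "id": row[0], "target_path": row[1],
            "start": webkit_to_datetime(row[2]), "end": webkit_to_datetime(row[3]),
            "state": STATE.get(row[4], f"unknown ({row[4]})"),
            "danger_type": DANGER_TYPE.get(row[5], f"unknown ({row[5]})"),
            "interrupt_reason": INTERRUPT_REASON.get(row[6], f"unknown ({row[6]})"),
            "opened": bool(row[7]), "last_access": webkit_to_datetime(row[8]),
            "tab_url": row[9], "mime_type": row[10], "chain": chains.get(row[0], []),
        })
    return records


def triage_flags(rec):
    """Indicators worth pulling out first; returns a list of short reasons."""
    flags = []
    if rec["danger_type"] != "not dangerous":
        flags.append("danger_type=" + rec["danger_type"])
    if rec["interrupt_reason"] in ("virus infected", "failed security check"):
        flags.append("blocked: " + rec["interrupt_reason"])
    hosts = {urlsplit(u).netloc for u in rec["chain"]}
    if len(hosts) > 1:
        flags.append(f"redirect chain across {len(hosts)} hosts")
    if rec["target_path"].lower().endswith((".exe", ".scr", ".js", ".hta")) and rec["opened"]:
        flags.append("executable opened from the browser")
    return flags


if __name__ == "__main__":
    for rec in reconstruct_downloads(build_sample_history()):
        print(rec["id"], rec["start"], rec["target_path"], rec["state"], triage_flags(rec))
        for i, url in enumerate(rec["chain"]):
            print("   ", i, url)
```

The join on id plus ORDER BY chain_index is what reconstructs the redirect path; a chain that spans several hosts and ends at a domain the user never typed is the pattern described above.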
-------------------------------------------------------------------------------------------------------------
Browser Extensions: The Silent Threat
Chromium-based browsers, including Edge, support a vast range of extensions. While this is great for customization, it also opens the door to security risks. Rogue extensions are a growing threat, often used to steal data (cookies, form input, page content) or to redirect traffic and install further malware.
Each installed extension is stored in its own folder within the Extensions directory of the Edge profile. The folder name is the extension ID, a 32-character string of the letters a–p derived from the extension's public key, and each installed version sits in a version-numbered subfolder beneath it.

Inside, the manifest.json file contains key details such as:
name – The extension's official name (may be a __MSG_…__ placeholder resolved from _locales/<default_locale>/messages.json).
description – A brief summary of its purpose.
version – The installed version.
permissions and host_permissions – What the extension can do and which sites it can touch (<all_urls>, cookies, webRequest and similar deserve attention).
content_scripts, background – The code it injects into pages and the code that runs in the background.
update_url and other metadata – A store update URL points to a store-installed extension; its absence is typical of unpacked or self-hosted extensions.

While most forensic tools can extract this data, manually reviewing manifest.json can sometimes reveal hidden or misleading details.
-------------------------------------------------------------------------------------------------------------
Tools like Hindsight can automate this process by parsing manifest.json files and displaying installed extensions in an easy-to-read format.
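As an added example (not code from the original post, from Hindsight, or from Microsoft), the script below walks an Extensions folder with the on-disk layout Extensions/<id>/<version>/manifest.json, resolves localized __MSG_…__ names from the _locales messages file, and summarizes each extension's permissions and origin. The two extensions it inspects are a constructed fixture written into a temporary directory; their IDs are made up, and the risky-permission watch-list is an assumption to tune per case.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed watch-list of permissions that give an extension broad reach; tune per case.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs",
             "history", "clipboardRead", "nativeMessaging", "debugger", "scripting"}
MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def resolve_message(value, messages):
    """Manifest strings may be localized as __MSG_key__ and resolved from
    _locales/<default_locale>/messages.json; a tool that skips this shows the placeholder."""
    m = MSG_RE.match(value or "")
    return messages.get(m.group(1), {}).get("message", value) if m else value


def load_json(path):
    return json.loads(Path(path).read_text(encoding="utf-8-sig"))


def parse_extension(version_dir):
    """Summarize one Extensions/<id>/<version>/ directory from its manifest.json."""
    version_dir = Path(version_dir)
    manifest = load_json(version_dir / "manifest.json")
    messages = {}
    locale = manifest.get("default_locale")
    if locale and (version_dir / "_locales" / locale / "messages.json").exists():
        messages = load_json(version_dir / "_locales" / locale / "messages.json")
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return {
        "id": version_dir.parent.name,
        "version": manifest.get("version"),
        "manifest_version": manifest.get("manifest_version"),
        "name": resolve_message(manifest.get("name"), messages),
        "description": resolve_message(manifest.get("description"), messages),
        "update_url": manifest.get("update_url"),
        "permissions": sorted(perms),
        "risky_permissions": sorted(perms & HIGH_RISK),
        "content_script_matches": sorted(
            {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}),
    }


def inventory(extensions_root):
    """Walk the on-disk layout Extensions/<id>/<version>/manifest.json."""
    return [parse_extension(p.parent)
            for p in sorted(Path(extensions_root).glob("*/*/manifest.json"))]


def build_sample_profile(root):
    """Constructed fixture: a sideloaded extension with a localized name, every-site access
    and no store update_url, next to an ordinary store-installed one. IDs are made up."""
    root = Path(root)
    side = root / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.2.0"
    (side / "_locales" / "en").mkdir(parents=True)
    (side / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_extName__", "description": "__MSG_extDesc__",
        "default_locale": "en", "version": "1.2.0",
        "permissions": ["cookies", "webRequest", "storage"], "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
        "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]}))
    (side / "_locales" / "en" / "messages.json").write_text(json.dumps({
        "extName": {"message": "PDF Helper"},
        "extDesc": {"message": "Improves your PDF experience"}}))
    store = root / "iiiijjjjkkkkllllmmmmnnnnoooopppp" / "3.0.1"
    store.mkdir(parents=True)
    (store / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Note Taker", "description": "Simple notes",
        "version": "3.0.1", "permissions": ["storage"],
        "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx"}))


def inventory_sample():
    """Write the fixture to a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for ext in inventory_sample():
        origin = "store" if ext["update_url"] else "unpacked/sideloaded?"
        print(f'{ext["id"]} v{ext["version"]} "{ext["name"]}" [{origin}]')
        print("   risky:", ", ".join(ext["risky_permissions"]) or "-")
```

Point inventory() at a real profile's Extensions folder to get the same summary; the localized-name resolution is the kind of detail that separates a manual manifest review from a tool that only prints the raw name field.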
-------------------------------------------------------------------------------------------------------------
Browser Bookmarks
Bookmarks don’t always take center stage in forensic tools, yet they hold valuable insights into user behavior. These simple shortcuts, created intentionally by users, can reveal frequently visited websites, saved research, and even traces of malicious activity.
Why Bookmarks Matter in Digital Forensics
Bookmarks serve as personalized navigation aids, offering key details such as:
Website of interest – The exact URL, including any parameters embedded in it.
User profile association – Identifies which user created the bookmark.
Timestamps – When the bookmark was created (date_added) and, in recent Chromium versions, when it was last used (date_last_used).
Google Chrome & Microsoft Edge

Chrome and Edge (Chromium-based) store bookmarks in a JSON file named Bookmarks (without an extension) in the profile folder, which makes it easy to parse. A backup copy (Bookmarks.bak in Chrome, Bookmarks.msbak in Edge) preserves the previous state of the file.
Key fields in each bookmark entry:

date_added: Uses the WebKit timestamp format (microseconds since 1601-01-01 UTC, stored as a string).
source: Indicates how the bookmark was created (e.g., user-added or imported).
url: The saved web address.
name and guid: The display name and a stable identifier that survives re-ordering, useful for matching entries between the live file and its backup.
Forensic Considerations:
Look for the backup files (Bookmarks.bak or Bookmarks.msbak) to retrieve deleted bookmarks: an entry present in the backup but absent from the live file was removed after the backup was written.
Investigate archived copies of the profile that the browser keeps in its Snapshots folder across version upgrades:
%UserProfile%\AppData\Local\Google\Chrome\User Data\Snapshots
%UserProfile%\AppData\Local\Microsoft\Edge\User Data\Snapshots
If a user has cleared bookmarks, these backup and snapshot copies might still hold past evidence.
Bookmark locations for other browsers:
Browser | Bookmark Location(s) |
Chrome | Bookmarks, Bookmarks.bak |
Edge | Bookmarks, Bookmarks.msbak |
Internet Explorer | %UserProfile%\Favorites\*.url |
Firefox | places.sqlite (moz_bookmarks table), bookmarkbackups\bookmarks-<date>.jsonlz4 |
------------------------------------------------------------------------------------------------------------
Detecting Malicious Bookmarks
Bookmarks can sometimes be manipulated by malware, which injects rogue sites without the user's knowledge. Forensic investigators should look for:
Unusually high bookmark creation activity in a short period (many date_added values within seconds of each other indicate automation or script-based bookmark injection).
Bookmarks pointing to phishing pages or known malware-hosting domains.
Mismatch between user activity and bookmarks (e.g., a user who primarily visits tech forums but has multiple financial scam bookmarks).
How to Validate Suspicious Bookmarks:
Cross-check browser history – Was the site actually visited? A bookmark for a page that never appears in History was probably not created by hand.
Scan the system for malware – Look for persistence mechanisms.
Review antivirus logs – Any detections related to browser activity?
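The script below is an added example (not code from the original post) that ties the bookmark sections together: it walks the roots of a Bookmarks JSON file, decodes date_added, recovers entries that exist only in the backup copy, detects bursts of bookmarks created within seconds of each other, and cross-checks bookmarked URLs against a set of visited URLs. The Bookmarks and backup contents, the "source" values and the visited-URL set are constructed; on a real case, load the Bookmarks and Bookmarks.msbak files with json.load() and take the visited set from the urls table of History.

```python
import json
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
T0 = 13349793600000000  # 2024-01-15 12:00:00 UTC in WebKit microseconds (fixture base time)
DAY = 86_400_000_000


def webkit_to_datetime(value):
    """date_added is WebKit format (microseconds since 1601-01-01 UTC) stored as a string."""
    value = int(value or 0)
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None


def flatten(node, folder="", out=None):
    """Recursively walk roots -> folders -> url nodes, keeping the folder path."""
    out = [] if out is None else out
    if node.get("type") == "url":
        out.append({"guid": node.get("guid"), "name": node.get("name"), "url": node.get("url"),
                    "folder": folder, "source": node.get("source"),
                    "date_added": webkit_to_datetime(node.get("date_added"))})
    for child in node.get("children", []):
        flatten(child, f"{folder}/{node.get('name', '')}", out)
    return out


def load_bookmarks(data):
    """Accept the parsed JSON of a Bookmarks / Bookmarks.bak / Bookmarks.msbak file."""
    items = []
    for root in data.get("roots", {}).values():
        if isinstance(root, dict):
            flatten(root, "", items)
    return items


def deleted_since_backup(current, backup):
    """Entries present in the backup but gone from the live file (matched by guid, then url)."""
    live_guids = {b["guid"] for b in current}
    live_urls = {b["url"] for b in current}
    return [b for b in backup if b["guid"] not in live_guids and b["url"] not in live_urls]


def creation_bursts(items, window=timedelta(seconds=10), threshold=5):
    """Groups of >= threshold bookmarks added within one window: a hint of scripted injection."""
    stamped = sorted((b for b in items if b["date_added"]), key=lambda b: b["date_added"])
    bursts, i = [], 0
    while i < len(stamped):
        j = i
        while j + 1 < len(stamped) and stamped[j + 1]["date_added"] - stamped[i]["date_added"] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append(stamped[i:j + 1])
        i = j + 1
    return bursts


def never_visited(items, visited_urls):
    """Bookmarks with no matching URL in History: users rarely bookmark pages they never opened."""
    return [b for b in items if b["url"] not in visited_urls]


def _url_node(guid, name, url, ts, source="user_add"):
    # Constructed node; "source" values here are placeholders, not a list of real ones.
    return {"type": "url", "guid": guid, "id": guid[-2:], "name": name, "url": url,
            "date_added": str(ts), "source": source}


def build_samples():
    """Constructed Bookmarks and backup contents in the layout of the real JSON files:
    two ordinary bookmarks, six injected within three seconds, one deleted after the backup."""
    normal = [_url_node("g-0001", "Python docs", "https://docs.python.org/3/", T0 - 30 * DAY),
              _url_node("g-0002", "Kernel mailing list", "https://lkml.org/", T0 - 5 * DAY)]
    injected = [_url_node(f"g-01{i:02d}", f"Secure Login {i}",
                          f"https://login-verify{i}.example.net/auth", T0 + i * 500_000)
                for i in range(6)]
    removed = _url_node("g-0003", "Bank portal", "https://bank.example.com/", T0 - 20 * DAY)

    def doc(children):
        return {"version": 1, "roots": {
            "bookmark_bar": {"type": "folder", "name": "Favorites bar", "children": children},
            "other": {"type": "folder", "name": "Other favorites", "children": []}}}
    return doc(normal + injected), doc(normal + [removed])


if __name__ == "__main__":
    current, backup = build_samples()
    live, old = load_bookmarks(current), load_bookmarks(backup)
    visited = {"https://docs.python.org/3/", "https://lkml.org/"}  # constructed History urls
    print("deleted since backup:", [b["name"] for b in deleted_since_backup(live, old)])
    for burst in creation_bursts(live):
        print(f"burst of {len(burst)} starting {burst[0]['date_added']}:",
              [b["url"] for b in burst])
    print("never visited:", [b["url"] for b in never_visited(live, visited)])
```

The burst detector measures the window from the first entry of a run, so six entries half a second apart form one burst, while the two hand-made bookmarks days apart do not; the never-visited check is the history cross-check from the validation list, with the History urls table standing in for the constructed set.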
Final Thoughts
Forensic analysis isn’t just about looking at history logs—it’s about understanding user behavior through every available artifact. And in that regard, bookmarks offer a surprisingly rich source of evidence.
----------------------------------------Dean-------------------------------------------