
Microsoft Edge introduced Collections, a unique feature that enhances how users organize and save web content. Unlike traditional bookmarks, Collections allow users to group URLs, images, text snippets, and notes in a structured way. This makes it an invaluable tool for research, productivity, and forensic investigations.
-----------------------------------------------------------------------------------------------------------
Where Collection Data is Stored
Edge stores Collection data in a dedicated database called collectionsSQLite, located within the Edge user profile’s Collections folder:
%UserProfile%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Collections\collectionsSQLite
This database contains multiple tables that document:
Contents of each Collection
Time of creation and modification
Order of stored items
Data origin (URLs, text, images, and notes)

Unlike browser history or cookies, Collections are not cleared via Edge’s ‘Clear Browsing Data’ settings. Users must manually delete individual items or entire Collections, which immediately removes them from the database.
-------------------------------------------------------------------------------------------------------------
Breaking Down the Collections Database

1. collections Table (Overview of Collections)
This table helps forensic investigators get a big-picture view of the user’s Collections.
id – Unique Collection identifier.
date_created – Timestamp of when the Collection was made.
date_modified – Last modified timestamp.
title – User-assigned Collection name.
2. collections_items_relationship Table (Tracking Item Placement)
This table links individual items to their respective Collections.
item_id – Foreign key referencing the items table.
parent_id – Links items to a specific Collection.
position – The order of items within a Collection.
3. items Table (Detailed Information on Collection Items)
This is the most critical table for forensic analysis as it stores detailed item data.
id – Unique identifier for each saved item.
date_created – When the item was added.
date_modified – Last change timestamp.
title – Webpage title or user note title.
source – The original URL of the saved item.
text_content – Contains extracted webpage text, highlighted content, or user annotations.
type – Specifies the type of content (website, text, image, annotation).
Since users can save a mix of webpage links, snippets, and personal notes, this database provides valuable context for forensic analysis.
How to Correlate Data Between the Tables
Copy the id from the collections table --> find that value in the parent_id column of the collections_items_relationship table and copy the matching item_id --> look up that value in the id column of the items table.
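The manual copy-and-paste correlation above can be done in one query. The following is an added example, not code from the original post: it joins the three tables using the column names listed on this page, while the column types, the sample rows and the raw timestamp values are constructed assumptions (timestamps are left unconverted because the page does not state their format).

```python
import sqlite3
from pathlib import Path

# collections.id -> relationship.parent_id, relationship.item_id -> items.id
TIMELINE_SQL = """
SELECT c.title AS collection, r.position, i.type, i.title AS item_title,
       i.source, i.date_created AS item_created
FROM collections AS c
LEFT JOIN collections_items_relationship AS r ON r.parent_id = c.id
LEFT JOIN items AS i ON i.id = r.item_id
ORDER BY c.date_created, r.position
"""

def open_evidence_copy(path):
    """Open a working copy of collectionsSQLite read-only so analysis cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def collection_timeline(conn):
    """Return one dict per saved item, per Collection, in the stored item order.
    LEFT JOINs keep Collections that currently hold no items."""
    conn.row_factory = sqlite3.Row
    return [dict(row) for row in conn.execute(TIMELINE_SQL)]

def build_sample_db():
    """Constructed sample data; column types and timestamp values are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE collections (id TEXT PRIMARY KEY, date_created, date_modified, title TEXT);
    CREATE TABLE collections_items_relationship (item_id TEXT, parent_id TEXT, position INTEGER);
    CREATE TABLE items (id TEXT PRIMARY KEY, date_created, date_modified, title TEXT,
                        source TEXT, text_content TEXT, type TEXT);
    INSERT INTO collections VALUES ('c1', 1000, 1300, 'Trip research'),
                                   ('c2', 2000, 2000, 'Empty');
    INSERT INTO items VALUES
      ('i1', 1100, 1100, 'Example page', 'https://example.com/a', NULL, 'website'),
      ('i2', 1200, 1300, 'My note', NULL, 'call back Monday', 'annotation');
    INSERT INTO collections_items_relationship VALUES ('i2', 'c1', 0), ('i1', 'c1', 1);
    """)
    return conn

if __name__ == "__main__":
    for row in collection_timeline(build_sample_db()):
        print(row)
```

Against real evidence, pass the connection returned by open_evidence_copy() for a copied collectionsSQLite file to collection_timeline().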
-------------------------------------------------------------------------------------------------------------
Edge IE Mode: Bridging Old and New
Many businesses still rely on outdated web applications that only function properly in Internet Explorer (IE). To support them while enhancing security, Edge includes IE Mode, which allows users to access legacy sites using the IE Trident MSHTML engine inside Edge.
How IE Mode Works
Disabled by default: Users or administrators must manually enable it.
Controlled via Enterprise Tools: IT teams can enforce IE Mode for intranet sites via a cached XML list.
Security Enhancements: Unlike standalone Internet Explorer, IE Mode runs in a sandboxed environment for improved security.
IE Mode Artifacts and Forensic Implications
IE Mode leaves behind artifacts in both Edge and IE databases, making it essential for forensic investigations:
Edge History Database: Records visits to IE Mode sites.
IE WebCacheV* Database: Stores additional browsing history from the legacy engine.
Cache & Cookies: Found under INetCache and INetCookies, similar to old IE versions.
Interestingly, clearing Edge browsing data does not remove IE Mode artifacts. However, Edge provides a
-------------------------------------------------------------------------------------------------------------
Edge Privacy Features and Data Deletion
Microsoft Edge has significantly enhanced privacy controls compared to Chrome. Some key forensic considerations include:
Tracking Prevention: Users can select from three privacy levels – Basic, Balanced (default), or Strict. The selection is recorded in the Preferences file under enhanced_tracking_prevention.
Browsing Data Auto-Clear: Users can configure Edge to clear specific browsing data categories upon exit, a feature missing in Chrome.
Forensic Indicators: The clear_data_on_exit entry in Edge’s Preferences file logs whether data deletion was enabled and if it was later turned off.
Key Takeaway for Forensics
If expected browsing history or artifacts are missing, checking Edge privacy settings can explain why some data was deleted automatically.
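One way to pull the two Preferences entries named above without hard-coding where they sit in the file (an added example, not code from the original post): the Preferences file is JSON, and the search below reports every location of the key names given on this page. The sample document, its nesting and its values are constructed and hypothetical, not Edge's real layout.

```python
import json

# Key names as given on this page; their nesting inside Preferences is not assumed.
KEYS_OF_INTEREST = frozenset({"enhanced_tracking_prevention", "clear_data_on_exit"})

def find_keys(node, wanted=KEYS_OF_INTEREST, path=""):
    """Walk parsed JSON and return {dotted.path: value} for every wanted key."""
    hits = {}
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in wanted:
                hits[here] = value
            # Keep descending: the same key name may appear at several depths.
            hits.update(find_keys(value, wanted, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.update(find_keys(value, wanted, f"{path}[{index}]"))
    return hits

def privacy_settings(preferences_text):
    """Parse the text of a Preferences file and return the privacy entries found.
    An empty result means neither key is present in this profile's file."""
    return find_keys(json.loads(preferences_text))

# Constructed sample: nesting and values are hypothetical.
SAMPLE_PREFERENCES = json.dumps({
    "browser": {
        "enhanced_tracking_prevention": {"level": "strict"},
        "clear_data_on_exit": {"browsing_history": True, "cookies": False},
    },
    "other": {"unrelated": 1},
})

if __name__ == "__main__":
    for location, value in privacy_settings(SAMPLE_PREFERENCES).items():
        print(location, "=", value)
```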
------------------------------------------------------------------------------------------------------------
Conclusion
By knowing where and how Edge stores data, forensic analysts can extract crucial information that might be overlooked when relying solely on traditional browsing history analysis. 🚀
-----------------------------------------Dean--------------------------------------