
Search Results
- Firefox Cache: A Forensic Perspective (including parsing)
Firefox cache can be a goldmine of evidence. This cache stores web pages, images, and files locally to improve browsing speed, giving forensic investigators a window into the user’s browsing history and downloaded content.
-----------------------------------------------------------------------------------------------------------
Why Firefox Cache Matters in Forensics
The cache isn’t just a list of visited websites; it contains the actual content files retrieved during web sessions. This means an examiner can recover cached web pages, media files, and other internet artifacts even if the user tries to delete their history. Additionally, metadata stored in the cache provides timestamps, helping to establish a timeline of online activities.
-----------------------------------------------------------------------------------------------------------
Cache Storage and Size Variations
Firefox cache sizes vary depending on the browser version. Earlier versions (pre-4.0) had a fixed cache size of 50MB, while modern versions size the cache dynamically based on available system resources, sometimes reaching up to 1GB. Investigators can check the cache size configuration in the prefs.js file by looking for the browser.cache.disk.capacity value. However, this setting only appears if the user has manually modified the default value. Example profile folder:
C:\Users\Akash's\AppData\Roaming\Mozilla\Firefox\Profiles\8teby4gw.default-release
To manually inspect cache settings, type about:config in the Firefox address bar.
-----------------------------------------------------------------------------------------------------------
Cache Storage Locations
The cache storage structure has changed significantly over time. Understanding these changes is crucial for forensic investigations.
Older systems (Windows XP)
For older systems like Windows XP, the location was:
%UserProfile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\.default\Cache
The cache structure in these versions was complex, requiring specialized tools to parse. The cache files were divided into different components:
- Cache Map: the index file that tracks stored cache entries.
- Cache Block Files (CACHE_001, CACHE_002, etc.): containers storing multiple cached files and their metadata.
- Cache Data Files: randomly named files created when content was too large for the Cache Block files.
Firefox versions before 32
Before Firefox 32, the cache was stored in:
%UserProfile%\AppData\Local\Mozilla\Firefox\Profiles\.default\Cache
Firefox 32 and later
Mozilla introduced a new, simplified cache structure in Firefox 32 for improved speed and flexibility. The cache is now stored in:
%UserProfile%\AppData\Local\Mozilla\Firefox\Profiles\.default\cache2\entries
Each cached file is stored individually, making forensic analysis easier. Unlike older versions, no additional database is needed to map cache entries: the metadata is appended directly to each cached file.
Key Metadata in Firefox Cache
Forensic investigators can extract the following details from the Firefox cache:
- URL: identifies the website the cached content originates from.
- Fetch Count: indicates how often a cached file has been accessed.
- Missing Status: shows whether the cached file still exists or has been purged due to cache control settings.
- Filename: the original name of the downloaded content.
- Content Type: the type of file stored (HTML, JavaScript, images, etc.).
- File Size: the size of the cached content.
- Last Modified Time: when the file was last updated in the cache.
- Last Fetched Time: the last time the cached content was accessed, indicating recent visits.
- Response Header: the full HTTP response header, which includes encoding details, cache control settings, server information, and timestamps.
Analyzing Firefox Cache Files
Investigators can manually examine the Firefox cache by navigating to the cache directory and reviewing the stored files. Since metadata is appended to each cached file in modern versions, tools like strings or a hex editor can extract useful details. Automated tools like MozillaCacheView and FTK Imager streamline the process by presenting a structured view of cache entries.
-----------------------------------------------------------------------------------------------------------
Tools for Parsing and Analyzing the Cache
MZCacheView: A User-Friendly Solution for Cache Analysis
One of the most effective tools for parsing Firefox cache files is MZCacheView, previously known as MozillaCacheView. This lightweight utility from NirSoft extracts and presents cache data in an easy-to-read format.
Columns important to analysis in MZCacheView:
- File name: the name of the downloaded file.
- Content type: the file format (e.g., HTML, PNG, JSON).
- URL: the specific web address the file originated from.
- File size: the size of the stored file.
- Fetch count: the number of times the file has been retrieved from the cache.
- Last modified: the timestamp indicating when the file was cached.
- Last fetched: the most recent time the file was accessed.
- Expiration time: the server-defined expiry date for the cached file.
- Encoding type: whether the content was compressed (e.g., gzip).
- Server details: metadata from the HTTP response, including server name, last modified date, ETag, and response code.
Key Features of MZCacheView:
✔ Displays all cached files with metadata.
✔ Provides filtering options for targeted analysis.
✔ Exports selected files for further investigation.
✔ Helps reconstruct browsing activity.
Using MZCacheView for Forensics:
1. Close Firefox: cache files are locked while Firefox is running, so make sure the browser is closed before analysis.
2. Launch MZCacheView: open the tool and let it automatically detect and list the cache entries.
3. Filter and analyze: sort results by file type, URL, or modification time.
4. Export relevant files: extract the cache entries needed for further review.
By using this tool, analysts can piece together a user's web activity, including visited sites, downloaded files, and accessed resources.
-----------------------------------------------------------------------------------------------------------
Rebuilding Webpages from Cache: A Hidden Goldmine
Beyond just extracting cached files, some forensic tools can reconstruct entire webpages from the stored data. This capability allows investigators to see exactly what a user saw at a given time, even if the original webpage has since changed or been deleted.
Popular Tools for Webpage Reconstruction:
✔ Foxton Browser History Examiner: offers in-depth cache analysis and webpage rebuilding.
✔ AXIOM: a commercial tool used for advanced browser forensics.
✔ NetAnalysis: specializes in browser history and cache reconstruction.
By isolating cached elements like HTML, CSS, and JavaScript, these tools recreate snapshots of previously visited sites. This is especially useful in cases where a suspect accessed a webpage that no longer exists.
-----------------------------------------------------------------------------------------------------------
Final Thoughts
Whether using MZCacheView for a user-friendly approach or other tools for automation, these tools help forensic analysts piece together digital trails effectively. With proper techniques and best practices, investigators can turn browser cache data into compelling evidence in digital investigations.
---------------------------------------------Dean------------------------------------------------------
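The article above notes that a modern cache2 entry carries its own metadata (URL, fetch count, timestamps, response headers) appended to the cached body. The script below is an added example, not code from the article or from NirSoft; it parses one entry file from cache2/entries using the layout of Firefox's CacheFileMetadata (body, then metadata, then a trailing 4-byte big-endian offset to the metadata). The sample entry is constructed in the script itself with the data hashes zeroed, which the parser does not verify.

```python
"""Parse a Firefox cache2 entry file (cache2/entries/<hash>).

Entry layout (Firefox's CacheFileMetadata):
  [cached data][metadata][4-byte big-endian offset of the metadata]
Metadata: a 4-byte hash of the data, one 2-byte hash per 256 KiB data
chunk, then a header of big-endian uint32 fields (version, fetchCount,
lastFetched, lastModified, frecency, expirationTime, keySize, flags; the
flags field only exists from version 2 on), the NUL-terminated key
("tags,:URL"), and NUL-terminated key/value element pairs such as
"response-head".
"""
import struct
from datetime import datetime, timezone

CHUNK_SIZE = 256 * 1024  # cache2 hashes the body in 256 KiB chunks


def unix_to_iso(seconds: int) -> str:
    """Header timestamps are whole seconds since the Unix epoch."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def parse_response_head(head: str):
    """Split the stored 'response-head' element into status line and headers."""
    lines = [ln for ln in head.split("\r\n") if ln]
    status = lines[0] if lines else ""
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_cache2_entry(blob: bytes) -> dict:
    """Return the cached body plus the metadata an examiner cares about."""
    if len(blob) < 8:
        raise ValueError("too short to be a cache2 entry")
    meta_off = struct.unpack(">I", blob[-4:])[0]
    if meta_off > len(blob) - 4:
        raise ValueError("metadata offset points past end of file")
    data = blob[:meta_off]
    n_chunks = (meta_off + CHUNK_SIZE - 1) // CHUNK_SIZE
    pos = meta_off + 4 + 2 * n_chunks          # skip data hash + chunk hashes
    version = struct.unpack(">I", blob[pos:pos + 4])[0]
    n_fields = 8 if version >= 2 else 7
    fields = struct.unpack(">%dI" % n_fields, blob[pos:pos + 4 * n_fields])
    pos += 4 * n_fields
    key_size = fields[6]
    key = blob[pos:pos + key_size].decode("utf-8", "replace")
    pos += key_size + 1                          # NUL after the key
    parts = blob[pos:len(blob) - 4].split(b"\x00")
    elements = {k.decode("utf-8", "replace"): v.decode("utf-8", "replace")
                for k, v in zip(parts[0::2], parts[1::2]) if k}
    status, headers = parse_response_head(elements.get("response-head", ""))
    return {
        "url": key.split(":", 1)[1] if ":" in key else key,  # URL follows the tag list
        "key": key,
        "version": version,
        "fetch_count": fields[1],
        "last_fetched": unix_to_iso(fields[2]),
        "last_modified": unix_to_iso(fields[3]),
        "expiration": unix_to_iso(fields[5]),
        "size": len(data),
        "status": status,
        "headers": headers,
        "data": data,
    }


def build_cache2_entry(url, data, response_head, fetch_count,
                       last_fetched, last_modified, expiration) -> bytes:
    """Construct a version-3 entry in the layout above (hashes zeroed).
    Used here only to produce a sample file for the parser."""
    key = (":" + url).encode()
    n_chunks = (len(data) + CHUNK_SIZE - 1) // CHUNK_SIZE
    meta = b"\x00" * 4 + b"\x00\x00" * n_chunks
    meta += struct.pack(">8I", 3, fetch_count, last_fetched, last_modified,
                        0, expiration, len(key), 0)
    meta += key + b"\x00"
    meta += b"response-head\x00" + response_head.encode() + b"\x00"
    meta += b"request-method\x00GET\x00"
    return data + meta + struct.pack(">I", len(data))


# Constructed sample: a small HTML page fetched three times.
SAMPLE_ENTRY = build_cache2_entry(
    "https://example.com/index.html", b"<html>hello</html>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n",
    fetch_count=3, last_fetched=1736802810, last_modified=1736800000,
    expiration=1736889210)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENTRY
    entry = parse_cache2_entry(blob)
    for name, value in entry.items():
        if name != "data":
            print(f"{name:13} {value}")
```

Run it against a copied entry file (the cache is locked while Firefox runs) to get the same fields MZCacheView shows; the response-head element is where content type, encoding and server headers come from.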
- Firefox Browser History for Forensic Investigations
When investigating digital evidence, a browser’s history can be a goldmine of information. Firefox, like other modern browsers, maintains extensive records of user activity, storing this data in the places.sqlite database. This database can provide critical insights into a user’s online behavior, revealing visited websites, timestamps, and other relevant metadata.
-----------------------------------------------------------------------------------------------------------
Understanding Firefox History Storage
Firefox originally stored browsing history for a fixed 90-day period, but since version 4 the retention period is determined dynamically based on system resources. This means history data can span months or even years, sometimes reaching hundreds of thousands of entries.
Key Tables in places.sqlite
To extract meaningful information, investigators must focus on two primary tables:
- moz_places: contains URLs, visit counts, titles, and metadata related to web visits.
- moz_historyvisits: stores detailed records of each visit, including timestamps, referrers, and visit types.
-----------------------------------------------------------------------------------------------------------
Extracting Useful Information
Identifying Frequently Visited Sites
The visit_count column in moz_places helps determine which sites a user visited most frequently. Pages with a visit count greater than one suggest intentional and repeated access.
Creating a Timeline of Activity
Each visit to a webpage is recorded in moz_historyvisits, and the visit_date field provides the timestamp. By sorting entries by date, analysts can track user activity over specific time frames.
Determining User Intent
- The typed field in moz_places indicates whether the URL was manually entered.
- The from_visit attribute reveals the previous page that led to the current visit.
- The visit_type field categorizes how a page was accessed.
-----------------------------------------------------------------------------------------------------------
Correlating data from moz_places with moz_historyvisits to obtain a timestamp
-----------------------------------------------------------------------------------------------------------
Decoding the visit_type Field
The visit_type field in moz_historyvisits provides insight into why a URL was recorded:
- 1: User followed a link, and the page was loaded
- 2: User typed the URL to get to the page (with or without auto-complete)
- 3: User followed a bookmark to get to the page
- 4: Some inner content was loaded, such as images and iframes
- 5: Page accessed due to a permanent redirect (HTTP 301 status code)
- 6: Page accessed due to a temporary redirect (HTTP 302 status code)
- 7: File indicated by history was downloaded (non-HTML content)
- 8: User followed a link that loaded a page in a frame
- 9: Page was refreshed/reloaded
-----------------------------------------------------------------------------------------------------------
Handling PRTime Timestamps
Firefox stores timestamps in PRTime format (microseconds since January 1, 1970). To convert a value like 1736802810848000 to a readable format, analysts can use SQLite queries, Python scripts, or online converters.
Using NirSoft BrowsingHistoryView for Analysis
While manually parsing the places.sqlite database provides deep insights, tools like NirSoft’s BrowsingHistoryView streamline the process:
- Mount Evidence: point the tool to the browser profile stored in a forensic image or on a live system.
- Review Data: filter and analyze history entries from multiple browsers in one interface.
- Export Findings: save reports in text or HTML format for documentation.
-----------------------------------------------------------------------------------------------------------
Final Thoughts
Firefox’s history database is an invaluable asset for digital investigations. By leveraging both manual database queries and forensic tools, analysts can reconstruct online activity with precision. Understanding how this data is structured and retrieved allows for effective forensic analysis, ultimately helping to establish patterns, verify timelines, and uncover digital evidence.
--------------------------------------------Dean-----------------------------------------------
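As an added example (not from the article above), the script below carries out the three steps the article describes against a places.sqlite: list repeatedly visited pages from visit_count, build a visit timeline by joining moz_historyvisits to moz_places (following from_visit to the referring page), and decode visit_type while converting PRTime values such as 1736802810848000. The in-memory database is constructed here with only the columns used; a real places.sqlite has the same table and column names plus many more columns.

```python
"""Query a Firefox places.sqlite: join moz_historyvisits to moz_places,
resolve from_visit to the referring page, decode visit_type and convert
PRTime (microseconds since 1970-01-01 UTC) to a readable timestamp."""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# visit_type codes as listed in the article
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary",
               7: "download", 8: "framed_link", 9: "reload"}


def prtime_to_iso(prtime: int) -> str:
    """Integer arithmetic, so the microseconds survive unchanged."""
    return (UNIX_EPOCH + timedelta(microseconds=prtime)).strftime(
        "%Y-%m-%d %H:%M:%S.%f UTC")


def frequently_visited(con, min_visits=2):
    """Pages with a visit_count above one suggest intentional, repeated access."""
    return con.execute(
        "SELECT url, visit_count FROM moz_places WHERE visit_count >= ? "
        "ORDER BY visit_count DESC, url", (min_visits,)).fetchall()


def visit_timeline(con):
    """One row per visit in time order. from_visit holds a visit id, not a
    place id, so the referrer needs a second join through moz_historyvisits."""
    sql = """
        SELECT v.id, p.url, p.title, p.typed, v.visit_date, v.visit_type, rp.url
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits AS rv ON rv.id = v.from_visit
        LEFT JOIN moz_places AS rp ON rp.id = rv.place_id
        ORDER BY v.visit_date"""
    rows = []
    for vid, url, title, typed, vdate, vtype, ref in con.execute(sql):
        rows.append({"visit_id": vid, "url": url, "title": title,
                     "typed": bool(typed), "when": prtime_to_iso(vdate),
                     "visit_type": VISIT_TYPES.get(vtype, f"unknown({vtype})"),
                     "referrer": ref})
    return rows


def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory places.sqlite: a typed search, a clicked
    result that 301-redirects to an article, and a reload the next day."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, typed INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);""")
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://www.google.com/search?q=firefox+forensics",
         "firefox forensics - Google Search", 1, 1),
        (2, "https://example.org/old-link", "Old link", 1, 0),
        (3, "https://example.org/article", "Firefox Forensics", 2, 0)])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (10, 0, 1, 1736802810848000, 2),   # typed the search URL
        (11, 10, 2, 1736802850000000, 1),  # clicked a result
        (12, 11, 3, 1736802850500000, 5),  # 301 redirect to the article
        (13, 0, 3, 1736889210000000, 9)])  # reloaded it the next day
    con.commit()
    return con


if __name__ == "__main__":
    import sys
    # Work on a copy of places.sqlite; the live file is locked by Firefox.
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_places()
    for row in visit_timeline(con):
        print(row["when"], row["visit_type"], row["url"], "<-", row["referrer"])
    print("repeat visits:", frequently_visited(con))
```

The redirect hop (visit_type 5) keeps its from_visit pointer to the clicked link, so the timeline shows the full chain from the typed search to the final article rather than three unrelated visits.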
- Firefox Browser Forensics Series: Let's Start
I personally use Mozilla Firefox with increased security. Mozilla Firefox is a widely used open-source browser backed by the Mozilla Foundation, known for its strong emphasis on privacy and customizability. Unlike other browsers, Firefox is designed with transparency in mind, making it a favorite among security-conscious users and forensic analysts alike.
-----------------------------------------------------------------------------------------------------------
Understanding Firefox’s File Structure
Firefox organizes user data into a profile-based structure. Each user profile contains all the necessary browser artifacts, including history, cache, cookies, bookmarks, and more. On Windows systems, these profiles are stored in:
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\.default
%UserProfile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\.default\Cache
The <random text>.default folder is unique to each installation and user profile. If multiple profiles exist, investigators must check each profile folder separately.
Locating Key Artifacts
- places.sqlite: history, bookmarks, auto-complete, downloads
- formhistory.sqlite: auto-complete form data
- cookies.sqlite: cookies
- webappsstore.sqlite: web storage
- extensions.json: Firefox add-ons
-----------------------------------------------------------------------------------------------------------
Evolution of Firefox Data Storage
Over the years, Firefox has refined its data storage mechanisms. Earlier versions relied on the proprietary Mork format, which was difficult to parse. Since Firefox 3, Mozilla has transitioned to SQLite databases, significantly improving performance and forensic accessibility. Most crucial browser artifacts are now stored in either SQLite or JSON, making them easier to analyze using tools like SQLite Browser or forensic scripts.
-----------------------------------------------------------------------------------------------------------
Challenges in Firefox Forensics
- Frequent Updates: Firefox follows a rapid release cycle (a new version every 4-6 weeks), which can introduce format changes that break forensic tools.
- Multiple User Profiles: a single system can have multiple Firefox profiles, requiring investigators to check all profile directories.
- Data Encryption: some data, such as saved passwords (logins.json), is encrypted and requires the decryption key stored in key4.db.
Conclusion
If you are conducting a forensic investigation involving Firefox, be sure to check key databases like places.sqlite, cookies.sqlite, and formhistory.sqlite for valuable insights. 🚀
--------------------------------------------Dean----------------------------------------------------
- Investigating Chromium-Based Browsers: A Forensic Guide / Browser Analysis Book
In today's digital world, web browsers are a goldmine of information for forensic investigators. With many users relying on Chromium-based browsers like Google Chrome, Microsoft Edge, and Brave for daily activities, understanding how to analyze browser data is crucial.
-----------------------------------------------------------------------------------------------------------
Understanding Browser Profiles
One of the most important things to know when analyzing a Chromium-based browser is that it supports multiple user profiles. This feature allows users to keep their "work" and "personal" data separate. From a forensic perspective, however, it means there could be multiple sets of browser data that need to be examined.
-----------------------------------------------------------------------------------------------------------
Where to Find Profiles?
Location: %UserProfile%\AppData\Local\Google\Chrome\User Data\
- The Default folder contains the original Chrome profile.
- Additional profiles are stored in folders named "Profile 1", "Profile 2", etc.
- A Guest profile exists, which functions like Incognito mode and doesn't leave traces after the session ends.
- Microsoft Edge allows profiles without an associated email, but they are still tied to a Windows user account.
-----------------------------------------------------------------------------------------------------------
Key Artifacts in the Preferences File
Each profile has a Preferences file, a JSON-formatted file that records key information like:
- Associated email address (if provided)
- Profile name
- Installed extensions
- Homepage and pinned tabs
- Privacy and synchronization settings
-----------------------------------------------------------------------------------------------------------
Recovering Deleted Browser Data
When a user deletes a profile, its folder and associated databases are removed on the next reboot. However, forensic tools can often recover these files from unallocated disk space. So, even if a user tries to erase their browser history, traces may still be available for analysis.
-----------------------------------------------------------------------------------------------------------
Best Tools for Chromium-Based Browser Forensics
Forensic investigators have several powerful tools to extract and analyze browser artifacts. Here are some of the most effective ones:
1. Hindsight
Hindsight, created by Ryan Benson, is one of the best open-source tools for parsing Chromium browser data.
- Parses the SQLite databases used by Chrome
- Supports LevelDB to extract Web Storage and File System artifacts
- Analyzes cache files (Cache, Media Cache, GPUCache, etc.)
- Outputs data in Excel (XLSX) or SQLite format
- Supports plugins to analyze Google Analytics cookies, search history, and more
How to Use Hindsight?
Hindsight runs via the command line:
hindsight -i "C:\Users\Username\AppData\Local\Google\Chrome\User Data"
This command extracts data from all profiles in the User Data folder. You can also specify individual profile folders for a more focused analysis.
2. NirSoft ChromeHistoryView
NirSoft provides a lightweight, easy-to-use tool called ChromeHistoryView.
- Extracts browsing history from Chrome databases
- Displays a simple timeline of visited websites
- Works on newer browser versions faster than some other tools
While it doesn’t provide as much detail as Hindsight, it's a good backup tool for quick investigations.
-----------------------------------------------------------------------------------------------------------
Key Browser Artifacts to Investigate
Chromium-based browsers store vast amounts of user data. Here are some of the most valuable artifacts:
*********************************************************************************************************************
Browser Forensic Analysis Book
Chapter 1: Determining Sites Visited
Understanding a user's browsing activity begins with reviewing history data and associated artifacts.
Key Steps:
- Review History Data: extract visited URLs, timestamps, and search keywords.
- Review Transition Info: identify typed URLs versus redirected links.
- Document Top Sites: rank frequently visited websites for behavioral insights.
- Audit Preferences File: check for visited sites, auto-fill data, and sync settings.
- Parse Download History: identify downloaded files and potential malicious payloads.
- Audit Bookmarks: retrieve saved and backup bookmarks (JSON format).
- Look for Other Profiles: detect additional Chrome user profiles to expand the scope of analysis.
Relevant Files & Formats (artifact: file location, format):
- History Data: History, SQLite
- Bookmarks: Bookmarks and Bookmarks.bak, JSON
- Download History: History, SQLite
- Preferences: Preferences file, JSON
Chapter 2: Filling in Evidence Gaps
This phase focuses on less obvious browser artifacts that provide additional context.
Key Steps:
- Review Cache Domains: extract stored website assets and determine access patterns.
- Analyze Specific File Types: identify cached executables, images, and scripts.
- Review Cookie Domains: extract stored cookies and associated metadata.
- Search Session Recovery Files: recover open tabs and recent browser activity.
- Analyze Web Data & Shortcuts: identify autocomplete and stored form data.
- Audit Browser Extensions: extract extension metadata and potential malicious add-ons.
- Snapshots Folder: examine browser snapshots for evidence of activity.
Relevant Files & Formats (artifact: file location, format):
- Cache Data: Cache, N/A
- Cookies: Cookies / IndexedDB, SQLite / LevelDB
- Session Data: Session_ and Tabs_ files (timestamped), SNSS
- Web Data: Web Data and Network Action Predictor, SQLite
Chapter 3: Deep Dive Analysis
Advanced forensic techniques focus on deleted, volatile, and shadowed browser data.
Key Steps:
- Search Web Storage: analyze local storage data for application-based evidence.
- Review Sync Data Database: extract synchronized browsing data across multiple devices.
- Audit Chrome Jumplist Entries: recover recent browser session activities.
- Carve Deleted SQLite Entries: extract deleted history, cookies, and other records.
- Review Memory-Based Artifacts: identify browser-related artifacts in volatile memory.
- Focus on Incognito Artifacts: attempt to recover private browsing data.
- Targeted Analysis Using Volume Shadow Copies: extract historical data from system restore points.
Relevant Files & Formats (artifact: file location, format):
- Web Storage: Local Storage / IndexedDB, LevelDB
- Sync Data: Sync Data folder, LevelDB
- Deleted Data: recovered SQLite DBs, SQLite
- Jumplist Entries: JumpList file, N/A
Tools Recommended:
- Chrome Analysis Tools: Hindsight, Belkasoft Evidence Center
- SQLite Analysis: DB Browser for SQLite
- Memory Analysis: Volatility, Rekall
- Volume Shadow Copy Analysis: Shadow Explorer
Staying Ahead in Browser Forensics
Browser updates constantly change data storage methods, so forensic tools need to keep up. It's crucial to test tools regularly and manually verify important artifacts when needed. By understanding the storage structure, key artifacts, and best tools available, forensic analysts can effectively investigate browser activity and uncover critical evidence.
-------------------------------------------Dean-----------------------------------------
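Chapter 1 above asks for a review of history data, transition info (typed versus redirected) and top sites. The script below is an added example, not part of the guide or of Hindsight; it reads a Chromium History database's urls and visits tables, converts WebKit timestamps (microseconds since 1601-01-01 UTC, the format the sync article on this page also mentions) and decodes the visits.transition bit field using the core types and qualifier flags from Chromium's page_transition_types.h. The sample database is constructed in the script with only the columns used.

```python
"""Walk a Chromium History database: convert WebKit timestamps, decode the
visits.transition bit field (core type in the low byte, qualifier flags in
the high bits) and resolve each visit's referring visit."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition types and qualifiers from Chromium's page_transition_types.h
CORE_TRANSITIONS = {0: "link", 1: "typed", 2: "auto_bookmark",
                    3: "auto_subframe", 4: "manual_subframe", 5: "generated",
                    6: "auto_toplevel", 7: "form_submit", 8: "reload",
                    9: "keyword", 10: "keyword_generated"}
QUALIFIERS = {0x01000000: "forward_back", 0x02000000: "from_address_bar",
              0x04000000: "home_page", 0x08000000: "from_api",
              0x10000000: "chain_start", 0x20000000: "chain_end",
              0x40000000: "client_redirect", 0x80000000: "server_redirect"}


def webkit_to_iso(us: int) -> str:
    """WebKit time: microseconds since 1601-01-01 UTC."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()


def decode_transition(value: int):
    core = CORE_TRANSITIONS.get(value & 0xFF, f"unknown({value & 0xFF})")
    quals = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, quals


def visit_timeline(con):
    """Visits in time order with decoded transition and referring URL."""
    sql = """
        SELECT v.id, u.url, u.title, v.visit_time, v.transition, ru.url
        FROM visits AS v
        JOIN urls AS u ON u.id = v.url
        LEFT JOIN visits AS rv ON rv.id = v.from_visit
        LEFT JOIN urls AS ru ON ru.id = rv.url
        ORDER BY v.visit_time"""
    out = []
    for vid, url, title, t, trans, ref in con.execute(sql):
        core, quals = decode_transition(trans)
        out.append({"visit_id": vid, "url": url, "title": title,
                    "when": webkit_to_iso(t), "core": core,
                    "qualifiers": quals, "referrer": ref})
    return out


def typed_urls(con):
    """URLs the user typed: the intent signal behind 'Review Transition Info'."""
    return sorted({r["url"] for r in visit_timeline(con) if r["core"] == "typed"})


def top_sites(con, limit=3):
    return con.execute("SELECT url, visit_count FROM urls "
                       "ORDER BY visit_count DESC, url LIMIT ?", (limit,)).fetchall()


def build_sample_history() -> sqlite3.Connection:
    """Constructed History: a typed visit, a link click that is
    server-redirected, and a reload a minute later."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER,
                             transition INTEGER);""")
    base = 13381276410000000                # 2025-01-13T21:13:30Z in WebKit time
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 1, base + 60_000_000),
        (2, "http://example.com/old", "Old", 1, 0, base + 30_000_000),
        (3, "https://example.com/new", "New", 1, 0, base + 30_500_000)])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, base, 0, 0x30000001),               # typed, chain start+end
        (2, 2, base + 30_000_000, 1, 0x10000000),  # link click, chain start
        (3, 3, base + 30_500_000, 2, 0xA0000000),  # server redirect, chain end
        (4, 1, base + 60_000_000, 0, 0x30000008)]) # reload
    con.commit()
    return con


if __name__ == "__main__":
    import sys
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    for r in visit_timeline(con):
        print(r["when"], r["core"], r["qualifiers"], r["url"], "<-", r["referrer"])
    print("typed:", typed_urls(con), "top:", top_sites(con))
```

Redirect hops show up as their own visit rows carrying the server_redirect or client_redirect qualifier, which is how typed destinations are told apart from pages the user was merely bounced through.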
- Understanding Chrome Synchronization: A Digital Forensics Perspective
What is Chrome Synchronization?
Chrome synchronization is a feature that allows users to access their browsing data across multiple devices using their Google account. This includes bookmarks, history, passwords, and even open tabs. While this feature is highly convenient for users, it also creates a rich source of forensic artifacts that can be examined during investigations.
How Chrome Sync Works
When a user logs into Chrome with their Google account, synchronization is enabled by default unless they opt out during installation. This means that data from one device can be instantly available on another, even if Chrome is not actively running. To view the currently synchronized data on a running Chrome instance, users can visit chrome://sync-internals/ in their browser.
-----------------------------------------------------------------------------------------------------------
Where to Look for Sync Settings?
Chrome stores sync-related preferences in the JSON-based Preferences file. This file contains a "sync" section that details what is being synchronized and when it was last updated (stored in WebKit time format). However, many settings are only visible if they have been manually changed from the default.
-----------------------------------------------------------------------------------------------------------
What Data Does Chrome Sync?
Chrome syncs various types of user data, including:
- Browsing history (only URLs typed directly in the address bar)
- Bookmarks
- Preferences
- Extensions
- Passwords (Login Data)
- Auto-complete data (Web Data)
- Open tabs from other devices
Modern Chrome versions (post-2019) use a LevelDB database within the Chrome Sync Data folder to temporarily store data before syncing it to the cloud. However, this database is not meant to store large amounts of user data.
-----------------------------------------------------------------------------------------------------------
What Data Does Chrome NOT Sync?
Several important artifacts do not get synchronized across devices, including:
- Download history
- Cookies
- Keywords typed into search engines (keyword_search_terms)
- Omnibox suggestions (Shortcuts database)
- Prefetched data analytics (Network Action Predictor)
- Certain Chrome Preferences (e.g., media engagement, per-site zoom levels)
-----------------------------------------------------------------------------------------------------------
How to Identify Synced vs. Local Data
Forensic investigators can determine whether a browsing entry was created locally or synced from another device by examining the visit_source table in Chrome’s History database. This table contains:
- Source 0: visits synced from other Chrome devices
- Source 1: local visits (not typically recorded, for efficiency)
- Source 2: visits from Chrome extensions
- Source 3: data imported from Firefox
- Source 4: data imported from Internet Explorer
- Source 5: data imported from Safari
- Source 6: data imported from Chrome (used by Chromium Edge)
- Source 7: data imported from EdgeHTML
Entries that are created locally do not appear in this table, making it easy to distinguish synced data from locally generated browsing history.
-----------------------------------------------------------------------------------------------------------
Does Clearing Browsing Data Remove Synced Data?
If a user clears their browsing data on one device, it does not necessarily mean the data is removed everywhere. The outcome depends on Chrome’s version and the settings chosen by the user.
- On the local system, most data is deleted, but some settings in the Preferences file and bookmarks remain.
- On synced devices, nearly all synced data is removed except for non-synced artifacts like cached files, download history, and cookies.
Older Chrome versions were not as effective at clearing synced data, leaving residual information in databases like SyncData.sqlite3.
-----------------------------------------------------------------------------------------------------------
What Happens When a User Signs Out?
When a user signs out of their Google account, synchronization stops for that browser instance. However, data remains on the device unless explicitly cleared. Other synced devices retain the browsing history unless the user performs a Reset Sync from their Google Dashboard, a little-known option.
Key Takeaways
- Chrome sync is a powerful feature that allows users to access their data across multiple devices, but it also leaves behind valuable forensic artifacts.
- The visit_source table helps identify whether an entry was synced or locally created.
- Not all Chrome data is synced; download history, cookies, and search terms remain local.
- Clearing browsing data does not always erase all synchronized data across devices.
- Signing out of a Google account stops sync but does not delete previously synchronized data from other devices.
Conclusion
Understanding Chrome synchronization is essential for digital forensics. Whether investigating user behavior or tracking historical data, Chrome’s sync feature provides a valuable trail of artifacts. Investigators must be aware of what data is synced, where it is stored, and how it can be distinguished from locally generated data.
---------------------------------------------Dean---------------------------------------------------
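To make the "synced vs. local" rule above concrete, the script below (an added example, not from the article) left-joins visits against visit_source: a visit with no visit_source row was created locally, and any other row's source code is translated using the table the article gives. The History database is constructed in the script with only the columns needed.

```python
"""Classify visits in a Chromium History database as local, synced or
imported using the visit_source table. Locally browsed visits normally have
no visit_source row, so a LEFT JOIN with a NULL source means 'local'."""
import sqlite3

# visit_source.source codes as listed in the article
VISIT_SOURCES = {0: "synced", 1: "browsed", 2: "extension",
                 3: "imported_firefox", 4: "imported_ie",
                 5: "imported_safari", 6: "imported_chrome",
                 7: "imported_edgehtml"}


def classify_visits(con):
    sql = """
        SELECT v.id, u.url, vs.source
        FROM visits AS v
        JOIN urls AS u ON u.id = v.url
        LEFT JOIN visit_source AS vs ON vs.id = v.id
        ORDER BY v.id"""
    out = []
    for vid, url, source in con.execute(sql):
        if source is None:
            label = "local"
        else:
            label = VISIT_SOURCES.get(source, f"unknown({source})")
        out.append((vid, url, label))
    return out


def source_summary(con):
    """How many visits fall into each origin class."""
    counts = {}
    for _, _, label in classify_visits(con):
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_history() -> sqlite3.Connection:
    """Constructed History: two local visits, one synced from another
    device (source 0) and one imported from Firefox (source 3)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER);
        CREATE TABLE visit_source (id INTEGER PRIMARY KEY, source INTEGER);""")
    con.executemany("INSERT INTO urls VALUES (?,?)", [
        (1, "https://example.com/"), (2, "https://mail.example.com/"),
        (3, "https://docs.example.com/")])
    con.executemany("INSERT INTO visits VALUES (?,?,?)", [
        (1, 1, 13381276410000000), (2, 2, 13381276470000000),
        (3, 1, 13381276530000000), (4, 3, 13381276590000000)])
    # Only non-local visits get a visit_source row.
    con.executemany("INSERT INTO visit_source VALUES (?,?)", [(2, 0), (4, 3)])
    con.commit()
    return con


if __name__ == "__main__":
    import sys
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    for vid, url, label in classify_visits(con):
        print(vid, label, url)
    print(source_summary(con))
```

A synced visit proves the account saw that URL on some device, not that this machine did; keep the two classes apart when building a timeline for one host.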
- Understanding Chrome's Data Storage and Session Recovery : What Your Browser Remembers
Most browsers store some auto-complete data , but Chrome takes this to another level by recording a surprising amount of information. Whether it’s search terms, form data, or login credentials , Chrome’s databases capture nearly everything typed by the user. ----------------------------------------------------------------------------------------------------------- 1. Web Data Database: Storing Autofill Information This database keeps track of information typed into web forms. It includes details like: Email addresses Names Phone numbers Credit card details Login credentials The key table here is autofill , which saves data entered into forms. However, one critical thing to note is that it doesn’t link the data to specific websites. Instead, it connects to the form name , meaning it can be used across different sites with similar form structures. ----------------------------------------------------------------------------------------------------------- 2. Shortcuts Database: Recording Omnibox Activity The Omnibox (Chrome’s address bar) is more than just a search box; i t predicts what a user is looking for based on previous activity. This database records: What was typed in the Omnibox Suggestions given by Chrome Sites visited based on those suggestions Last accessed time and frequency of visits All this data is stored in the omni_box_shortcuts table, providing a history of how a user interacted with the Omnibox. ----------------------------------------------------------------------------------------------------------- 3. Network Action Predictor: Tracking Typed Characters When Chrome’s Prefetch feature is enabled (to speed up loading times), this database keeps a letter-by-letter record of: What was typed What sites Chrome preloaded in the background How often the browser correctly predicted user intent For example, if a user starts typing "cyber," Chrome may suggest relevant site s. If the user selects a suggestion, a hit count is stored . 
This feature provides insights into past browsing activity even if the user never actually visited a page. ----------------------------------------------------------------------------------------------------------- 4. Login Data Database: Storing User Credentials This database holds login-related data, including: Websites where a user has saved login credentials Dates when passwords were created and last used Even sites where users chose not to save their passwords! When a user clicks "Never save password" on a site, the database still records that decision . The blacklisted_by_user field is marked as "1" for these sites. Chrome encrypts saved passwords using Windows DPAPI , but live forensics tools like NirSoft ChromePass can retrieve them while the user is logged in. ----------------------------------------------------------------------------------------------------------- 5. How Prefetching Can Store Unvisited Pages If Prefetch is enabled, Chrome may download parts of web pages before a user visits them. While the History database does not record prefetched pages, cached files and cookies may still exist. Checking the number_of_hits and number_of_misses fields in the Network Action Predictor database can help determine if a page was auto-loaded or actually visited. ----------------------------------------------------------------------------------------------------------- Browser Session Recovery Modern web browsers are designed to be more reliable, especially with the rise of tabbed browsing. One key feature that improves reliability is session recovery . This feature ensures that even if your browser crashes, you can restore your open tabs and continue where you left off. But did you know that session recovery stores a lot of detailed information about your browsing habits? What Information Can Be Retrieved from Session Recovery? 
When forensic analysts examine session recovery data, they can uncover: A list of open tabs from the last session (and sometimes previous sessions too) A detailed history of websites visited in each tab The referring websites for each page visited Session start and end timestamps (varies by browser) HTML, JavaScript, and even form data entered by the user Additional details like browser window size, pinned tabs, and page transition types (e.g., navigating from search results vs. direct URL entry) Most browsers automatically enable session recovery by default , meaning they continuously save this data. Some users even expand the feature using options like "Continue where you left off." How Chrome Handles Session Recovery Data Chrome stores session recovery data in a structured format, evolving over time: Before Chrome version 86: Data was saved in four files: Current Session, Current Tabs, Last Session, and Last Tabs. From Chrome version 86 onward: These files were moved to a Sessions folder and renamed Session and Tabs, each with a timestamp attached to their filename. This data is stored in a special format called SNSS (Session Saver Format) . The purpose of these files is to help the browser recover in case of a crash, as well as enable features like "Reopen Closed Tab." What Can Be Found in Chrome’s Session Data? Since session data records browser activity, it contains valuable information such as: URLs visited Original URLs (in case of redirections) Referring pages Page titles Visit counts Form data entered Page transition types (e.g., typed URL vs. clicked link) Chrome periodically saves and updates this data , meaning the Current Session and Current Tabs files reflect the most recent activity . On the other hand, Last Session and Last Tabs are usually written when the browser is closed, though there are exceptions. Extracting and Analyzing Session Data for Investigation Forensic analysts can extract session recovery data to reconstruct browsing behavior. 
There are two main ways to do this:
- Using open-source tools: The Chromagnon project was one of the first open-source tools developed to parse Chrome's SNSS files. However, it hasn't been updated in years and lacks full support for timestamps and page titles. https://github.com/JRBANCEL/Chromagnon/tree/SNSS/chromagnon
- Using string extraction: A simpler way to analyze these files is to extract strings with a tool like Sysinternals' strings.exe. The downside is that this method does not preserve metadata or the relationships between tabs.
- Commercial tools: Magnet AXIOM and Belkasoft are the best tools for parsing session information.

Future of SNSS Parsing

Parsing SNSS files is still an underdeveloped area in Chrome forensics. While commercial tools exist, a more robust open-source solution is needed to improve accuracy and recover additional metadata.

Conclusion

Session recovery is an essential feature in modern browsers, but it also leaves behind a detailed digital footprint. Understanding how Chrome stores and manages session data allows forensic analysts to reconstruct user activity, making it a valuable resource in digital investigations. Whether using open-source tools like Chromagnon or manual string extraction, session data can provide deep insights into a user's browsing history and behavior.

------------------------------------------------------------------------------------------------------------
Stay with me; we will continue with Google forensics in the next article.
-----------------------------------------------------------------------------------------------------------
- Understanding Modern Browser Storage and Chrome's Preferences File for Forensic Investigations
Browsers have evolved beyond just displaying web pages; they now support complex web applications, cloud-based documents, and productivity tools. To make these features work smoothly, websites store increasing amounts of data directly on a user's device. This client-side storage has grown significantly, often surpassing the traditional browser cache. Despite its importance, forensic investigations have largely overlooked this area because analyzing browser storage can be challenging, and most forensic tools don't fully support it.

--------------------------------------------------------------------------------------------------------
1. Cookies: The Oldest Storage Method

Cookies have been around for decades and remain a critical component of the web. Since web pages don't have memory on their own, cookies help websites remember user activity, authentication details, and preferences. This is why you don't have to log in every time you visit a site.

Forensic Value of Cookies:
- They provide timestamps for when a user first and last visited a website.
- They store authentication tokens, session data, and user preferences.
- Even when browser history is deleted, cookies can still retain records of visited sites.
- Some sites use "third-party" cookies to track user activity across different websites.

Cookies in modern browsers like Chrome are stored in a single SQLite database named Cookies.

Chrome's Evolving Storage Locations

Chrome periodically updates how and where it stores data. For example:
- In version 33, Chrome began encrypting cookie values.
- In version 61, LocalStorage moved from SQLite to LevelDB.
- In version 96, the Cookies database was relocated to the Network folder.

----------------------------------------------------------------------------------------------------------
2. HTML5 Web Storage (LocalStorage & SessionStorage)

As web applications became more advanced, cookies were no longer enough.
The HTML5 Web Storage API introduced LocalStorage and SessionStorage, offering significantly more storage space (up to 10MB per website).

LocalStorage vs. SessionStorage:
- LocalStorage: data persists even after the browser is closed.
- SessionStorage: data is cleared once the browser session ends.

Forensic Value of Web Storage:
- Stores authentication tokens and user settings.
- Can retain session-related data like form inputs or shopping cart items.
- May contain geolocation details and user tracking information.

In Chrome, LocalStorage and SessionStorage data are saved in LevelDB databases, which can be found under:
%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Local Storage (and Session Storage)
Logs are stored in idb format.

----------------------------------------------------------------------------------------------------------
Local Storage vs IndexedDB – What's the Difference?

Initially, Local Storage was designed to improve upon cookies. It allowed websites to store more data locally, but it was still limited in structure. Then came IndexedDB, a much more advanced storage system that changed the game.
- Local Storage: A simple key-value store, mostly used for small data like user preferences or session states.
- IndexedDB: A full-fledged database that supports a wide variety of data types, including text, integers, and even binary files.

IndexedDB allows websites to store much larger amounts of data. For example, Chrome can allocate up to 60% of a user's disk space per domain! It also enables websites to function offline, making it a prime target for forensic analysis.

Where to Find IndexedDB Data in Chrome:
%UserProfile%\AppData\Local\Google\Chrome\User Data\\IndexedDB

IndexedDB doesn't maintain a single database. Instead, each website (or domain) gets its own LevelDB database. This makes forensic investigation complex.
----------------------------------------------------------------------------------------------------------
Why Is IndexedDB Hard to Analyze?

One major challenge with IndexedDB forensics is that no good free tools exist for easy analysis. Since every website has its own LevelDB database, you could be looking at thousands of small databases spread across gigabytes of data. Another complication is that websites can store binary blobs (files) inside IndexedDB, including images, documents, or even databases. Some of these files are compressed using the Snappy algorithm, making it harder to retrieve meaningful information without proper decompression.

----------------------------------------------------------------------------------------------------------
3. The "WebStorage" and "Storage Buckets" Mystery

Newer versions of Chrome have introduced a WebStorage folder, which contains additional IndexedDB and browser cache data. Experts believe this is tied to a feature called Storage Buckets, where sites can assign priorities to stored data and delete it selectively. This means forensic analysts now need to check yet another location when searching for persistent browser artifacts.

----------------------------------------------------------------------------------------------------------
4. Chrome's File System API – Another Hidden Storage Mechanism

In addition to Local Storage and IndexedDB, Chrome also implements the File System API, allowing sites to store larger files. This is particularly useful for:
- Cloud-based services like Google Docs (for offline access)
- File-sharing platforms like Mega.nz (for temporary storage)

Forensic analysis of the File System API starts with the Origins folder, which tracks which websites have stored files and where they are located. This structure means websites can store user files without them being easily detectable, making forensic recovery more challenging but also valuable for investigations.
----------------------------------------------------------------------------------------------------------
5. How to Analyze Browser Storage?

Since IndexedDB and LevelDB data are tricky to parse, investigators rely on a few specialized tools:
- Hindsight (by Ryan Benson): Parses Local Storage, Session Storage, and some LevelDB data. https://dfir.blog/hindsight/?ref=dfir.blog
- Leveldb-py (by Mark McKinnon): Provides a GUI viewer for LevelDB databases. https://github.com/markmckinnon/Leveldb-py
- Magnet AXIOM: A commercial forensic suite with limited LevelDB support.

----------------------------------------------------------------------------------------------------------
Chrome's Preferences File

Google Chrome stores a lot of user activity data, and one of the most valuable files for forensic analysis is the Preferences file. This file is continuously updated as the browser runs, capturing settings, behaviors, and interactions. It is stored in JSON format, making it easy to read with a proper JSON viewer.

Where to Find the Preferences File

The Chrome Preferences file is located in the user's profile directory:
- Windows: C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Preferences
- Mac: /Users//Library/Application Support/Google/Chrome/Default/Preferences
- Linux: ~/.config/google-chrome/Default/Preferences

Since it's a JSON file, tools like Notepad++ with the JSTool plugin can visualize the data in a tree format for easier analysis. Alternatively, you can use an online JSON viewer such as https://jsonformatter.org/json-viewer

-------------------------------------------------------------------------------------------------------------
Key Information Stored in the Preferences File

The Preferences file contains thousands of entries, some of which can reveal crucial forensic insights. Here are some of the most valuable data points:

1. Evidence of Deleted Data
- clear_data – Tracks whether a user has cleared browsing data.
Values:
- 0 = Last hour
- 1 = Last 24 hours
- 2 = Last 7 days
- 3 = Last 4 weeks
- 4 = All time
If this entry is missing, no data was cleared.

2. File Interaction
- savefile – The last location where a file was saved.
- selectfile – The last file opened from the browser.

3. Search and Prediction Data
- search_prefetch – Stores cached search queries to improve future predictions. These can persist even after clearing search history.
- zerosuggest – Tracks recent search terms across synced devices. This data is often encoded in Base64 and may include images.

4. Site-Specific Settings and Behavior
- content_settings – This massive section records sites visited, parameters saved for those sites, and special permissions granted.
- per_host_zoom_levels – Tracks sites where the user adjusted the zoom level. This data is not removed when clearing history.
- geolocation – Records which sites have permission to track the user's location.
- media_engagement – Captures interactions with audio and video content (e.g., how long a video played, whether the sound was muted).
- site_engagement – Measures user engagement with websites, including timestamps of the last meaningful interaction.
- sound – Lists websites the user has permanently muted.
- notifications – Stores data on websites that requested notification access, including whether the request was accepted or denied.
- media_stream_camera & media_stream_mic – Tracks websites granted access to the webcam and microphone.

5. Google Account and Sync Information
- account_info – Lists Google accounts signed into Chrome.
- signin – Stores authentication data related to the Google account in use.
- last_synced_time – Captures the last time data was synchronized to Google's cloud services.

-------------------------------------------------------------------------------------------------------------
Why This Data Matters in Forensics

Investigators can extract a timeline of user activity from the Preferences file, even if history has been deleted.
For example:
- The per_host_zoom_levels entry shows engagement with specific websites, which can indicate intent.
- clear_data reveals attempts to erase digital traces.
- search_prefetch and zerosuggest help reconstruct search behavior.

-------------------------------------------------------------------------------------------------------------
How to Read WebKit Timestamps

Many timestamps in the Preferences file are stored in WebKit format, which represents the number of seconds since January 1, 1601 (instead of 1970 like UNIX time). Converting these timestamps helps establish precise activity timelines.

-------------------------------------------------------------------------------------------------------------
Mapping Zoom Levels to Actual Zoom Percentage

A user adjusting zoom levels is a sign of engagement with a website. Here's how zoom levels translate:

zoom_level value -> zoom percentage
-1.57 -> 75%
0.52 -> 110%
1.22 -> 125%
2.22 -> 150%
3.06 -> 175%
3.80 -> 200%

If a user returns the zoom to 100%, the entry disappears from the Preferences file, which can be useful in investigations.

-------------------------------------------------------------------------------------------------------------
Conclusion

Browser storage has evolved beyond simple cookies into a complex web of databases, binary blobs, and hidden caches. Forensic analysis of modern web storage requires specialized tools and expertise, but it can uncover critical evidence in investigations. Whether it's IndexedDB, the File System API, or Storage Buckets, understanding where and how data is stored is key to unlocking valuable forensic insights. The Chrome Preferences file is a goldmine for forensic investigations. Even when users attempt to erase their tracks, remnants of their activity often remain. Understanding this file's structure can help forensic analysts uncover critical evidence, reconstruct timelines, and prove user intent.
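To tie the Preferences entries above together, here is an added example (not the article's or Chrome's own code) that pulls clear_data, savefile/selectfile, per_host_zoom_levels and the per-site permission and engagement timestamps out of a Preferences JSON. The sample JSON is constructed; the key nesting (browser.clear_data.time_period, partition.per_host_zoom_levels.<partition>.<host>, profile.content_settings.exceptions.<category>) and the setting codes 1/2/3 are assumptions, and the zoom conversion generalizes the table with Chrome's factor of 1.2 per level. The timestamp helper treats the stored values as microseconds since 1601-01-01 UTC, which is the resolution Chrome actually writes.

```python
"""Added example: forensic summary of a Chrome Preferences file.
Sample data is constructed; key nesting and setting codes are assumptions."""
import json
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# clear_data time_period values from the article.
CLEAR_DATA_PERIODS = {0: "last hour", 1: "last 24 hours", 2: "last 7 days",
                      3: "last 4 weeks", 4: "all time"}
# Per-site content setting codes (assumed): 1 = allow, 2 = block, 3 = ask.
DECISIONS = {1: "allowed", 2: "blocked", 3: "ask"}

# Constructed Preferences fragment with only the keys this script reads.
SAMPLE_PREFERENCES = json.dumps({
    "browser": {"clear_data": {"time_period": 2}},
    "savefile": {"default_directory": "C:\\Users\\user\\Downloads"},
    "selectfile": {"last_directory": "C:\\Users\\user\\Documents"},
    "partition": {"per_host_zoom_levels": {"x": {
        "docs.example.org": 2.22, "news.example.net": -1.57}}},
    "profile": {"content_settings": {"exceptions": {
        "geolocation": {"https://maps.example.com:443,*": {
            "last_modified": "13350000000000000", "setting": 1}},
        "notifications": {"https://news.example.net:443,*": {
            "last_modified": "13350000000000000", "setting": 2}},
        "site_engagement": {"https://docs.example.org:443,*": {
            "last_modified": "13350000000000000",
            "setting": {"lastEngagementTime": 13350000000000000.0}}},
    }}},
})


def from_webkit(value):
    """WebKit/Chrome time: microseconds since 1601-01-01 UTC (Chrome stores
    these as a string in content_settings and as a float in engagement)."""
    micros = int(value) if isinstance(value, str) else int(round(value))
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def zoom_percent(level):
    """Chrome's zoom factor is 1.2 ** zoom_level: -1.57 -> 75, 3.80 -> 200."""
    return round(100 * 1.2 ** level)


def clear_data_period(prefs):
    """Absent entry means no browsing data was cleared."""
    code = prefs.get("browser", {}).get("clear_data", {}).get("time_period")
    if code is None:
        return None
    return CLEAR_DATA_PERIODS.get(code, f"unknown ({code})")


def zoom_report(prefs):
    """Hosts where zoom was changed; an entry vanishes once reset to 100 %."""
    levels = prefs.get("partition", {}).get("per_host_zoom_levels", {})
    return {host: zoom_percent(level)
            for partition in levels.values()
            for host, level in partition.items()}


def _exceptions(prefs, category):
    return (prefs.get("profile", {}).get("content_settings", {})
            .get("exceptions", {}).get(category, {}))


def permission_report(prefs, category):
    """Per-site decisions (geolocation, notifications, ...) with the time the
    decision was recorded; the pattern 'https://host:443,*' is split on ','."""
    return [(pattern.split(",")[0],
             DECISIONS.get(entry.get("setting"), "unknown"),
             from_webkit(entry["last_modified"]).isoformat())
            for pattern, entry in _exceptions(prefs, category).items()]


def last_engagement(prefs):
    """site_engagement: time of the last meaningful interaction per site."""
    return {pattern.split(",")[0]:
            from_webkit(entry["setting"]["lastEngagementTime"]).isoformat()
            for pattern, entry in _exceptions(prefs, "site_engagement").items()}


def summarize(prefs_text):
    prefs = json.loads(prefs_text)
    return {
        "cleared": clear_data_period(prefs),
        "last_save_dir": prefs.get("savefile", {}).get("default_directory"),
        "last_open_dir": prefs.get("selectfile", {}).get("last_directory"),
        "zoom": zoom_report(prefs),
        "geolocation": permission_report(prefs, "geolocation"),
        "notifications": permission_report(prefs, "notifications"),
        "engagement": last_engagement(prefs),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_PREFERENCES), indent=2))
```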
If you're conducting an investigation, make sure to extract and analyze this file: it could hold the missing piece of the puzzle!

-------------------------------------------------------------------------------------------------------------
Stay with me; we will continue with Google forensics in the next article.
-----------------------------------------------Dean------------------------------------------------------
- Google Chrome Forensics: Analyzing History and cache
Introduction

Since its release in 2008, Google Chrome has become one of the most widely used web browsers, thanks to its user-friendly interface, seamless integration with Google services, and efficient web rendering capabilities. From a forensic standpoint, Chrome's artifacts are well-organized and primarily stored within the user's profile directory, making them a valuable resource for digital investigators.

-------------------------------------------------------------------------------------------------------------
Chrome User Data Storage Locations
- Windows XP: %UserProfile%\Local Settings\Application Data\Google\Chrome\User Data
- Windows 7 and later: %UserProfile%\AppData\Local\Google\Chrome\User Data

Most artifacts are stored in SQLite databases or JSON files. While these formats are widely documented, the stored data often requires additional processing for analysis. For example, timestamps and page transition data may not be human-readable at first glance.

-------------------------------------------------------------------------------------------------------------
Analyzing Chrome Browser History

Browser history is an essential artifact in forensic investigations, providing insight into a user's online activity. Chrome maintains an extensive history of visited websites, with a default retention period of up to 90 days. Key information extracted from browser history includes:
- URLs of visited websites
- Page titles and referring sites
- Frequency of visits
- Timestamps for each visit
- User profile associated with the visits

-------------------------------------------------------------------------------------------------------------
Chrome History Database

The History database, stored within User Data\, is the primary source for browsing activity. Chrome stores its history in SQLite format, and forensic analysts can extract valuable insights by querying specific tables.
Key SQLite Tables in the History Database:
- downloads, downloads_url_chains – Download history, including URLs and file names
- keyword_search_terms – Typed search queries (used for autocomplete)
- segments, segment_usage – Frequently visited sites (for the Most Visited page)
- visit_source – Source of URL information (local, synced, imported)
- urls, visits – Comprehensive browser history, including timestamps and referrer data

Additional History Artifacts
- Top Sites database: Stores thumbnails and metadata for frequently visited pages.
- Archived History: Previously stored older browsing history beyond 90 days (removed in Chrome v37).
- History Index YYYY-MM: Used to index page content for searches (removed in Chrome v30).

-------------------------------------------------------------------------------------------------------------
Key Tables in Chrome's History Database

The primary tables of interest are:
- urls – Stores the URL, page title, and the last visit time.
- visits – Keeps a detailed log of each visit to a website.

To get a complete picture of a user's browsing activity, you need to cross-reference both tables.

What Can We Learn from Chrome's History?
- Total Visits: Each time a site is visited, a new entry is made in the visits table.
- Last Visit Time: Stored in the urls table, showing the most recent visit.
- Visit Count: Tracks how often a particular site was visited.
- Typed URLs: URLs that were physically typed or pasted into the address bar get a special typed_count value, indicating intentional user activity.
- Visit Duration: Unlike most browsers, Chrome records how long a site was open in the visit_duration field. This data is stored in microseconds, and the tab doesn't even have to be in focus for the duration to increase.
- Hidden URLs: The hidden field in the urls table doesn't mean the visit was hidden from the user. Instead, it controls whether the URL appears in auto-complete suggestions (0 = visible, 1 = hidden).
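The cross-reference of urls and visits described here, as an added example that is not the article's code: it builds a constructed in-memory copy of the relevant History columns, joins the two tables to recover the referrer of each visit, converts visit_time from Chrome's WebKit epoch (microseconds since 1601-01-01 UTC) and visit_duration from microseconds, and decodes the transition field whose core values the next section lists (the low 8 bits; the qualifier flags in the high bits are taken from Chrome's PageTransition definitions and are not on the page).

```python
"""Added example: join Chrome History `urls`/`visits`, decode `transition`,
convert WebKit timestamps.  The schema is a constructed subset of the real
History database so the script runs offline on an in-memory SQLite DB."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition types (low 8 bits of `transition`).
CORE_TRANSITIONS = {
    0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
    4: "manual_subframe", 5: "generated", 6: "start_page", 7: "form_submit",
    8: "reload", 9: "keyword", 10: "keyword_generated",
}
# Qualifier flags in the high bits (Chrome ui::PageTransition values).
QUALIFIERS = {
    0x01000000: "forward_back", 0x02000000: "from_address_bar",
    0x04000000: "home_page", 0x08000000: "from_api",
    0x10000000: "chain_start", 0x20000000: "chain_end",
    0x40000000: "client_redirect", 0x80000000: "server_redirect",
}


def from_webkit(value):
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def decode_transition(value):
    core = CORE_TRANSITIONS.get(value & 0xFF, "unknown")
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, flags


def build_sample_history():
    """Constructed sample: two URLs and three visits, real column names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER,
            visit_duration INTEGER);
    """)
    t0 = to_webkit(datetime(2024, 3, 5, 10, 15, 30, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 1, t0 + 120_000_000, 0),
        (2, "https://example.com/login", "Login", 1, 0, t0 + 60_000_000, 1),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        # typed into the address bar; whole navigation chain in one visit
        (1, 1, t0, 0, 0x30000001, 45_000_000),
        # reached from visit 1 by submitting a form
        (2, 2, t0 + 60_000_000, 1, 0x30000007, 12_500_000),
        # page reload of the first URL
        (3, 1, t0 + 120_000_000, 0, 0x30000008, 3_000_000),
    ])
    return conn


def visit_timeline(conn):
    """One record per visit, ordered by time, with referrer resolved."""
    rows = conn.execute("""
        SELECT v.id, u.url, u.title, v.visit_time, v.visit_duration,
               v.transition, u.typed_count, u.hidden, r.url AS referrer
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits fv ON fv.id = v.from_visit
        LEFT JOIN urls r ON r.id = fv.url
        ORDER BY v.visit_time
    """).fetchall()
    timeline = []
    for vid, url, title, vt, dur, trans, typed, hidden, ref in rows:
        core, flags = decode_transition(trans)
        timeline.append({
            "visit_id": vid, "url": url, "title": title,
            "time_utc": from_webkit(vt).isoformat(),
            "duration_s": dur / 1_000_000,      # visit_duration is in microseconds
            "transition": core, "qualifiers": flags,
            "typed_count": typed, "hidden_from_omnibox": bool(hidden),
            "referrer": ref,
        })
    return timeline


if __name__ == "__main__":
    for record in visit_timeline(build_sample_history()):
        print(record)
```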
-------------------------------------------------------------------------------------------------------------
Understanding Page Transition Types

Every visit entry in Chrome has a transition field, which indicates how the user accessed a website. These values are stored as 32-bit numbers and can look cryptic without decoding. The core types include:
- 0 – Link click
- 1 – Typed URL
- 2 – Auto bookmark
- 3 – Auto subframe (embedded content)
- 4 – Manual subframe
- 5 – Omnibox suggestion
- 6 – Start page visit
- 7 – Form submission
- 8 – Page reload
- 9 – Keyword search
- 10 – Generated keyword search

These transition types help investigators determine how a website was accessed. For example, a typed transition (1) suggests direct user interaction, whereas a link transition (0) indicates the user clicked a hyperlink. See this article on transitions and qualifiers: https://kb.digital-detective.net/display/BF/Page+Transitions

-------------------------------------------------------------------------------------------------------------
What is an Internet Cache?

The internet cache is a feature designed to speed up web browsing. When you visit a website, your browser downloads and saves parts of the webpage (such as images, scripts, and HTML files) on your device. This way, if you revisit the same site, your browser can load the saved content instead of downloading it again, making things much faster. This is why the previous page loads instantly when you press the back button: it's coming from the cache.

Why is Cache Important in Forensics?

From a forensic standpoint, the cache is a goldmine of information about a user's online activity. It stores actual webpage content, meaning investigators can reconstruct what a user saw and interacted with on a website. While browsing history only logs visited URLs, the cache holds more valuable data like images, HTML files, and even downloaded attachments (e.g., in Outlook Web Access).

How is Chrome's Cache Structured?
Chrome stores cached files inside a user's profile directory. Before version 97, the cache files were stored in the Cache folder. From version 97 onwards, they were moved deeper into Cache\Cache_Data. The cache consists of at least five key files:
- Index file (index): Keeps track of cached entries.
- Data files (data_0 to data_3): Store the actual cached content and metadata.
- Block files: Organize cached data into fixed-size blocks for efficient storage.
- Separate files (f_xx format): Used for storing larger files (above 16 KB).

What Information Can Be Extracted from Chrome Cache?

Each cached item comes with metadata that gives useful insights, such as:
- Filename – The name of the file downloaded from the website.
- URL – The web address the cached file came from.
- Content Type – Type of file (e.g., HTML, JPG, JavaScript).
- File Size – Size of the cached file.
- Last Accessed Time – The last time the cached content was used.
- Server Time – The first time the cached content was saved.
- Response Header – Stores HTTP headers, which help Chrome retrieve cached data efficiently.

Timestamp Analysis in Chrome Cache

Chrome cache files contain four important timestamps stored in UTC:
- Last Accessed – The last time the user viewed the cached content.
- Server Time – When the content was first saved to disk.
- Server Last Modified – When the content was last updated on the website.
- Expire Time – When the cached content is expected to be removed (set by the website).

Additionally, large files stored separately (f_##### files) carry filesystem-specific timestamps, including Created, Modified, Accessed, and MFT Change times (on NTFS systems).

Tools for Analyzing Chrome Cache

Manually extracting cache data can be challenging since it's stored in a structured format. However, tools like NirSoft ChromeCacheView simplify the process by displaying cache details in an easy-to-read table.
Whitelist the tool in your antivirus first, because it will be quarantined every time you try to run it. With ChromeCacheView you can:
- View cached file metadata.
- Extract and save cached files for analysis.

Limitations of Cache Analysis
- The cache is dynamic: older files get removed as new ones are stored.
- Websites can prevent caching for security reasons (e.g., Gmail doesn't cache sensitive content).
- Cache files corrupt easily, causing loss of data.
- Chrome rebuilds the cache if essential files are missing.

Conclusion

Chrome is one of the most data-rich browsers for forensic investigations. Its history database, visit logs, and metadata provide a detailed timeline of a user's web activity, and Chrome's cache is another very valuable forensic artifact that helps investigators piece together a user's browsing activity. By analyzing cache contents and timestamps, forensic experts can understand what sites were visited, what files were downloaded, and even reconstruct webpages. However, cache data is volatile, so timely acquisition and analysis are crucial!

--------------------------------------------------------------------------------------------------------
Stay with me; we will continue with Google forensics in the next article.
------------------------------------------------Dean------------------------------------------------
- Browser Forensics: Uncovering Digital Clues
----------------------------------------------------------------------------------------------------------
In today's digital world, tools like Belkasoft and Magnet Axiom are like the superheroes of browser forensics. You snap a screenshot, run the tool, and boom, you have all the answers. It's almost like magic! ✨ But, let's be real, those tools aren't exactly cheap, and not everyone (especially freelancers or small businesses) can afford to shell out a small fortune for them. So, what do we do when the fancy tools are out of reach? Well, we roll up our sleeves and dive into the exciting world of manual browser forensics! Yes, it's more time-consuming, but trust me, it's worth it. Plus, the best part? You'll get to be the digital detective you've always wanted to be. 🕵️♂️ Don't worry if you feel overwhelmed by articles and technical jargon. Stick with me, and by the end of this series, you'll be a browser forensics pro, without the hefty price tag! Let's get started, and have some fun along the way! 😎

----------------------------------------------------------------------------------------------------------
Internet access is one of the most frequent user activities, making web browsers a key portal for online interactions. In cases like employee misuse, internet activity alone can serve as crucial evidence. In other investigations, while not the primary focus, browser data can provide valuable corroborating information. For instance, analyzing browsing history can reveal access to local files or network shares during an intrusion investigation. We are going to explore the dominant browsers on Windows: Google Chrome, Microsoft Edge, Internet Explorer, and Mozilla Firefox. If you haven't kept up with browser artifacts, you may be surprised at the vast amount of data stored by these applications.
----------------------------------------------------------------------------------------------------------
Understanding Browser Artifacts

We must determine what a piece of trace evidence represents and how it relates to key investigative questions. Internet browsers store a wealth of user data, commonly referred to as artifacts. While many types of browser artifacts exist, three fundamental categories form the foundation of most browser forensic investigations:
- History databases
- Browser cache
- Cookies

These artifacts help us build a profile of user activity: identifying visited websites, frequency of access, timestamps, and user interactions. While these primary sources are invaluable, other artifacts can further corroborate findings and provide additional context. These include:
- Bookmarks – Indicating user intent and areas of interest.
- Download history & default download folder – Revealing past file retrievals.
- Temporary directories – Storing forgotten downloads.
- Auto-complete data – Providing insight into form submissions, search queries, and usernames.

However, history and cache files are often the first to be deleted by users. In such cases, these ancillary artifacts may be the only available sources of evidence.

----------------------------------------------------------------------------------------------------------
The Evolution of Web Browsers

The battle for browser dominance continues as organizations compete for market share in an increasingly web-driven world. Google Chrome has held the lead for years, while Internet Explorer and Mozilla Firefox have seen a decline. Microsoft introduced multiple browsers, with the latest iteration of Edge gaining traction. Meanwhile, Apple's dominance in the mobile space has bolstered Safari's market share. The leading engines include:
- Blink (used by Chrome, Edge, Opera, and Brave) – A fork of the WebKit engine, dominating the market.
- Gecko (used by Mozilla Firefox) – The primary alternative to Blink.
- WebKit (used by Safari) – Initially developed by Apple.

Microsoft Edge previously used a proprietary engine (EdgeHTML), but later adopted Blink due to limited success.

----------------------------------------------------------------------------------------------------------
Investigating Browser Artifacts

The similarity among modern browsers simplifies forensic investigations. If you can analyze Chrome artifacts, you will find Opera and Brave to be nearly identical. This similarity, however, presents challenges when carving artifacts from unallocated disk space or memory, as determining the exact source browser can be difficult. A strong set of forensic tools and the ability to manually parse browser databases are essential skills for investigators.

----------------------------------------------------------------------------------------------------------
Next Step: Google Chrome Forensics

In the next few sections, we will dive into forensics for multiple browsers, exploring how to extract and analyze their artifacts effectively. First, we are going to start with Google Chrome.
--------------------------------------------Dean------------------------------------------------------
- Streamlining Cloud Log Analysis with Free Tools: Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite
When it comes to investigating cloud environments, having the right tools can save a lot of time and effort. Today, I'll introduce two free, powerful tools that are absolutely fantastic for log analysis within the Microsoft cloud ecosystem: Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite. These tools are easy to use, flexible, and can produce output in accessible formats like CSV and Excel, making them excellent resources for investigating business email compromises, cloud environment audits, and more.

About Microsoft-Extractor-Suite

The Microsoft-Extractor-Suite is an actively maintained PowerShell tool designed to streamline data collection from Microsoft environments, including Microsoft 365 and Azure. This toolkit provides a convenient way to gather logs and other key information for forensic analysis and cybersecurity investigations.

Supported Microsoft Data Sources

Microsoft-Extractor-Suite can pull data from numerous sources, including:
- Unified Audit Log
- Admin Audit Log
- Mailbox Audit Log
- Azure AD Sign-In Logs
- Azure Activity Logs
- Conditional Access Policies
- MFA Status for Users
- Registered OAuth Applications

This range allows investigators to get a comprehensive picture of what's happening across an organization's cloud resources.

----------------------------------------------------------------------------------------------------------
Installation and Setup

To get started, you'll need to install the tool and its dependencies.
Here's a step-by-step guide:
- Install Microsoft-Extractor-Suite: Install-Module -Name Microsoft-Extractor-Suite
- Install the PowerShell module Microsoft.Graph (for Graph API Beta functionality): Install-Module -Name Microsoft.Graph
- Install ExchangeOnlineManagement (for Microsoft 365 functionality): Install-Module -Name ExchangeOnlineManagement
- Install the Az module (for Azure Activity log functionality): Install-Module -Name Az
- Install the AzureADPreview module (for Azure Active Directory functionality): Install-Module -Name AzureADPreview

Once the modules are installed, you can import the suite using: Import-Module .\Microsoft-Extractor-Suite.psd1

----------------------------------------------------------------------------------------------------------
Note: You will need to sign in to Microsoft 365 or Azure with appropriate permissions (admin-level access, including a P1 or higher access level, or an E3/E5 license) before using Microsoft-Extractor-Suite functions.

----------------------------------------------------------------------------------------------------------
Getting Started

First, connect to your Microsoft 365 and Azure environments:
Connect-M365
Connect-Azure
Connect-AzureAZ

From here, you can specify start and end dates, user details, and other parameters to narrow down which logs to collect. The tool captures output in Excel format by default, stored in a designated output folder.

Link: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/

----------------------------------------------------------------------------------------------------------
Example log I collected:

One drawback to keep in mind is that logs are collected one by one: for example, first you collect the MFA logs, then you run another command to collect the Users log. Another thing to keep in mind is that if you do not provide an output path, the output is captured under the default folder where the script is present.
----------------------------------------------------------------------------------------------------------
You might ask why there are two different suites. The answer is that there is a second script collection named Microsoft-Analyzer-Suite, developed by evild3ad. This suite offers a collection of PowerShell scripts specifically designed for analyzing Microsoft 365 and Microsoft Entra ID data, which can be extracted using the Microsoft-Extractor-Suite. The analysis currently supported by Microsoft-Analyzer-Suite is listed at the link below.

Link: https://github.com/evild3ad/Microsoft-Analyzer-Suite

----------------------------------------------------------------------------------------------------------
Before I start, I will show you the folder structure of both tools: Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite-main.

The Analyzer Suite also lets you add specific IP addresses, ASNs, or applications to a whitelist by editing the whitelist folder in the Microsoft-Analyzer-Suite directory.

------------------------------------------------------------------------------------------------------------
Let's start. I will show two logs being captured and analyzed: the message trace log and the Unified Audit Log. Both are collected with the Microsoft-Extractor-Suite script, and then I will use Microsoft-Analyzer-Suite on them.

Collecting Logs with Microsoft-Extractor-Suite

Now, let's go over collecting logs. Here's an example command to retrieve the Unified Audit Log entries for the past 90 days for all users:
Get-UALAll

After running this, the tool will output data in Excel format to a default folder. However, you may need to combine the multiple Excel files into one .csv file, because the Analyzer Suite scripts only run on .csv input.

------------------------------------------------------------------------------------------------------------
Combining CSV Files into One Excel File

When working with large data sets, it's more efficient to combine multiple log files into a single file.
Here’s how to do this in Excel:
Place all relevant CSV files in a single folder.
Open a new Excel spreadsheet and navigate to Data > Get Data > From File > From Folder.
Select the folder containing your CSV files and click “Open”.
From the Combine drop-down, choose Combine & Transform Data. This option loads your files into the Power Query Editor, where you can manipulate and arrange the data.
In the Power Query Editor, click OK to load your combined data. Edit any column formats, apply filters, or sort the data as needed.
Once done, go to Home > Close & Load.
Once done, the output will look like below:
To ensure compatibility with Microsoft-Analyzer-Suite, save the file as a .csv.
Using Microsoft-Analyzer-Suite for Log Analysis
With your data collected and organized, it’s time to analyze it with Microsoft-Analyzer-Suite.
UAL-Analyzer.ps1
Before using the UAL-Analyzer.ps1 script, there are a few dependencies you have to make sure are installed for the script to run:
First, create an IPinfo account (it's free): https://ipinfo.io/signup?ref=cli
ImportExcel for Excel file handling (PowerShell module): Install-Module -Name ImportExcel
https://github.com/dfinke/ImportExcel
IPinfo CLI (standalone binary): https://github.com/ipinfo/cli
xsv (standalone binary): https://github.com/BurntSushi/xsv
To install xsv: as I had WSL, I used the command git clone https://github.com/BurntSushi/xsv.git. You can also download the folder, whichever you feel comfortable with.
Once dependencies are set up, configure your IPinfo token by pasting it into the UAL-Analyzer script. To locate this in the script: open UAL-Analyzer.ps1 with a text editor like Notepad++, search for the token variable, and paste your token there.
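As an added example (not code from Microsoft-Extractor-Suite, Microsoft-Analyzer-Suite, or the author), the same "many exports into one .csv" step can be scripted so it is repeatable and so a mismatched header is caught instead of silently mixing columns. The column names and rows below are constructed sample data, not real Unified Audit Log output, and the file names are assumptions.

```python
"""Combine several CSV exports into one CSV for an analyzer that expects a single file.

Added example: a scripted alternative to the Excel "Combine & Transform Data" steps.
Sample columns and rows are constructed and do not reflect the real UAL schema.
"""
import csv
import glob
import os
import tempfile
from typing import Iterable, List, Optional, Tuple


def combine_csv_files(paths: Iterable[str], out_path: str) -> int:
    """Append the rows of every input CSV to out_path, keeping a single header.

    All files must share the same header (same columns, same order); a file
    with a different header raises ValueError rather than corrupting the
    merged file. Returns the number of data rows written.
    """
    header: Optional[List[str]] = None
    written = 0
    with open(out_path, "w", newline="", encoding="utf-8") as out:
        writer = csv.writer(out)
        for path in sorted(paths):  # deterministic order across runs
            # utf-8-sig strips the BOM that Excel-produced CSVs often carry
            with open(path, newline="", encoding="utf-8-sig") as f:
                reader = csv.reader(f)
                try:
                    this_header = next(reader)
                except StopIteration:
                    continue  # empty file, nothing to merge
                if header is None:
                    header = this_header
                    writer.writerow(header)
                elif this_header != header:
                    raise ValueError(f"{path}: header {this_header} != {header}")
                for row in reader:
                    if not any(row):
                        continue  # skip blank lines
                    writer.writerow(row)
                    written += 1
    return written


def combine_folder(folder: str, out_path: str) -> int:
    """Merge every *.csv in folder (except out_path itself) into out_path."""
    paths = [p for p in glob.glob(os.path.join(folder, "*.csv"))
             if os.path.abspath(p) != os.path.abspath(out_path)]
    return combine_csv_files(paths, out_path)


# Constructed sample exports (hypothetical columns, not the real UAL schema).
SAMPLE_FILES = {
    "UAL-part1.csv": "CreationDate,UserId,Operation,ClientIP\n"
                     "2024-01-05T10:00:00Z,alice@example.com,UserLoggedIn,203.0.113.10\n"
                     "2024-01-05T10:05:00Z,alice@example.com,MailItemsAccessed,203.0.113.10\n",
    "UAL-part2.csv": "CreationDate,UserId,Operation,ClientIP\n"
                     "2024-01-06T08:00:00Z,bob@example.com,New-InboxRule,198.51.100.7\n"
                     "\n",
}


def demo() -> Tuple[int, List[str], List[List[str]]]:
    """Write the sample files to a temp folder, merge them, and return
    (row count, header, merged data rows) for inspection."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "w", newline="", encoding="utf-8") as f:
                f.write(body)
        out = os.path.join(d, "Combined-UAL.csv")
        n = combine_folder(d, out)
        with open(out, newline="", encoding="utf-8") as f:
            rows = list(csv.reader(f))
    return n, rows[0], rows[1:]


if __name__ == "__main__":
    count, header, rows = demo()
    print(f"{count} rows merged under header {header}")
```

Point it at the folder holding the exports (combine_folder) and hand the resulting single .csv to the analyzer; the header check is what protects you when one export was produced by a different command and has a different column set.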
-------------------------------------------------------------------------------------------------------------
As for the latest Microsoft Analyzer Suite, there is another script called config.ps1; add the token there. If you are using an older Analyzer Suite, then it is the same as described above, but if not, there are changes in the script.
-------------------------------------------------------------------------------------------------------------
Running the Analysis Script
For Unified Audit Logs, use the UAL-Analyzer script. For example:
.\UAL-Analyzer.ps1 "C:\Path\To\Your\CombinedUALLog.csv" -output "C:\Path\To\Output\"
Once the script has run successfully and the output has been collected, you will get a pop-up.
------------------------------------------------------------------------------------------------------------
Let's check the output:
As per the screenshot, you can see the output is provided in both CSV and XLSX formats. Now the question arises: why is the same output provided in two different formats? This is because the XLSX contains the output in coloured format: if something suspicious is found, it is highlighted automatically, whereas the CSV has no highlighting.
Example of xlsx:
Example of CSV:
Folder Suspicious Operation:
Kind note: the scripts are still being updated and modified; if you open GitHub you might find a newer version that works better. This is the output for me; it made things easy, and I hope it does for you as well.
------------------------------------------------------------------------------------------------------------
The second log we are going to talk about is the Message Trace log.
Command (this will collect all logs):
Get-MessageTraceLog
Screenshot of Output:
The next step is to combine all the Excel files into one (.csv format).
Once done, run the MTL-Analyzer script:
.\MTL-Analyzer.ps1 "C:\Path\To\Your\CombinedMTLLog.csv" -output "C:\Path\To\Output\"
(Make sure you add the token details inside the script before running it.)
Conclusion
By combining Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite, you can effectively streamline log collection and analysis across Microsoft 365 and Azure environments. While each suite has its own focus, together they provide an invaluable resource for incident response and cybersecurity.
Now that you have the steps, you can test and run the process on your own logs. I hope this guide makes things easier for you! See you, and take care!
Akash Patel
- Google Workspace Email Collection: Data Extraction, eDiscovery, and Audit Logging
Google Workspace is an integral part of many organizations, providing essential tools for communication and collaboration. However, when it comes to forensic investigations, compliance, and eDiscovery, knowing how to extract and analyze data from Google Workspace is crucial.
----------------------------------------------------------------------------------------------------------
Data Extraction in Google Workspace
There are three primary ways to extract data from Google Workspace:

Admin Console Data Export
Available in all paid Google Workspace tiers.
Exports data for all users or specific accounts.
Covers a wide range of data, including Gmail, Drive, Calendar, Contacts, Chat, Tasks, Voice data, and even Vault-retained items.
Data is first archived in cloud storage, from where it can be selectively downloaded.
Similar to Google Takeout but allows administrators to manage multiple user exports efficiently.

Google Vault (For eDiscovery and Compliance)
Included in Business and Enterprise editions or available as an add-on.
A powerful tool for data retention, searching, and exporting beyond standard exports.
The only method to access Gmail’s “Confidential Mode” messages.
Supports retention policies, litigation holds, and compliance-related data archiving.
Can search across Gmail, Drive, Shared Drives, Google Groups, Chat messages, Meet recordings, and Google Voice data.
Provides search and filtering based on keywords, dates, and user accounts.

Gmail API (For Custom Data Collection)
Allows programmatic access to Gmail data.
Used by third-party email collection tools or for building custom forensic scripts.
Grants access to Gmail History Records, which track message additions, deletions, and label changes.
Useful for tracking actions like message deletion, marking emails as spam, or email forwarding.
----------------------------------------------------------------------------------------------------------
Google Vault: A Deep Dive into eDiscovery
Google Vault is a must-use tool for organizations needing compliance and legal hold capabilities. It goes beyond basic exports, offering:
Advanced Search and Filtering: Using search operators similar to Gmail.
Comprehensive Export Options: Supports PST and MBOX formats, with additional metadata in XML and CSV formats.
Confidential Mode Access: Unlike the Gmail API, Vault retains the full content of confidential messages.
Draft Message Versioning: Every version of a draft is saved and available in Vault for 30 days, even if deleted by the user.
Retention and Hold Policies: Enforceable for different data types to ensure compliance with organizational policies.
Critical Pro-Tip: If a user account is deleted, all associated data is permanently removed from Vault. Instead, suspend user accounts to retain data while restricting access.
----------------------------------------------------------------------------------------------------------
Audit Logging and Investigations
One of the most powerful aspects of Google Workspace is its audit logs, which help track user activity and identify security incidents.
Google provides different types of logs, including:

Log Name                | Purpose                                                  | Data                                              | Retention
Admin Log               | Actions taken by Google Workspace administrators         | Account, event description, date, IP address      | 6 months
User Log                | All login activity, including webmail and admin console  | Account, log-in type, date, IP address            | 6 months
Email Log Search        | Search emails sent and received by the organization      | Email headers (no content searches)               | 30 days
OAuth Log               | Authorizations by email clients and mobile devices       | User, application name, scope, IP address, date   | 6 months
User Reports App Usage  | Consolidated view of user status and account activity    | Usage of Gmail, Drive, Storage, and External Apps | 6 months

Log Retention Periods: Most logs are retained for six months, except for Email Log Search, which is available for 30 days. Organizations using Google Workspace Enterprise can store logs indefinitely in Google BigQuery or export them to a SIEM for extended retention.
----------------------------------------------------------------------------------------------------------
Leveraging Open-Source Tools for Google Workspace Investigations
ALFA on GitHub: invictus-ir/ALFA
I will try to create an article on this tool in the coming future (stay tuned).
----------------------------------------------------------------------------------------------------------
Email Header and Metadata Investigations
Google Workspace allows email header searches for messages from the last 30 days. Investigators can extract metadata such as:
Sender & recipient email addresses.
Subject lines & timestamps.
Message ID and client IP address.
Mail delivery tracking (e.g., failures, spam filtering).
Matched Rules that flag emails for objectionable content, PII, or compliance violations.
Key Limitation: Email headers do not contain email message content (only metadata). For full content analysis, investigators must rely on Google Vault or exports.
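The header-only metadata listed above (sender, recipients, subject, timestamp, Message-ID, client IP) is exactly what an investigator pulls from a raw header block when a message is exported or forwarded for review. The following is an added example, not code from Google or from the author, showing that extraction with the Python standard library; the raw headers are a constructed sample, and the hostnames, addresses and IPs in it are documentation-range placeholders.

```python
"""Extract investigation metadata from a raw email header block (metadata only, no body).

Added example, not part of Google Workspace or any Google tool. The header block
below is constructed sample data using documentation hostnames and IP ranges.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
from typing import Dict, List, Optional

# Matches the literal IP a receiving MTA records in brackets, e.g. "[203.0.113.55]".
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg) -> List[str]:
    """Return Received headers in transit order, originating hop first.
    Each MTA prepends its own Received header, so the bottom-most header in
    the raw message is the one closest to the sending client."""
    return list(reversed(msg.get_all("Received", [])))


def parse_header_metadata(raw_headers: str) -> Dict[str, object]:
    """Parse a raw header block and return the fields an investigator wants.
    The body is never inspected, mirroring what Email Log Search exposes."""
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)

    client_ip: Optional[str] = None
    if hops:
        m = IPV4_IN_BRACKETS.search(hops[0])  # earliest hop = submitting client
        client_ip = m.group(1) if m else None

    sent_at: Optional[datetime] = None
    date_hdr = msg.get("Date")
    if date_hdr:
        try:
            sent_at = parsedate_to_datetime(date_hdr).astimezone(timezone.utc)
        except (TypeError, ValueError):
            sent_at = None  # malformed Date header: keep going, report None

    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(recipients)],
        "subject": msg.get("Subject"),
        "message_id": msg.get("Message-ID"),
        "sent_at_utc": sent_at.isoformat() if sent_at else None,
        "client_ip": client_ip,
        "hop_count": len(hops),
    }


# Constructed sample: two hops, folded Received headers, body deliberately omitted.
SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [192.0.2.25])
        by mail.example.com with ESMTPS id abc123
        for <victim@example.com>; Mon, 08 Jan 2024 09:15:02 -0800 (PST)
Received: from workstation.local (unknown [203.0.113.55])
        by mx.example.org with ESMTPSA id def456;
        Mon, 08 Jan 2024 09:14:58 -0800 (PST)
From: "Payroll Team" <payroll@example.org>
To: victim@example.com
Cc: finance@example.com
Subject: Quarterly report
Date: Mon, 08 Jan 2024 09:14:57 -0800
Message-ID: <20240108171457.1234@example.org>
Content-Type: text/plain; charset="utf-8"

(body omitted: header-only analysis)
"""

if __name__ == "__main__":
    for key, value in parse_header_metadata(SAMPLE_HEADERS).items():
        print(f"{key:12} {value}")
```

The timestamp is normalised to UTC so it lines up with audit-log entries, and the client IP is taken from the earliest Received hop rather than the first line, which is the common mistake when reading headers by eye.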
----------------------------------------------------------------------------------------------------------
Final Thoughts
Google Workspace provides robust tools for forensic investigations, data compliance, and eDiscovery. By leveraging Admin Console exports, Google Vault, Gmail API, and audit logs, organizations can effectively extract, search, and preserve critical data.
To ensure thorough investigations:
Use Google Vault for advanced eDiscovery.
Leverage audit logs for security analysis.
Export logs to BigQuery or a SIEM for extended analysis.
Suspend accounts instead of deleting them to retain forensic evidence.
Understanding these mechanisms ensures that organizations can respond effectively to incidents while maintaining compliance with legal and regulatory requirements.
--------------------------------------------Dean--------------------------------------
- Uncovering Deleted Items and File Existence in Digital Forensics.
When investigating digital forensics cases, confirming which files were deleted or previously existed is crucial. Whether tracking user activity or validating forensic evidence, understanding where and how to find artifacts plays a key role in uncovering the truth.
Many articles on my website discuss different deleted items and file existence artifacts. However, putting them all together in a structured way helps streamline forensic investigations. This article serves as a reference guide, consolidating various forensic artifacts that indicate deleted items and file existence, along with their advantages, disadvantages, and relevant analysis techniques.
----------------------------------------------------------------------------------------------------------
Thumbnail Cache (Thumbs.db / Thumbcache)
Artifact: Thumbs.db (Windows XP) and Thumbcache (Windows Vista and later)
Forensic Importance: Stores thumbnail previews of images and documents, even after deletion.
Article: Understanding and Managing Thumbnail Cache in Windows
Tools: thumbcache_viewer_64
----------------------------------------------------------------------------------------------------------
Recycle Bin
Forensic Importance: Stores deleted files before permanent removal.
Article: Windows Recycle Bin Forensics: Recovering Deleted Files
Analyzing Recycle Bin Metadata with RBCmd and $I_Parse
----------------------------------------------------------------------------------------------------------
User Typed Paths
Registry Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Forensic Importance: Tracks file paths typed in the Windows Explorer address bar.
Article: Windows Registry Artifacts: Insights into User Activity (Typed Path)
----------------------------------------------------------------------------------------------------------
Windows Search Database
Artifact: Windows.edb
Forensic Importance: Stores indexed metadata of files searched on the system.
Article: Unlocking Windows Search Indexing for Forensics: A Deep Dive
A Deep Dive into Windows Search Database Parsing (WinSearchDBAnalyzer / SQLite / SIDR)
----------------------------------------------------------------------------------------------------------
Search WordWheelQuery
Registry Hive: NTUSER.DAT
Registry Key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Forensic Importance: Stores user-searched keywords from the Start menu.
Analysis Tool: Registry Explorer
----------------------------------------------------------------------------------------------------------
Conclusion
Analyzing deleted files and file existence artifacts plays a vital role in forensic investigations. By leveraging Windows registry artifacts, cache files, and search history, investigators can reconstruct user activity, track deleted files, and build a strong case with digital evidence. A structured approach to investigating these artifacts ensures efficiency and thoroughness in forensic analysis.
-------------------------------------------------Dean------------------------------------------------------





