Recovering Deleted History


Last updated 1 year ago

Recovering Cleared Browser History From Cached Sessions

A good starting point for recovering what a user was doing before they cleared their Chrome browser history is the C:\Users\<name>\AppData\Local\Google\Chrome\User Data\Default\Sessions folder. The two file types to look at are named:

  • Session_<WebKit/Chrome timestamp>

  • Tabs_<WebKit/Chrome timestamp>

The Session file stores the session's navigation state (windows, tabs and the navigation entries of each tab) and the Tabs file stores which tabs were open. The number in each filename is a WebKit/Chrome timestamp: microseconds since 1601-01-01 UTC. Divide it by 1,000,000 and subtract 11644473600 to get a Unix epoch time. In certain situations, when a user CLEARS their Chrome history, what they were browsing can persist within these files.

There are three cases that could have occurred, and we will go through each of them:

  • A user cleared their history and has not used Chrome since

  • A user cleared their history and opened ONE new session since

  • A user cleared their history and opened several new sessions since

Scenario 1: User cleared their history and did not use Chrome since

When a user clears their Chrome history (whether "All time" or just the last hour) and has not opened Chrome since, everything they were looking at during that session is STILL STORED inside the session files. This is great news, because the session file is dated with the exact WebKit/Chrome timestamp in its filename. Why is this the case? I don't work for Google so I have nfi.

In this instance the files I'm looking at were named:

  • Session_13311227045752079

  • Tabs_13311227047407569

Does the raw file look like a flipping mess? Yes, I know, but it's actually well structured, and I'll show you what it looks like in a timeline output. This is a full timeline of what our strange sysadmin was looking at:
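As an added example (this is not the author's tooling or Chrome's own code), here is a Python script that converts the filename timestamps above to UTC, counts how many sessions are in the folder (one Session file is scenario 1; more than one means scenario 2 or 3), and walks the SNSS command stream of a Session file to list each tab's navigation entries, which is what a timeline like the one described above is built from. The SNSS header, the 3-byte command framing and the layout of the UpdateTabNavigation payload follow Chromium's session code as I know it; fields after the title are ignored, and the sample Session bytes are constructed here to mirror the page's example, not taken from a real capture.

```python
"""
Triage Chrome's Sessions folder and pull a navigation timeline out of a
Session_<timestamp> file.  Added example, not the page author's tooling.
Assumes the SNSS layout described in the comments (Chromium's
session_service_commands / serialized_navigation_entry); fields after
the title are left unparsed.
"""
import re
import struct
import sys
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SNSS_MAGIC = b"SNSS"
CMD_UPDATE_TAB_NAVIGATION = 6          # kCommandUpdateTabNavigation
FNAME_RE = re.compile(r"^(Session|Tabs)_(\d+)$")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def webkit_to_datetime(value: int) -> datetime:
    """WebKit/Chrome timestamps are microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def triage_sessions_dir(filenames):
    """Decode the timestamps in Session_/Tabs_ filenames.
    Returns (entries sorted by time, number of Session files).  More than one
    Session file means Chrome was reopened after the earlier session, i.e.
    scenario 2 or 3 on this page rather than scenario 1."""
    entries = []
    for name in filenames:
        m = FNAME_RE.match(name)
        if m:
            ts = webkit_to_datetime(int(m.group(2))).strftime("%Y-%m-%dT%H:%M:%SZ")
            entries.append((ts, m.group(1), name))
    entries.sort()
    return entries, sum(1 for e in entries if e[1] == "Session")


def _pickle_string(buf, off):
    """Chromium Pickle string: int32 byte length, bytes, padded to 4 bytes."""
    (n,) = struct.unpack_from("<i", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + ((n + 3) & ~3)


def _pickle_string16(buf, off):
    """Pickle string16: int32 length in UTF-16 code units, UTF-16LE bytes, padded."""
    (n,) = struct.unpack_from("<i", buf, off)
    raw = buf[off + 4:off + 4 + 2 * n]
    return raw.decode("utf-16-le", "replace"), off + 4 + ((2 * n + 3) & ~3)


def iter_snss_commands(data):
    """Yield (command_id, payload) from an SNSS file:
    b'SNSS' + int32 version, then repeated [uint16 size][uint8 id][size-1 bytes]."""
    if data[:4] != SNSS_MAGIC:
        raise ValueError("not an SNSS file")
    off = 8
    while off + 3 <= len(data):
        (size,) = struct.unpack_from("<H", data, off)
        yield data[off + 2], data[off + 3:off + 2 + size]
        off += 2 + size


def navigations_from_session(data):
    """Return [(tab_id, index, url, title)] from UpdateTabNavigation commands.
    Assumed payload: Pickle header (uint32 size), int32 tab_id, int32 index,
    string url, string16 title; further fields ignored."""
    navs = []
    for cmd_id, payload in iter_snss_commands(data):
        if cmd_id != CMD_UPDATE_TAB_NAVIGATION or len(payload) < 12:
            continue
        tab_id, index = struct.unpack_from("<ii", payload, 4)
        url, off = _pickle_string(payload, 12)
        title, _ = _pickle_string16(payload, off)
        navs.append((tab_id, index, url.decode("utf-8", "replace"), title))
    return navs


def carve_urls(data):
    """Format-agnostic fallback: carve http(s) URLs from raw bytes in first-seen
    order.  Usable on any Chrome file whose format you do not parse."""
    seen = []
    for m in URL_RE.finditer(data):
        url = m.group().decode("ascii")
        if url not in seen:
            seen.append(url)
    return seen


def build_sample_session():
    """Constructed two-navigation Session file mirroring the page's example;
    not a real capture."""
    def pstr(b):
        return struct.pack("<i", len(b)) + b + b"\x00" * (-len(b) % 4)

    def pstr16(s):
        b = s.encode("utf-16-le")
        return struct.pack("<i", len(s)) + b + b"\x00" * (-len(b) % 4)

    def nav(tab_id, index, url, title):
        body = struct.pack("<ii", tab_id, index) + pstr(url.encode()) + pstr16(title)
        pickle = struct.pack("<I", len(body)) + body
        return struct.pack("<HB", len(pickle) + 1, CMD_UPDATE_TAB_NAVIGATION) + pickle

    return (SNSS_MAGIC + struct.pack("<i", 3)
            + nav(1, 0, "https://www.google.com/search?q=naruto+feet+pics",
                  "naruto feet pics - Google Search")
            + nav(1, 1, "https://www.deviantart.com/tag/temaritoes",
                  "temaritoes on DeviantArt"))


if __name__ == "__main__":
    # Usage: python chrome_sessions.py [path\to\Session_<timestamp>]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_session()
    for tab_id, index, url, title in navigations_from_session(data):
        print(f"tab {tab_id} #{index}: {url}  [{title}]")
```

Point it at a Session_ file copied from the Sessions folder (or from a Volume Shadow Copy) to get the tab-by-tab list in the order the entries were written; run triage_sessions_dir() over the folder listing first so you know which scenario you are in. carve_urls() is a plain string carve for files whose layout you do not parse, so expect noise from it.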

Scenario 2: A user clears their history and re-opened ONE new session

First, how do you even know they did this? Let your girl help you out: in this case two Session files and two Tabs files will exist in the directory.

One of these sessions will correspond to the previously "cleared" session. This is sadge days T_T, because the actual content of the "cleared" session is gone; all that remains is evidence that the history was cleared. The only data you can go on is:

  • The date the history was cleared, taken from the WebKit/Chrome timestamp in the session file's name

You have other options, such as pulling older copies of the Sessions folder from Volume Shadow Copies or looking at Chrome crash dumps (if any), but the data in these files themselves appears to be nulled.

Scenario 3: A user clears their history and re-opened several sessions since

This is GG for us forensically. Previously, the Favicons database could reveal "cleared" websites a user had visited, but I found this to be very inconsistent and not in line with the results I got during my testing:

  • C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Favicons

The only location I found consistently referencing “deleted” search terms was inside this file:

  • C:\Users\<name>\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b0b608bd-983f-4cf9-aee4-99fc96c39371\global-entities_metadata

It appears that when you "search" certain terms, Chrome tries to optimise your searches and stores some of this data in here. Unfortunately, it also stores a lot of other nonsensical, uninteresting data, so I'm not sure this is a good forensic artefact.

Using this WebKit time converter (https://www.epochconverter.com/webkit), you can see that the time the user "exited" the session was 2022-10-26T03:04:05Z (the Session file's name, 13311227045752079, converts to that time). You can see a full timeline of what the user did by viewing the contents of the file. Please note that there are no corresponding "timestamps" captured within this file, unfortunately. This is what the file looks like:

In the case of this user, they were searching "Naruto Feet Pics" UwU, and this is what they were looking at. They opened a Google search for "Naruto feet pics", and this image is what they proceeded to "click". The image source is https://www.deviantart.com/tag/temaritoes.