Browser Forensics Β· Web Activity Reconstruction

Windows Browser History Forensics: Chrome, Edge, Firefox

Reconstruct websites visited, searches performed, downloads received, forms filled, and cached content across Chrome, Edge, Firefox, and legacy Internet Explorer β€” including much of what users believe private-mode erases.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Browser forensics parses each browser’s per-profile SQLite and ESE databases. Chromium (Chrome, Edge, Brave, Opera) stores history in History, downloads in the same DB, cookies in Cookies, autofill in Web Data, and cached content in Cache/. Firefox stores history in places.sqlite, cache in cache2/. Legacy IE / Edge Legacy uses ESE (WebCacheV01.dat). Deleted rows are recoverable from SQLite WAL/journal files and unallocated database pages. DNS resolver cache and packaged app state add web activity that survives history clearing.

Where each browser stores what

BrowserPathKey files
Chrome%LOCALAPPDATA%\Google\Chrome\User Data\\History, Cookies, Login Data, Web Data, Bookmarks, Preferences, Sessions/*, Cache/
Edge (Chromium)%LOCALAPPDATA%\Microsoft\Edge\User Data\\Same schema as Chrome; adds Collections and Sync
Firefox%APPDATA%\Mozilla\Firefox\Profiles\.default-release\places.sqlite, cookies.sqlite, formhistory.sqlite, downloads.sqlite (older), cache2/
IE 10-11 / Edge Legacy%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.dat (ESE database)
Safari (Windows legacy)%APPDATA%\Apple Computer\Safari\History.plist, Downloads.plist

Chromium History schema in practice

The Chromium History SQLite database contains six essential tables:

  • urls β€” id, url, title, visit_count, typed_count, last_visit_time (WebKit epoch, microseconds since 1601-01-01 UTC).
  • visits β€” id, url, visit_time, from_visit (referrer chain), transition (typed, link, form-submit, reload, auto-bookmark, generated).
  • downloads / downloads_url_chains β€” target_path, referrer, tab_url, mime_type, received_bytes, danger_type, opened, hash, start_time, end_time.
  • keyword_search_terms β€” normalized search string for each search-engine URL visited.
  • segments / segment_usage β€” daily usage aggregation used by the “Most visited” tiles.

The transition field distinguishes user-typed URLs (1) from clicked links (0), form submissions (7), and background/reload navigations β€” critical when a defendant claims a URL was auto-loaded and not deliberately visited.

Recovering “deleted” browsing history

  • SQLite WAL and journal. When history is cleared, transactions may still live in History-wal / History-journal. We parse the WAL directly.
  • Unallocated SQLite pages. Deleted rows persist inside freelist pages until vacuum. Row carving recovers URLs, titles, and visit times.
  • Volume Shadow Copies. Prior versions of the History DB from previous restore points.
  • DNS resolver cache. ipconfig /displaydns or the DnsCache registry equivalent captures recently resolved hostnames independent of browser history.
  • Prefetch and Amcache. Show that the browser ran, when, and at what frequency β€” useful when the History DB itself has been deleted wholesale.
  • Enterprise sync / Google Takeout / Microsoft account activity. Cloud-side records recover history even after local wipe.

Incognito, InPrivate, and private-browsing residue

Private mode is not evidence-proof. Sites visited privately do not write to History, but multiple side channels routinely reveal them:

  • DNS cache and hosts resolution logs (Dnsapi ETW).
  • Pagefile and hibernation file β€” URL strings and titles remain in memory-swapped browser process pages.
  • Memory image β€” RAM capture reveals live tab titles, URLs, form data.
  • Video RAM / Thumbcache β€” Explorer thumbnails from downloads.
  • Router / firewall / DNS server logs when available.
  • SRUM (see Program Execution Forensics) records network bytes per app per hour, showing browser activity during “private” sessions.

Downloads and file provenance

Chromium’s downloads table records the referrer URL, the tab URL, the exact source URL, MIME type, danger classification, and end-state. NTFS records the download with a Zone Identifier alternate data stream (Zone.Identifier) whose ZoneId=3 flags Internet origin and includes the source URL and referrer. Combined, they conclusively establish where a file came from.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you recover cleared browser history?

Very often, yes. WAL fragments, unallocated SQLite pages, shadow copies, DNS cache, and cloud-sync accounts each recover different portions. It is rare that all channels are simultaneously clean.

Does incognito mode prevent forensic recovery?

It suppresses writes to the History database but does not defeat memory forensics, pagefile analysis, DNS cache, SRUM network attribution, or router-side logs.

How do you tell a typed URL from a redirect?

Chromium’s transition type on the visits row (bits including PAGE_TRANSITION_TYPED) and Firefox’s moz_historyvisits transition column identify user intent versus automatic navigation.

What about mobile Chrome sync into a Windows profile?

Sync writes remote-device visits into the local History as ordinary rows. We identify sync origin via the visits.originator_cache_guid (Chrome) or through the concurrent presence of Chrome Sync artifacts.

Ready to move on your windows browser history matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Chromium: History code documentation. source.chromium.org
  2. Mozilla: Places database schema. firefox-source-docs.mozilla.org
  3. Microsoft: Edge for enterprise. learn.microsoft.com

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#BrowserForensics #ChromeForensics #EdgeForensics #FirefoxForensics #WindowsForensics #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder