Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ€” at no additional cost to you.

Chapter 18 โ€” Further Reading

Browser and internet forensics moves fast โ€” schemas, epochs, and encryption change with browser versions โ€” so anchor yourself in the primary format references first, then keep current with the tool authors and DFIR blogs who track each release.

Foundations (๐Ÿ”ฌ deeper / format-level)

  • The SQLite file format documentation (sqlite.org/fileformat2.html). The authoritative byte-level spec for the header, B-tree pages, the freelist, and the WAL. When you must explain why a deleted row survived in page slack โ€” or defend a recovery on the stand โ€” this is where the answer lives.
  • The Chromium source and Ryan Benson's "Hindsight" write-ups (obsidianforensics.com). The definitive treatment of Chromium history, the transition field and its qualifiers, the WebKit epoch, and the v10/v11 cookie/login encryption. Benson's posts are the reason most examiners understand "Chrome time" at all.
  • Mozilla's source documentation for the places and cookies schemas. The primary reference for moz_historyvisits.visit_type, PRTime, and the moz_cookies unit split (ยตs creation vs. seconds expiry) that trips up so many reports.

Approachable explanations (everyone)

  • 13cubed (Richard Davis), YouTube. Short, rigorous, free walk-throughs of Chromium history, the WAL, cache, and "what incognito leaves behind." The best fast on-ramp to this chapter's artifacts.
  • SANS DFIR "Browser Forensics" posters and blog. A single-page map of the major browsers' stores, paths, and epochs โ€” exactly the cheat sheet to tape to your bench.
  • Apple and Microsoft developer docs (binary plists; ESE/WebCacheV01.dat). Authoritative sources for the bplist00 format and the Extensible Storage Engine behind legacy Edge/IE โ€” cite them, don't memorize a forum post.
  • ๐Ÿ” Hindsight, NirSoft BrowsingHistoryView, and DB Browser for SQLite (read-only). Hindsight ingests a whole Chromium profile and decodes transitions/epochs/WAL; BrowsingHistoryView triages Chrome, Edge, Firefox, and IE at once; DB Browser lets you run your own confirming SQL on a copy.
  • ๐Ÿ’พ undark, walitean, FQLite, and R-Studio/DMDE. The first three recover deleted SQLite rows from the freelist and WAL; the recovery suites pull a whole profile (and carve cached images) off a failing drive, as in Case Study 2.
  • ๐Ÿ›ก๏ธ SrumECmd / SRUM-Dump and Volatility. SRUM parsing quantifies per-app upload volume; Volatility reads "private" sessions straight out of a memory image โ€” the spine of Case Study 1.
  • ๐Ÿ“œ DFIR reviews of the cache-possession question. For the legal/eDiscovery reader, survey how courts distinguish automatic caching from knowing possession (handled clinically) โ€” it is decided with the very transition/search-term technique this chapter teaches.

Reference (this book)

Do, don't just read

  • Query your own profile, read-only. Copy your History trio to a scratch folder, open it mode=ro, and convert a real last_visit_time to UTC by hand โ€” you do not understand the WebKit epoch until you have matched a converted row to something you actually did.
  • Recover what you cleared. Clear a test profile's history, then recover the rows with undark --freespace and walitean. Watch them vanish after you trigger a VACUUM โ€” feeling the recovery window close teaches theme five better than any warning.
  • Break your own incognito. Browse three sites privately, then find them in your DNS cache, SRUM, and memory. Once you have recovered a "private" session yourself, you will never again accept "I used incognito" as a defense.

Next: Chapter 19 โ€” Email, Chat, and Social Media Forensics: the conversation moves off the web page and into the inbox and the DM โ€” PST/OST and mbox/EML stores, message headers, and the chat and social artifacts where modern intent is recorded.