Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 18 โ Further Reading
Browser and internet forensics moves fast โ schemas, epochs, and encryption change with browser versions โ so anchor yourself in the primary format references first, then keep current with the tool authors and DFIR blogs who track each release.
Foundations (๐ฌ deeper / format-level)
- The SQLite file format documentation (sqlite.org/fileformat2.html). The authoritative byte-level spec for the header, B-tree pages, the freelist, and the WAL. When you must explain why a deleted row survived in page slack โ or defend a recovery on the stand โ this is where the answer lives.
- The Chromium source and Ryan Benson's "Hindsight" write-ups (
obsidianforensics.com). The definitive treatment of Chromium history, thetransitionfield and its qualifiers, the WebKit epoch, and thev10/v11cookie/login encryption. Benson's posts are the reason most examiners understand "Chrome time" at all. - Mozilla's source documentation for the
placesandcookiesschemas. The primary reference formoz_historyvisits.visit_type, PRTime, and themoz_cookiesunit split (ยตs creation vs. seconds expiry) that trips up so many reports.
Approachable explanations (everyone)
- 13cubed (Richard Davis), YouTube. Short, rigorous, free walk-throughs of Chromium history, the WAL, cache, and "what incognito leaves behind." The best fast on-ramp to this chapter's artifacts.
- SANS DFIR "Browser Forensics" posters and blog. A single-page map of the major browsers' stores, paths, and epochs โ exactly the cheat sheet to tape to your bench.
- Apple and Microsoft developer docs (binary plists; ESE/
WebCacheV01.dat). Authoritative sources for thebplist00format and the Extensible Storage Engine behind legacy Edge/IE โ cite them, don't memorize a forum post.
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐ Hindsight, NirSoft BrowsingHistoryView, and DB Browser for SQLite (read-only). Hindsight ingests a whole Chromium profile and decodes transitions/epochs/WAL; BrowsingHistoryView triages Chrome, Edge, Firefox, and IE at once; DB Browser lets you run your own confirming SQL on a copy.
- ๐พ
undark,walitean, FQLite, and R-Studio/DMDE. The first three recover deleted SQLite rows from the freelist and WAL; the recovery suites pull a whole profile (and carve cached images) off a failing drive, as in Case Study 2. - ๐ก๏ธ SrumECmd / SRUM-Dump and Volatility. SRUM parsing quantifies per-app upload volume; Volatility reads "private" sessions straight out of a memory image โ the spine of Case Study 1.
- ๐ DFIR reviews of the cache-possession question. For the legal/eDiscovery reader, survey how courts distinguish automatic caching from knowing possession (handled clinically) โ it is decided with the very transition/search-term technique this chapter teaches.
Reference (this book)
- Appendix A โ File Signatures Reference: SQLite, JPEG/PNG,
mozLz40,bplist00, andcookmagics for spotting and carving browser artifacts. - Appendix D โ Forensic Artifact Locations: cross-platform profile paths and the epoch field guide.
- Appendix C โ Tool Reference: Hindsight, BrowsingHistoryView, ESEDatabaseView, undark/walitean syntax.
- Chapter 7 โ File Carving, Chapter 22 โ Memory Forensics, Chapter 29 โ Encrypted Device Forensics, Chapter 31 โ Cloud Forensics: carving cached media, reading private sessions from RAM, decrypting
v10/v11values, and the server-side cloud picture.
Do, don't just read
- Query your own profile, read-only. Copy your
Historytrio to a scratch folder, open itmode=ro, and convert a reallast_visit_timeto UTC by hand โ you do not understand the WebKit epoch until you have matched a converted row to something you actually did. - Recover what you cleared. Clear a test profile's history, then recover the rows with
undark --freespaceandwalitean. Watch them vanish after you trigger aVACUUMโ feeling the recovery window close teaches theme five better than any warning. - Break your own incognito. Browse three sites privately, then find them in your DNS cache, SRUM, and memory. Once you have recovered a "private" session yourself, you will never again accept "I used incognito" as a defense.
Next: Chapter 19 โ Email, Chat, and Social Media Forensics: the conversation moves off the web page and into the inbox and the DM โ PST/OST and mbox/EML stores, message headers, and the chat and social artifacts where modern intent is recorded.