Chapter 18 — Key Takeaways

The big idea

The browser profile is the most intimate and most revealing record on most machines, and reading it is one skill repeated across four formats: locate the store, copy it safely, parse the structure, convert the timestamp correctly, and correlate. History tells you a person went somewhere, typed something, intended something — and stamps the intent to the microsecond. No single row makes a case: a TYPED visit is a lead, but a TYPED visit plus a matching cookie last-access plus an SRUM byte-count plus a DNS-cache entry is a finding. And because deleted is not destroyed, the activity a suspect clears — and the session they run in "private" — is routinely the activity that proves what happened.

Almost everything is SQLite — handle it correctly

  • Chrome, Edge, Firefox, Safari, and most others store their core artifacts in SQLite, recognizable by the magic SQLite format 3\0 (53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00).
  • Browsers run WAL mode: recent activity lives in <db>-wal (with <db>-shm). Copy the trio together or you analyze a stale database and lose the latest hours.
  • Never let the engine write. A default connection can checkpoint the WAL and change both files' hashes. Work on copies, open read-only, set PRAGMA query_only.
  • Cleared rows survive in freelist pages and page slack until a VACUUM or page reuse — recoverable with undark, walitean, FQLite.

Four formats, three epochs, one method

Epoch Browser(s) Unit / zero date → Unix seconds
WebKit Chrome, Edge, Brave, Opera µs since 1601-01-01 t/1e6 − 11644473600
PRTime Firefox (places, formhistory, cookie creation/lastAccessed) µs since 1970-01-01 t/1e6
Mac/Cocoa Safari s since 2001-01-01 t + 978307200
FILETIME IE / legacy Edge WebCacheV01.dat 100-ns since 1601 t/1e7 − 11644473600

Trap to memorize: Firefox moz_cookies.expiry is plain Unix seconds, not µs — mixing it with the µs columns misdates a cookie a million-fold. Sanity-check every conversion against a known anchor; name the epoch in your notes.

Intent vs. incident: the transition field

  • Chromium visits.transition: the low byte (& 0xFF) is the core type. TYPED (1) and FORM_SUBMIT (7) are deliberate; AUTO_SUBFRAME (3), CLIENT_REDIRECT, and SERVER_REDIRECT are not user navigations. Decode before you say "the user went here," and never inflate visit_count with subframes and redirects.
  • Firefox visit_type mirrors it with its own numbering (1 LINK, 2 TYPED, 7 DOWNLOAD).
  • Cache records what was seen. It carves by signature (FF D8 FF, 89 50 4E 47) with a source URL and fetch time — but caching can be automatic, so the law separates it from knowing possession: establish intent with TYPED navigation, search terms, downloads, and dwell time before claiming the user viewed anything.

What private browsing does NOT remove

Incognito only skips the persistent profile. The session still appears in: the OS DNS cache; RAM (and pagefile/hiberfil); SRUM per-app bytes sent/received; favicons in some builds; and proxy/firewall/network logs. "I used incognito" is a confession of method, not a defense.

Cloud sync is a second road off the machine

Client Local store to parse Proves
Dropbox info.json (.dbx are SQLCipher) linked account email + sync-folder path
Google Drive DriveFS\<id>\metadata_sqlite_db (items) synced filenames, sizes, timestamps + content_cache
OneDrive settings\Personal\<cid>.* + logs\*.odl synced items, account cid, file-level activity

You can now…

  • ☐ Locate, preserve (the db/-wal/-shm trio), and query browser SQLite databases read-only without altering the evidence, and recognize the SQLite, mozLz40, bplist00, and cook signatures.
  • ☐ Parse Chromium History/Cookies/Login Data/Web Data, decode transition core types and qualifiers, and convert WebKit, PRTime, Mac/Cocoa, and FILETIME correctly.
  • ☐ Examine Firefox and Safari stores, dodge the moz_cookies unit trap, and extract autofill, saved-login metadata, downloads, bookmarks, and session/tab data.
  • ☐ Distinguish cache-as-evidence from automatic caching, and recover cached media and deleted history rows from the WAL, the freelist, and carved files.
  • ☐ Prove what private browsing does not remove — DNS, RAM/pagefile, SRUM, network logs — and read Dropbox/Drive/OneDrive footprints as exfiltration evidence.

Looking ahead

Chapter 19 — Email, Chat, and Social Media Forensics. The conversation moves off the web page and into the inbox and the DM: PST/OST and mbox/EML stores, message headers, and the chat and social-platform artifacts where so much modern intent is recorded. Technology changes; principles don't.

One sentence to carry forward: The browser is the diary a person never meant to keep — and the act of clearing it, or hiding it in a private window, is usually just one more dated entry.