Chromium-Based Microsoft Edge From A Forensic Point Of View

by Oleg Skulkin & Svetlana Ostrovskaya

Recently Microsoft finally released the Chromium-based version of Edge Browser, so it seems we’ll miss ESE databases soon (not). Of course, it may have a similar set of forensic artifacts to Chromium or Chrome, but we must check it anyway. What’s more, the browser is available not only for Windows, but also for macOS, Android and iOS. 

On Windows, Edge data is available under the following location:

C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default

Let’s start from bookmarks or “favorites”. They are stored in a JSON file with the same name – Bookmarks. You can open it with any text editor. The timestamps are stored in WebKit format – a 64-bit value for microseconds since Jan 1, 1601 00:00 UTC. 

Cache is stored in the Cache subfolder and consists of an Index file (index), Data Block files (data_#) and data files (f_######). You can easily parse these files with ChromeCacheView by NirSoft:

Microsoft Edge cache parsed with ChromeCacheView

Cookies are stored in an SQLite database called Cookies. We need the cookies table, here is the query:

Microsoft Edge cookies

As you can see, we can easily convert timestamps in WebKit format with datetime function.

Information about files downloaded with Microsoft Edge is available in the History SQLite database. You can get it from the downloads table:

Microsoft Edge downloads

One more useful table here is urls. Again, you can use a simple query to obtain information about visited sites and timestamps:

Microsoft Edge visited sites

Edge stores autofill information such as profiles, locations and card numbers in the Web Data database. Saved credentials are stored in the Login Data database. You can find URLs and associated login data in the logins table.

However, all of the passwords are encrypted. For decryption you can try ChromePass by Nirsoft. This tool allows you to recover passwords from a running system or external drive. There is no need to mention how easily you can mount your evidence item, e.g. with FTK Imager and use it as an external drive. The only thing you will need is the Windows profile password.

ChromePass settings

As a result you will be able to get such information as Origin and Action URLs, User Name, Password in plain text and its creation date.

Microsoft Edge saved credentials

Progressive Web Applications (PWA) is one of the top features of the Edge browser. It allows you to “install” any website on your device as a web application. In fact, there is msedge_proxy.exe that gets profile directory and application ID as arguments and runs an application shell (static template) to load necessary dynamic content from the URL described in the Manifest.

Installed webpage shortcut

The manifest file is stored under the Extensions\<App_ID> subfolder. 

Microsoft Edge extensions and applications

The same folder contains the source code of the newly added extensions. Each extension has its own subfolder named by the unique ID.

On Mac OS Edge files are pretty similar and can be found under:

/Users/%USERNAME%/Library/Application Support/Microsoft Edge/Default

Microsoft Edge profile directory

As you can see, information about bookmarks, visited URLs, downloads, cookies and so on is stored in the corresponding files and SQLite databases, so the previously described techniques could be used to obtain this data. 

Note that on Mac OS, cache is stored separately in the /Users/%USERNAME%/ Library/Caches/Microsoft Edge/Default/Cache folder. However, you still can use ChromeCacheView to parse it.

Our next stop is iOS. All of the Edge files are stored under: 

/private/var/mobile/Containers/Data/Application/<UUID>

Therefore, you need to match the UUID to Microsoft Edge. How to do it? Quite easy! All you need is applicationState.db located under /private/var/mobile/Library/FrontBoard/.

Let’s start from finding the right ID in the application_identifier_tab table. In our case, ID of com.microsoft.msedge is 121. Now we can look at the kvs table and filter the application_identifier column using the ID we just found. The value column contains binary plists we need to export, DB Browser for SQLite can be used to solve this task, for example. Once exported, it can be examined with your favorite plist viewer:

Exported binary plist contents

Now we know that Microsoft Edge’s UUID is 565EC255-F158-48E1-83C5-D426BC60D22D, so we can easily find application data.

First, you may want to check the OfflineCache SQLite database that keeps the history of visits and placed at the Documents subfolder. Visited URLs with the Apple NSDate formatted timestamps are stored in the ZONLINESEARCHHISTORY table and can be obtained with the following query:

Microsoft Edge browsing history

The OfflineCache database also stores added bookmarks and data saved in the browser, so you can check them as well using the same DB Browser for SQLite.

In addition to history of visits you can check the Library/Caches/WebKit/NetworkCache/Version 14/Records/ <Website_ID>/Resource subfolders to get a slight idea about downloaded content.

Microsoft Edge network cache

As you can see, there are different files and blob objects that could be opened with any text editor. If you are lucky, you can find some blobs with magic bytes and obtain the downloaded content itself:

Downloaded picture

Another useful location is the /Library/Cookies/ subfolder. Here you can find Cookies.binarycookies file that can be parsed with EdgeCookiesParser

Cookies.binarycookies parsed with EdgeCookiesParser

Last but not least is Android. The way of keeping Microsoft Edge’s data is identical to Windows and Mac OS. All necessary files and SQLite databases you can find in the /data/data/com.microsoft.emmx/app_chrome/Default folder. Cache is stored under /data/data/com.microsoft.emmx/cache/Cache location and can be parsed with ChromeCacheView. 

As you can see, extraction of most important browsing data is possible with a few quite simple SQL-queries. As we are dealing with SQLite databases, you should not forget about free lists and unallocated space – it may uncover even more artifacts, which may contain the key to your investigation.

About the Authors

Oleg Skulkin is senior digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, GCTI, and MCFE. Oleg co-authored Windows Forensics Cookbook, Practical Mobile Forensics and Learning Android Forensics, as well as many blog posts and articles on digital forensics and incident response you can find online.

Svetlana Ostrovskaya is digital forensic trainer at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. She co-authored many training programs, including Windows Memory Forensics, Advanced Windows Forensic Investigations and Windows Incident Response and Threat Hunting.

1 thought on “Chromium-Based Microsoft Edge From A Forensic Point Of View”

Leave a Comment