Chromium-Based Microsoft Edge From A Forensic Point Of View

by Oleg Skulkin & Svetlana Ostrovskaya

Recently Microsoft finally released the Chromium-based version of Edge Browser, so it seems we’ll miss ESE databases soon (not). Of course, it may have a similar set of forensic artifacts to Chromium or Chrome, but we must check it anyway. What’s more, the browser is available not only for Windows, but also for macOS, Android and iOS.

On Windows, Edge data is available under the following location:

C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default

Let’s start from bookmarks or “favorites”. They are stored in a JSON file with the same name – Bookmarks. You can open it with any text editor. The timestamps are stored in WebKit format – a 64-bit value for microseconds since Jan 1, 1601 00:00 UTC.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Read More

1 thought on “Chromium-Based Microsoft Edge From A Forensic Point Of View”

  1. First of all, great article. Thanks for sharing it.

    Then a question: I checked the History file in C:\Users\[User]\AppData\Local\Microsoft\Edge\User Data\Default, but it seems not to be a sqlite-db file. It does not have an extension at all.
    Has something changed? Would like to hear.

Leave a Comment