Chromium-based Microsoft Edge from a Forensic Point of View
Oleg Skulkin
Senior Digital Forensics Analyst at Group-IB
Svetlana Ostrovskaya
Digital Forensics Trainer at Group-IB
Not long ago Microsoft finally released Chromium-based version of Edge Browser, so it seems we'll miss ESE databases soon (no). Of course, it may have the same or similar set of forensic artifacts as Chromium or Chrome, but we must check it anyway, of course. What's more, the browser is available not only for Windows, but also for macOS, Android and iOS.
On Windows, Edge data is available under the following location:
Let's start from bookmarks or "favorites". They are stored in a JSON files under the same name – Bookmarks. You can open it with any text editor. The timestamps are stored in WebKit format - a 64-bit value for microseconds since Jan 1, 1601 00:00 UTC.
Cache is stored in the Cache subfolder and consists of an Index file (index), Data Block files (data_#) and data files (f_######). You can easily parse these files with ChromeCacheView by NirSoft:
Figure 1. Microsoft Edge cache parsed with ChromeCacheView
Cookies are stored in an SQLite database called Cookies. We need cookies table, here is the query:
Figure 2. Microsoft Edge cookies
As you can see, we can easily convert timestamps in WebKit format with datetime function.
Information about files downloaded with Microsoft Edge is available in History SQLite database. You can get it from downloads table:
Figure 3. Microsoft Edge downloads
Another useful table here is urls. Again, you can use simple query to obtain information about visited sites and timestamps:
Figure 4. Microsoft Edge visited sites
Edge stores autofill information such as profiles, locations, card numbers in the Web Data database. Saved credentials are stored in the Login Data database. You can find URLs and associated login data in the logins table. However, all of the passwords are encrypted. For decryption you can try ChromePass by Nirsoft. This tool allows to recover passwords from the running system or external drive. There is no need to mention how easily you can mount your evidence item e.g. with FTK Imager and use it as an external drive. The only thing you will need is the Windows profile password.
Figure 5. ChromePass settings
As result you will be able to get such information as Origin and Action URLs, User Name, Password in plain text and its creation date.
Figure 6. Microsoft Edge saved credentials
Progressive Web Applications (PWA) is one of the top features of Edge browser. It allows to "install" any website on your device as a web application. In fact, there is msedge_proxy.exe that gets profile directory and application ID as arguments and runs application shell (static template) to load needed dynamic content from the URL described in the Manifest.
Figure 7. Installed webpage shortcut
Manifest file is stored under Extensions\<App_ID> subfolder.
Figure 8. Microsoft Edge extensions and applications
Same folder contains the source code of the newly added extensions. Each extension has its own subfolder named by the unique ID.
On Mac OS Edge files are pretty similar and can be found under:
As you can see, information about bookmarks, visited URLs, downloads, cookies and so on is stored in the corresponding files and SQLite databases, so the previously described techniques could be used to obtain this data.
Note, that on Mac OS cache is stored separately in the /Users/%USERNAME%/ Library/Caches/Microsoft Edge/Default/Cache folder. However, you still can use ChromeCacheView to parse it.
Great, our next stop is iOS. All of the Edge files are stored under:
Therefore, you need to match UUID to Microsoft Edge. How to do it? Quite easy! All you need is applicationState.db located under /private/var/mobile/Library/FrontBoard/. Let's start from finding the right ID in the application_identifier_tab table. In our case, ID of com.microsoft.msedge is 121. Now we can look at kvs table and filter application_identifier column using the ID we just found. The value column contains binary plists we need to export, DB Browser for SQLite can be used to solve this task, for example. Once exported, it can be examined with your favorite plist viewer:
Figure 10. Exported binary plist contents
Now we know that Microsoft Edge's UUID is 565EC255-F158-48E1-83C5-D426BC60D22D, so we can easily find application data.
First, you may want to check OfflineCache SQLite database that keeps the history of visits and placed at the Documents subfolder. Visited URLs with the Apple NSDate formatted timestamps are stored in the ZONLINESEARCHHISTORY table and could be obtained with the following query:
Figure 11. Microsoft Edge browsing history
OfflineCache database also stores added bookmarks and data saved in the browser, so you can check them as well using same DB Browser for SQLite.
In addition to history of visits you can check Library/Caches/WebKit/NetworkCache/Version 14/Records/ <Website_ID>/Resource subfolders to get a slight idea about downloaded content.
Figure 12. Microsoft Edge network cache
As you can see here are different files and blob objects that could be opened with any text editor. If you are lucky, you can find some blobs with magic bytes and obtain the downloaded content itself:
Figure 13. Downloaded picture
Another useful location is the /Library/Cookies/ subfolder. Here you can find Cookies.binarycookies file that can be parsed with EdgeCookiesParser (https://github.com/HikaruHikarin/EdgeCookiesParser).
Figure 14. Cookies.binarycookies parsed with EdgeCookiesParser
Last but not least is Android. The way of keeping Microsoft Edge's data is identical to Windows and Mac OS. All needed files and SQLite databases you can find at the /data/data/com.microsoft.emmx/app_chrome/Default folder. Cache is stored under /data/data/com.microsoft.emmx/cache/Cache location and can be parsed with ChromeCacheView.
As you can see, extraction of most important browsing data is possible with a few quite simple SQL-queries. As we are dealing with SQLite databases, you should not forget about free lists and unallocated space – it may uncover even more artifacts, which may contain the key to your investigation.