Edge stores autofill information such as profiles, locations, card numbers in the Web Data database. Saved credentials are stored in the Login Data database. You can find URLs and associated login data in the logins table. However, all of the passwords are encrypted. For decryption you can try ChromePass by Nirsoft. This tool allows to recover passwords from the running system or external drive. There is no need to mention how easily you can mount your evidence item e.g. with FTK Imager and use it as an external drive. The only thing you will need is the Windows profile password.

As result you will be able to get such information as Origin and Action URLs, User Name, Password in plain text and its creation date.

Progressive Web Applications (PWA) is one of the top features of Edge browser. It allows to "install" any website on your device as a web application. In fact, there is msedge_proxy.exe that gets profile directory and application ID as arguments and runs application shell (static template) to load needed dynamic content from the URL described in the Manifest.

Manifest file is stored under Extensions\<App_ID> subfolder.

Same folder contains the source code of the newly added extensions. Each extension has its own subfolder named by the unique ID.

On Mac OS Edge files are pretty similar and can be found under:

/Users/%USERNAME%/Library/Application Support/Microsoft Edge/Default

As you can see, information about bookmarks, visited URLs, downloads, cookies and so on is stored in the corresponding files and SQLite databases, so the previously described techniques could be used to obtain this data.

Note, that on Mac OS cache is stored separately in the /Users/%USERNAME%/ Library/Caches/Microsoft Edge/Default/Cache folder. However, you still can use ChromeCacheView to parse it.

Great, our next stop is iOS. All of the Edge files are stored under:

/private/var/mobile/Containers/Data/Application/<UUID>

Therefore, you need to match UUID to Microsoft Edge. How to do it? Quite easy! All you need is applicationState.db located under /private/var/mobile/Library/FrontBoard/. Let's start from finding the right ID in the application_identifier_tab table. In our case, ID of com.microsoft.msedge is 121. Now we can look at kvs table and filter application_identifier column using the ID we just found. The value column contains binary plists we need to export, DB Browser for SQLite can be used to solve this task, for example. Once exported, it can be examined with your favorite plist viewer:

Now we know that Microsoft Edge's UUID is 565EC255-F158-48E1-83C5-D426BC60D22D, so we can easily find application data.

First, you may want to check OfflineCache SQLite database that keeps the history of visits and placed at the Documents subfolder. Visited URLs with the Apple NSDate formatted timestamps are stored in the ZONLINESEARCHHISTORY table and could be obtained with the following query:

OfflineCache database also stores added bookmarks and data saved in the browser, so you can check them as well using same DB Browser for SQLite.

In addition to history of visits you can check Library/Caches/WebKit/NetworkCache/Version 14/Records/ <Website_ID>/Resource subfolders to get a slight idea about downloaded content.

As you can see here are different files and blob objects that could be opened with any text editor. If you are lucky, you can find some blobs with magic bytes and obtain the downloaded content itself:

Another useful location is the /Library/Cookies/ subfolder. Here you can find Cookies.binarycookies file that can be parsed with EdgeCookiesParser (https://github.com/HikaruHikarin/EdgeCookiesParser).

Last but not least is Android. The way of keeping Microsoft Edge's data is identical to Windows and Mac OS. All needed files and SQLite databases you can find at the /data/data/com.microsoft.emmx/app_chrome/Default folder. Cache is stored under /data/data/com.microsoft.emmx/cache/Cache location and can be parsed with ChromeCacheView.

As you can see, extraction of most important browsing data is possible with a few quite simple SQL-queries. As we are dealing with SQLite databases, you should not forget about free lists and unallocated space – it may uncover even more artifacts, which may contain the key to your investigation.