# Browser Data Structure Specifications
Authoritative reference for DFIR artifact knowledge covering Chrome/Chromium, Firefox, and Safari browser data structures. Parser implementations in `browser-forensic` should be validated against these specs.
**Last updated**: 2026-05-04
---
## Timestamp Epoch Reference
| Chrome/Chromium | WebKit | 1601-01-01 00:00:00 UTC | Microseconds (integer) | `(webkit_us - 11_644_473_600_000_000) * 1_000` |
| Firefox (history/cookies) | PRTime (Unix) | 1970-01-01 00:00:00 UTC | Microseconds (integer) | `unix_us * 1_000` |
| Firefox (logins/extensions/session) | Unix milliseconds | 1970-01-01 00:00:00 UTC | Milliseconds (integer) | `unix_ms * 1_000_000` |
| Chrome autofill (`Web Data`) | Unix seconds | 1970-01-01 00:00:00 UTC | Seconds (integer) | `unix_s * 1_000_000_000` |
| Safari | Core Data / Mac Absolute Time | 2001-01-01 00:00:00 UTC | Seconds (float64) | `(core_data_secs + 978_307_200) * 1_000_000_000` |
| Safari (Cookies.binarycookies) | Mac Absolute Time | 2001-01-01 00:00:00 UTC | Seconds (float64) | Same as Core Data |
**Critical pitfall**: Chrome's `autofill` table in `Web Data` uses Unix epoch **seconds**, NOT WebKit microseconds. Every other Chrome SQLite timestamp uses WebKit microseconds. Misapplying the epoch conversion yields dates in the 1600s.
---
## Chrome/Chromium
### 1. History SQLite (`History`)
**Location (per-profile)**:
- Windows: `%LOCALAPPDATA%\Google\Chrome\User Data\{Profile}\History`
- macOS: `~/Library/Application Support/Google/Chrome/{Profile}/History`
- Linux: `~/.config/google-chrome/{Profile}/History`
**Format**: SQLite 3, WAL mode
**Epoch**: WebKit microseconds (since 1601-01-01 UTC)
#### `urls` Table
```sql
CREATE TABLE urls (
id INTEGER PRIMARY KEY,
url LONGVARCHAR,
title LONGVARCHAR,
visit_count INTEGER DEFAULT 0 NOT NULL,
typed_count INTEGER DEFAULT 0 NOT NULL,
last_visit_time INTEGER NOT NULL,
hidden INTEGER DEFAULT 0 NOT NULL
);
CREATE INDEX urls_url_index ON urls (url);
```
| `id` | INTEGER | Primary key, auto-increment | Gap analysis for deleted records |
| `url` | LONGVARCHAR | Full URL | Primary browsing evidence |
| `title` | LONGVARCHAR | Page title | Context for visited pages |
| `visit_count` | INTEGER | Total visits across all sessions | Frequency analysis |
| `typed_count` | INTEGER | Times URL was typed (not clicked) | User intent indicator |
| `last_visit_time` | INTEGER | WebKit microseconds | Timeline anchor |
| `hidden` | INTEGER | 1 = hidden from default history view | Subframe/redirect pages |
#### `visits` Table
```sql
CREATE TABLE visits (
id INTEGER PRIMARY KEY,
url INTEGER NOT NULL,
visit_time INTEGER NOT NULL,
from_visit INTEGER DEFAULT 0 NOT NULL,
transition INTEGER DEFAULT 0 NOT NULL,
segment_id INTEGER DEFAULT 0 NOT NULL,
visit_duration INTEGER DEFAULT 0 NOT NULL,
incremented_omnibox_typed_score INTEGER DEFAULT 0 NOT NULL,
opener_visit INTEGER DEFAULT 0 NOT NULL,
originator_cache_guid TEXT,
originator_visit_id INTEGER DEFAULT 0 NOT NULL,
originator_from_visit INTEGER DEFAULT 0 NOT NULL,
originator_opener_visit INTEGER DEFAULT 0 NOT NULL,
is_known_to_sync INTEGER DEFAULT 0 NOT NULL,
consider_for_ntp_most_visited INTEGER DEFAULT 1 NOT NULL,
publicly_routable INTEGER DEFAULT 0 NOT NULL
);
CREATE INDEX visits_url_index ON visits (url);
CREATE INDEX visits_time_index ON visits (visit_time);
CREATE INDEX visits_from_index ON visits (from_visit);
```
| `id` | Visit ID | Gap analysis for deletions |
| `url` | FK to `urls.id` | Join to get actual URL |
| `visit_time` | WebKit microseconds | Per-visit timestamp |
| `from_visit` | ID of referring visit (0 = none) | Navigation chain reconstruction |
| `transition` | Bitmask (see below) | How user arrived at page |
| `segment_id` | Typed URL segment | URL bar autocomplete tracking |
| `visit_duration` | Microseconds on page | Engagement metric |
| `originator_cache_guid` | Sync origin device GUID | Cross-device attribution |
##### Transition Type Bitmask
The `transition` column is a 32-bit bitmask. Low 8 bits = core type, high 24 bits = qualifiers.
**Core types** (mask: `transition & 0xFF`):
| 0 | `LINK` | User followed a hyperlink |
| 1 | `TYPED` | User typed URL in address bar |
| 2 | `AUTO_BOOKMARK` | Navigation via UI suggestion (e.g., top sites) |
| 3 | `AUTO_SUBFRAME` | Automatic subframe navigation (ads, iframes) |
| 4 | `MANUAL_SUBFRAME` | User-initiated subframe navigation |
| 5 | `GENERATED` | URL generated by command (e.g., search result) |
| 6 | `AUTO_TOPLEVEL` | Top-level auto navigation (e.g., pre-render) |
| 7 | `FORM_SUBMIT` | Form submission |
| 8 | `RELOAD` | Page reload (also used for session restore) |
| 9 | `KEYWORD` | Omnibox keyword/tab-to-search |
| 10 | `KEYWORD_GENERATED` | Keyword-generated visit |
**Qualifier flags** (mask: `transition & 0xFFFFFF00`):
| `0x00800000` | `BLOCKED` | Navigation was blocked |
| `0x01000000` | `FORWARD_BACK` | Forward/back button navigation |
| `0x02000000` | `FROM_ADDRESS_BAR` | Initiated from address bar |
| `0x04000000` | `HOME_PAGE` | Home page navigation |
| `0x08000000` | `FROM_API` | Initiated by extension/API |
| `0x10000000` | `CHAIN_START` | First in a redirect chain |
| `0x20000000` | `CHAIN_END` | Last in a redirect chain |
| `0x40000000` | `CLIENT_REDIRECT` | Client-side redirect (JS/meta refresh) |
| `0x80000000` | `SERVER_REDIRECT` | Server-side redirect (301/302) |
| `0xC0000000` | `IS_REDIRECT_MASK` | Either client or server redirect |
**Forensic example**: `transition = 0x80000001` means TYPED (`& 0xFF == 1`) + SERVER_REDIRECT (`& 0x80000000`).
#### `visit_source` Table
```sql
CREATE TABLE visit_source (
id INTEGER PRIMARY KEY,
source INTEGER NOT NULL
);
```
`id` is a foreign key to `visits.id`. A visit absent from this table was browsed locally (source 1 is omitted for efficiency).
| 0 | `SOURCE_SYNCED` | Synchronized from another device |
| 1 | `SOURCE_BROWSED` | Locally browsed (NOT STORED -- absence implies this) |
| 2 | `SOURCE_EXTENSION` | Added by a browser extension |
| 3 | `SOURCE_FIREFOX_IMPORTED` | Imported from Firefox |
| 4 | `SOURCE_IE_IMPORTED` | Imported from Internet Explorer |
| 5 | `SOURCE_SAFARI_IMPORTED` | Imported from Safari |
**Anti-forensic note**: A URL present in `urls`/`visits` but absent from `visit_source` was locally browsed. A URL present in `visit_source` with `source=0` was synced and may not have been visited on this device.
#### `keyword_search_terms` Table
```sql
CREATE TABLE keyword_search_terms (
keyword_id INTEGER NOT NULL,
url_id INTEGER NOT NULL,
term LONGVARCHAR NOT NULL,
normalized_term LONGVARCHAR NOT NULL
);
```
Recovers search queries entered via the omnibox. `keyword_id` references the `keywords` table in `Web Data` (search engine definitions). One of the highest-value history artifacts for determining user intent.
#### `downloads` Table (Modern Schema)
```sql
CREATE TABLE downloads (
id INTEGER PRIMARY KEY,
guid VARCHAR NOT NULL,
current_path LONGVARCHAR NOT NULL,
target_path LONGVARCHAR NOT NULL,
start_time INTEGER NOT NULL,
received_bytes INTEGER NOT NULL,
total_bytes INTEGER NOT NULL,
state INTEGER NOT NULL,
danger_type INTEGER NOT NULL,
interrupt_reason INTEGER NOT NULL,
hash BLOB NOT NULL,
end_time INTEGER NOT NULL,
opened INTEGER NOT NULL,
last_access_time INTEGER NOT NULL,
transient INTEGER NOT NULL,
referrer VARCHAR NOT NULL,
site_url VARCHAR NOT NULL,
tab_url VARCHAR NOT NULL,
tab_referrer_url VARCHAR NOT NULL,
http_method VARCHAR NOT NULL,
by_ext_id VARCHAR NOT NULL,
by_ext_name VARCHAR NOT NULL,
etag VARCHAR NOT NULL,
last_modified VARCHAR NOT NULL,
mime_type VARCHAR(255) NOT NULL,
original_mime_type VARCHAR(255) NOT NULL
);
```
All timestamps (`start_time`, `end_time`, `last_access_time`) are WebKit microseconds.
`hash` is a BLOB containing the SHA-256 hash of the downloaded file content (added in Chrome 26+).
**`state` values**:
| 0 | `IN_PROGRESS` |
| 1 | `COMPLETE` |
| 2 | `CANCELLED` |
| 3 | `INTERRUPTED` |
**`danger_type` values**:
| 0 | `NOT_DANGEROUS` | Safe |
| 1 | `DANGEROUS_FILE` | Dangerous file type (e.g., `.exe`) |
| 2 | `DANGEROUS_URL` | URL flagged by Safe Browsing |
| 3 | `DANGEROUS_CONTENT` | Content flagged by Safe Browsing |
| 4 | `MAYBE_DANGEROUS_CONTENT` | Potentially dangerous content |
| 5 | `UNCOMMON_CONTENT` | Uncommon download |
| 6 | `USER_VALIDATED` | User explicitly overrode a danger warning |
| 7 | `DANGEROUS_HOST` | Host flagged by Safe Browsing |
| 8 | `POTENTIALLY_UNWANTED` | PUA/PUP classification |
| 9 | `ALLOWLISTED_BY_POLICY` | Enterprise policy allowlisted |
| 10 | `ASYNC_SCANNING` | Asynchronous deep scanning in progress |
| 11 | `BLOCKED_PASSWORD_PROTECTED` | Password-protected archive blocked |
| 12 | `BLOCKED_TOO_LARGE` | File too large to scan |
| 13 | `SENSITIVE_CONTENT_WARNING` | Contains sensitive content (warning) |
| 14 | `SENSITIVE_CONTENT_BLOCK` | Blocked due to sensitive content |
| 15 | `DEEP_SCANNED_SAFE` | Passed deep scan, safe |
| 16 | `DEEP_SCANNED_OPENED_DANGEROUS` | Dangerous result from deep scan |
| 17 | `PROMPT_FOR_SCANNING` | Prompting user for scan decision |
| 18 | `BLOCKED_UNSUPPORTED_FILETYPE` | Unsupported file type blocked by policy |
**`interrupt_reason` ranges**:
| 0 | None (no interruption) |
| 1–9 | File errors (access denied, no space, path too long) |
| 10–19 | File errors continued (virus detected, blocked by policy) |
| 20–29 | Network errors (failed, timeout, disconnected) |
| 30–39 | Server errors (bad content, no range support) |
| 40–49 | User actions (cancelled, shutdown) |
| 50 | Crash |
#### `downloads_url_chains` Table
```sql
CREATE TABLE downloads_url_chains (
id INTEGER NOT NULL,
chain_index INTEGER NOT NULL,
url TEXT NOT NULL,
PRIMARY KEY (id, chain_index)
);
```
Full redirect chain for each download. `chain_index=0` is the initial URL.
**MITRE ATT&CK**: T1217 (Browser Information Discovery), T1005 (Data from Local System)
---
### 2. Cookies SQLite (`Cookies`)
**Location**: `{Profile}/Network/Cookies` (Chrome 96+; previously `{Profile}/Cookies`)
**Format**: SQLite 3, WAL mode
**Epoch**: WebKit microseconds for all timestamp columns
```sql
CREATE TABLE cookies (
creation_utc INTEGER NOT NULL,
host_key TEXT NOT NULL,
top_frame_site_key TEXT NOT NULL DEFAULT '',
name TEXT NOT NULL,
value TEXT NOT NULL,
encrypted_value BLOB DEFAULT '',
path TEXT NOT NULL,
expires_utc INTEGER NOT NULL,
is_secure INTEGER NOT NULL,
is_httponly INTEGER NOT NULL,
last_access_utc INTEGER NOT NULL,
has_expires INTEGER NOT NULL DEFAULT 1,
is_persistent INTEGER NOT NULL DEFAULT 1,
priority INTEGER NOT NULL DEFAULT 1,
samesite INTEGER NOT NULL DEFAULT -1,
source_scheme INTEGER NOT NULL DEFAULT 0,
source_port INTEGER NOT NULL DEFAULT -1,
last_update_utc INTEGER NOT NULL DEFAULT 0,
source_type INTEGER NOT NULL DEFAULT 0,
has_cross_site_ancestor INTEGER NOT NULL DEFAULT 0
);
```
`samesite` values: -1 = unspecified, 0 = no restriction, 1 = lax, 2 = strict.
#### Encryption of `encrypted_value`
In modern Chrome, `value` is empty and `encrypted_value` holds the actual cookie value.
**Encrypted blob structure**: `[3-byte version prefix][12-byte nonce/IV][ciphertext (variable)][16-byte GCM auth tag]`
| (none/raw) | -- | Pre-80 | Windows DPAPI directly | `CryptProtectData` |
| `v10` | `76 31 30` | 80+ | `Local State` -> `os_crypt.encrypted_key` (DPAPI-wrapped) | AES-256-GCM |
| `v11` | `76 31 31` | 80+ (variant) | Same as v10 | AES-256-GCM |
| `v20` | `76 32 30` | 127+ | `Local State` -> `os_crypt.app_bound_encrypted_key` (SYSTEM+User DPAPI) | AES-256-GCM |
**Key recovery chain (v10/v11) on Windows**:
1. Read `Local State` JSON -> `os_crypt.encrypted_key` (Base64 string)
2. Base64-decode the value
3. Strip first 5 bytes (`DPAPI` ASCII prefix: `44 50 41 50 49`)
4. Call `CryptUnprotectData` on the remaining bytes to get the 32-byte AES-256 key
5. For each cookie: strip 3-byte prefix, extract 12-byte nonce, AES-256-GCM decrypt remainder
**macOS key derivation**: Key is stored in macOS Keychain under service name "Chrome Safe Storage". Encryption is PBKDF2-HMAC-SHA1 (1003 iterations, salt "saltysalt") -> AES-128-CBC.
**Linux key derivation**: Hardcoded password `"peanuts"`, PBKDF2-HMAC-SHA1 (1 iteration, salt `"saltysalt"`), AES-128-CBC.
**MITRE ATT&CK**: T1539 (Steal Web Session Cookie), T1555.003 (Credentials from Web Browsers)
---
### 3. Login Data SQLite (`Login Data`)
**Location**: `{Profile}/Login Data`
**Format**: SQLite 3
**Epoch**: WebKit microseconds for all date columns
```sql
CREATE TABLE logins (
origin_url VARCHAR NOT NULL,
action_url VARCHAR,
username_element VARCHAR,
username_value VARCHAR,
password_element VARCHAR,
password_value BLOB,
submit_element VARCHAR,
signon_realm VARCHAR NOT NULL,
date_created INTEGER NOT NULL,
blacklisted_by_user INTEGER NOT NULL,
scheme INTEGER NOT NULL,
password_type INTEGER,
times_used INTEGER,
form_data BLOB,
display_name VARCHAR,
icon_url VARCHAR,
federation_url VARCHAR,
skip_zero_click INTEGER,
generation_upload_status INTEGER,
possible_username_pairs BLOB,
id INTEGER PRIMARY KEY,
date_last_used INTEGER NOT NULL DEFAULT 0,
date_password_modified INTEGER NOT NULL DEFAULT 0,
keychain_identifier BLOB DEFAULT ''
);
```
`password_value` uses identical encryption to cookie `encrypted_value` (v10/v20 prefix + AES-256-GCM on Windows).
**Forensic note**: `username_value` is stored in **plaintext** regardless of whether the user saves the password. When `blacklisted_by_user=1`, the user declined to save, but `origin_url` and `username_value` are still recorded — revealing login attempts for credentials never saved.
**MITRE ATT&CK**: T1555.003 (Credentials from Web Browsers)
---
### 4. Web Data SQLite (`Web Data`) — Autofill
**Location**: `{Profile}/Web Data`
**Format**: SQLite 3
**Epoch**: Unix **seconds** (NOT WebKit) for autofill timestamps — critical difference
#### `autofill` Table
```sql
CREATE TABLE autofill (
name VARCHAR,
value VARCHAR,
value_lower VARCHAR,
date_created INTEGER DEFAULT 0,
date_last_used INTEGER DEFAULT 0,
count INTEGER DEFAULT 1
);
```
`date_created` and `date_last_used` are Unix epoch **seconds**. Convert: `ts_ns = date_created * 1_000_000_000`.
#### `autofill_profiles` Table
```sql
CREATE TABLE autofill_profiles (
guid VARCHAR PRIMARY KEY,
company_name VARCHAR,
street_address VARCHAR,
city VARCHAR,
state VARCHAR,
zipcode VARCHAR,
country_code VARCHAR,
date_modified INTEGER NOT NULL DEFAULT 0,
use_count INTEGER NOT NULL DEFAULT 0,
use_date INTEGER NOT NULL DEFAULT 0,
label VARCHAR
);
```
All timestamps are Unix seconds. Related sub-tables: `autofill_profile_names`, `autofill_profile_emails`, `autofill_profile_phones`.
#### `credit_cards` Table
```sql
CREATE TABLE credit_cards (
guid VARCHAR PRIMARY KEY,
name_on_card VARCHAR,
expiration_month INTEGER,
expiration_year INTEGER,
card_number_encrypted BLOB,
date_modified INTEGER NOT NULL DEFAULT 0,
use_count INTEGER NOT NULL DEFAULT 0,
use_date INTEGER NOT NULL DEFAULT 0,
billing_address_id VARCHAR,
nickname VARCHAR
);
```
`card_number_encrypted` uses the same v10/v20 encryption as cookies.
---
### 5. Bookmarks JSON (`Bookmarks`)
**Location**: `{Profile}/Bookmarks` (also `Bookmarks.bak` backup)
**Format**: JSON (UTF-8)
**Epoch**: WebKit microseconds encoded as **decimal strings** (not JSON numbers)
```json
{
"checksum": "a3f1b2c4d5e6f7a8b9c0d1e2f3a4b5c6",
"roots": {
"bookmark_bar": { "...": "..." },
"other": { "...": "..." },
"synced": { "...": "..." }
},
"version": 1
}
```
`checksum` is an MD5 hex string over the concatenation of node ids, titles, and URLs in tree-walk order. A mismatch indicates external modification.
URL node fields: `date_added` (WebKit us as string), `date_last_used`, `guid`, `id`, `name`, `type: "url"`, `url`.
Folder node fields: `children`, `date_added`, `date_modified`, `guid`, `id`, `name`, `type: "folder"`.
`date_added` and `date_modified` are WebKit microseconds encoded as **strings** — parsers must call `s.parse::<i64>()` before epoch conversion.
IDs are assigned sequentially. Gaps in the ID sequence indicate deleted bookmarks.
**MITRE ATT&CK**: T1217 (Browser Bookmark Discovery)
---
### 6. Extensions Directory (`Extensions/`)
**Location**: `{Profile}/Extensions/{extension_id}/{version}/manifest.json`
Key `manifest.json` fields:
| `manifest_version` | 2 (legacy MV2) or 3 (current MV3) |
| `permissions` | API permissions: `"cookies"`, `"tabs"`, `"webRequest"` |
| `host_permissions` | URL match patterns; `"<all_urls>"` = access to all sites |
| `background.service_worker` | MV3 background script |
| `content_scripts[].matches` | URL patterns where scripts inject |
**High-risk combinations**: `"cookies"` + `"<all_urls>"` = all cookies. `"webRequest"` + `"<all_urls>"` = all traffic interception. `"nativeMessaging"` = native process communication.
**Install time**: Not in `manifest.json`. From `{Profile}/Preferences` -> `extensions.settings.{id}.install_time` (WebKit us as string).
---
### 7. Cache (SimpleCache Format)
**Location**: `{Profile}/Cache/Cache_Data/` (Chrome 97+)
**Format**: Proprietary binary (Very Simple Backend)
Entry filenames: `{16-hex-digit-hash}_{stream_number}`. Stream 0 = HTTP response headers. Stream 1 = response body.
**EOF Record** (last 20-28 bytes of each entry file):
- Bytes 0–3: final magic number
- Bytes 4–7: flags
- Bytes 8–11: `key_size` (u32 LE) — URL length
- Bytes 12–15: key CRC32
- Bytes 16–19: stream 0 size
**URL extraction**: Read `key_size` from bytes 8–11, then read `key_size` bytes immediately preceding the EOF record.
---
### 8. Local State JSON
**Location**: `{Chrome User Data}/Local State`
Key forensic fields:
| `os_crypt.encrypted_key` | Base64-encoded DPAPI-wrapped AES-256 key (v10 decryption) |
| `os_crypt.app_bound_encrypted_key` | Base64-encoded app-bound key (v20 decryption) |
| `profile.info_cache.{ProfileDir}.name` | Profile display name |
| `profile.info_cache.{ProfileDir}.gaia_id` | Google Account ID |
| `profile.info_cache.{ProfileDir}.user_name` | Google Account email |
| `profile.last_used` | Last-used profile directory name |
| `browser.last_known_google_account` | Signed-in Google account email |
| `sync.has_setup_completed` | Whether Chrome Sync is configured |
| `uninstall_metrics.installation_date2` | Chrome installation timestamp |
---
### 9. Preferences JSON
**Location**: `{Profile}/Preferences`
Key forensic fields:
| `extensions.settings.{id}.install_time` | Extension install time (WebKit us as string) |
| `extensions.settings.{id}.state` | 1 = enabled, 0 = disabled |
| `download.default_directory` | Default download location |
| `partition.per_host_zoom_levels` | Per-site zoom levels (reveals visited domains) |
| `profile.created_by_version` | Chrome version that created this profile |
---
### 10. Session / Tab Recovery (SNSS Format)
**Location (Chrome 86+)**: `{Profile}/Sessions/Session_{timestamp}` and `{Profile}/Sessions/Tabs_{timestamp}`
**Location (Chrome < 86)**: `Current Session`, `Last Session`, `Current Tabs`, `Last Tabs`
**Format**: SNSS binary (NOT SQLite, NOT JSON)
```
Offset Size Endian Field
0 4 -- Magic: "SNSS" (0x53 0x4E 0x53 0x53)
4 4 LE Version: always 1 (u32)
--- Repeated command records ---
N 2 LE Command payload size in bytes (u16)
N+2 1 -- Command ID (u8)
N+3 P -- Command payload (Pickle-serialized, P = payload size - 1)
```
Key Command IDs:
| 6 | `UpdateTabNavigation` | URL, title, transition, referrer, page state |
| 7 | `SetSelectedNavigationIndex` | Active back/forward position |
| 8 | `SetSelectedTabInIndex` | Active tab in window |
| 21 | `SetPinnedState` | Whether tab is pinned |
**Forensic significance**: Session files capture the full back/forward navigation stack per tab. Persist even after the user clears browsing history. `Last Session`/`Last Tabs` capture state at last clean shutdown.
---
## Firefox
### 11. places.sqlite (History + Bookmarks + Downloads)
**Location**:
- Windows: `%APPDATA%\Mozilla\Firefox\Profiles\{profile}.default\places.sqlite`
- macOS: `~/Library/Application Support/Firefox/Profiles/{profile}.default/places.sqlite`
- Linux: `~/.mozilla/firefox/{profile}.default/places.sqlite`
**Format**: SQLite 3, WAL mode
**Epoch**: Unix microseconds (PRTime format)
#### `moz_places` Table
```sql
CREATE TABLE moz_places (
id INTEGER PRIMARY KEY,
url LONGVARCHAR,
title LONGVARCHAR,
rev_host LONGVARCHAR,
visit_count INTEGER DEFAULT 0,
hidden INTEGER DEFAULT 0 NOT NULL,
typed INTEGER DEFAULT 0 NOT NULL,
frecency INTEGER DEFAULT -1 NOT NULL,
last_visit_date INTEGER,
guid TEXT,
foreign_count INTEGER DEFAULT 0 NOT NULL,
url_hash INTEGER DEFAULT 0 NOT NULL,
description TEXT,
preview_image_url TEXT,
origin_id INTEGER
);
```
| `rev_host` | Reversed+dotted hostname (`moc.elpmaxe.` for `example.com`) |
| `typed` | 1 = user typed this URL directly |
| `frecency` | Frequency+recency score for omnibox ranking |
| `foreign_count` | Count of bookmarks referencing this place; `> 0` = currently bookmarked |
| `hidden` | 1 = redirect or subframe (not visited by user directly) |
#### `moz_historyvisits` Table
```sql
CREATE TABLE moz_historyvisits (
id INTEGER PRIMARY KEY,
from_visit INTEGER,
place_id INTEGER,
visit_date INTEGER,
visit_type INTEGER,
session INTEGER DEFAULT 0
);
```
##### `visit_type` Enum
| 1 | `TRANSITION_LINK` | User clicked a hyperlink |
| 2 | `TRANSITION_TYPED` | User typed the URL |
| 3 | `TRANSITION_BOOKMARK` | User clicked a bookmark |
| 4 | `TRANSITION_EMBED` | Embedded content (not a top-level visit) |
| 5 | `TRANSITION_REDIRECT_PERMANENT` | HTTP 301 redirect |
| 6 | `TRANSITION_REDIRECT_TEMPORARY` | HTTP 302 redirect |
| 7 | `TRANSITION_DOWNLOAD` | URL was downloaded |
| 8 | `TRANSITION_FRAMED_LINK` | User followed link in a frame |
| 9 | `TRANSITION_RELOAD` | Page was reloaded |
#### `moz_bookmarks` Table
```sql
CREATE TABLE moz_bookmarks (
id INTEGER PRIMARY KEY,
type INTEGER,
fk INTEGER DEFAULT NULL,
parent INTEGER,
position INTEGER,
title LONGVARCHAR,
keyword_id INTEGER,
dateAdded INTEGER,
lastModified INTEGER,
guid TEXT,
syncStatus INTEGER NOT NULL DEFAULT 0,
syncChangeCounter INTEGER NOT NULL DEFAULT 1
);
```
| 1 | `TYPE_BOOKMARK` — URL bookmark; `fk` -> `moz_places.id` |
| 2 | `TYPE_FOLDER` — Container |
| 3 | `TYPE_SEPARATOR` — Visual separator |
#### `moz_bookmarks_deleted` Table
```sql
CREATE TABLE moz_bookmarks_deleted (
guid TEXT PRIMARY KEY,
dateRemoved INTEGER NOT NULL DEFAULT 0
);
```
Persists GUIDs and deletion timestamps for bookmarks removed since last sync. An explicit anti-forensic detection artifact — deletion is recorded even after removal from `moz_bookmarks`.
#### `moz_inputhistory` Table
```sql
CREATE TABLE moz_inputhistory (
place_id INTEGER NOT NULL,
input LONGVARCHAR NOT NULL,
use_count INTEGER,
PRIMARY KEY (place_id, input)
);
```
Stores literal text the user typed in the address bar. Reveals actual user input even when it differs from the final URL.
#### Downloads via `moz_annos` / `moz_anno_attributes`
Downloads are recorded as annotations on `moz_places` entries:
- `downloads/destinationFileURI` — local file path
- `downloads/metaData` — JSON: `{"state":1,"endTime":1648000000000,"fileSize":1048576}`
---
### 12. cookies.sqlite
**Format**: SQLite 3, WAL mode
**Epoch**: `creationTime` and `lastAccessed` = Unix **microseconds**; `expiry` = Unix **seconds**
```sql
CREATE TABLE moz_cookies (
id INTEGER PRIMARY KEY,
originAttributes TEXT NOT NULL DEFAULT '',
name TEXT,
value TEXT,
host TEXT,
path TEXT,
expiry INTEGER,
lastAccessed INTEGER,
creationTime INTEGER,
isSecure INTEGER,
isHttpOnly INTEGER,
sameSite INTEGER DEFAULT 0,
rawSameSite INTEGER DEFAULT 0,
schemeMap INTEGER DEFAULT 0,
isPartitionedAttributeSet INTEGER DEFAULT 0,
CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes)
);
```
**Critical mixed-unit alert**: `expiry` is Unix **seconds**, while `creationTime` and `lastAccessed` are Unix **microseconds**. The unit difference is 1,000,000x.
**Firefox cookie values are stored in plaintext** in the `value` column. No encryption.
`originAttributes`: Firefox container context. Empty = default. Format: `^userContextId=N` where N is container ID.
**MITRE ATT&CK**: T1539 (Steal Web Session Cookie)
---
### 13. formhistory.sqlite (Autofill)
**Epoch**: Unix microseconds for `firstUsed` and `lastUsed`
```sql
CREATE TABLE moz_formhistory (
id INTEGER PRIMARY KEY,
fieldname TEXT NOT NULL,
value TEXT NOT NULL,
timesUsed INTEGER,
firstUsed INTEGER,
lastUsed INTEGER,
guid TEXT
);
```
`fieldname` is the HTML `name` attribute. High forensic value: recovers search queries, usernames, and other typed PII.
---
### 14. logins.json (Credentials)
**Epoch**: Unix milliseconds for all timestamp fields
```json
{
"logins": [{
"id": 1,
"hostname": "https://example.com",
"formSubmitURL": "https://example.com/login",
"usernameField": "email",
"passwordField": "password",
"encryptedUsername": "MDIEEPg...",
"encryptedPassword": "MDIEEPg...",
"guid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
"encType": 1,
"timeCreated": 1648000000000,
"timeLastUsed": 1650000000000,
"timePasswordChanged": 1648000000000,
"timesUsed": 5
}]
}
```
**Encryption**: 3DES-CBC, ASN.1 DER encoded, then Base64. Key stored in `key4.db` (SQLite, Firefox 58+). If user has a Primary Password, key4.db is additionally encrypted via PBKDF2 with the master password.
**Firefox 144+**: Updated NSS encryption. Older decryption tools may fail without updating to libnss3 >= 3.113.
**MITRE ATT&CK**: T1555.003 (Credentials from Web Browsers)
---
### 15. extensions.json
**Epoch**: Unix milliseconds for `installDate`, `updateDate`
Key fields per addon: `id`, `version`, `type`, `location`, `active`, `userDisabled`, `installDate`, `sourceURI`, `signedState`, `foreignInstall`, `userPermissions.permissions`, `userPermissions.origins`.
**`location` values**:
| `app-profile` | User-installed from AMO or local file |
| `winreg-app-global` | Installed via Windows Registry (enterprise) |
| `temporary-install` | Developer sideload (removed on restart) |
**`signedState` values**: -1=NOT_REQUIRED, 0=MISSING, 1=PRELIMINARY, 2=SIGNED, 3=SYSTEM, 4=PRIVILEGED.
`foreignInstall: true` + `signedState: 0` is a strong indicator of malicious sideloaded extension.
---
### 16. sessionstore.jsonlz4 / recovery.jsonlz4
**Locations**:
- `{Profile}/sessionstore.jsonlz4` — created on clean shutdown
- `{Profile}/sessionstore-backups/recovery.jsonlz4` — updated every ~15 seconds while running
- `{Profile}/sessionstore-backups/recovery.baklz4` — previous recovery backup
- `{Profile}/sessionstore-backups/previous.jsonlz4` — last clean shutdown state
**Format**: Mozilla's custom mozLz4 framing (NOT standard LZ4 frame format)
#### mozLz4 Binary Layout
```
Offset Size Endian Field
0 8 -- Magic: "mozLz40\0" (0x6D 0x6F 0x7A 0x4C 0x7A 0x34 0x30 0x00)
8 4 LE Uncompressed size of JSON data (u32)
12 N -- LZ4 block-compressed JSON (raw LZ4 block, no frame header)
```
**Critical**: Uses LZ4 **block** format (raw), NOT LZ4 **frame** format. Use `lz4_flex::block::decompress(&data[12..], uncompressed_size)`.
Key decompressed JSON fields:
| `tabs[].lastAccessed` | Unix ms | Last time the user switched to this tab |
| `tabs[].entries[]` | -- | Back/forward history stack per tab |
| `tabs[].userContextId` | -- | Firefox Multi-Account Container ID |
| `session.lastUpdate` | Unix ms | When session file was last written |
| `_closedTabs[]` | -- | Explicitly closed tabs (restorable via Ctrl+Shift+T) |
| `_closedWindows[]` | -- | Explicitly closed windows |
**Forensic significance**: Session files survive `Ctrl+Shift+Del`. `_closedTabs` may reveal URLs closed before history was committed to `places.sqlite`. `recovery.jsonlz4` captures near-live state.
---
### 17. Firefox Cache2 (`cache2/entries/`)
**Location**: `{Profile}/cache2/entries/`
**Format**: Proprietary binary per-entry files
Entry filename = uppercase hex SHA-1 of the URL (cache key).
**Metadata at end of file** (read last 4 bytes as BE u32 -> `metadata_offset`):
```
[metadata_offset position:]
4 bytes version (u32 LE)
4 bytes fetch_count (u32 LE)
4 bytes last_fetched (u32 LE, Unix seconds)
4 bytes last_modified (u32 LE, Unix seconds)
4 bytes frecency (u32 LE)
4 bytes expiration (u32 LE, Unix seconds)
4 bytes key_size (u32 LE)
N bytes key (URL string)
variable HTTP response headers (text, line-delimited)
```
---
## Safari
### 18. History.db
**Location**: `~/Library/Safari/History.db`
**Format**: SQLite 3, WAL mode
**Epoch**: Core Data / Mac Absolute Time (float64 seconds since 2001-01-01 UTC)
**Conversion**: `unix_ns = (core_data_secs + 978_307_200) * 1_000_000_000`
#### `history_items` Table
```sql
CREATE TABLE history_items (
id INTEGER PRIMARY KEY AUTOINCREMENT,
url TEXT NOT NULL UNIQUE,
domain_expansion TEXT,
visit_count INTEGER NOT NULL,
daily_visit_counts BLOB,
weekly_visit_counts BLOB,
autocomplete_triggers TEXT,
should_recompute_derived_visit_counts INTEGER,
visit_count_score INTEGER NOT NULL DEFAULT 0,
status_code INTEGER NOT NULL DEFAULT 0
);
```
#### `history_visits` Table
```sql
CREATE TABLE history_visits (
id INTEGER PRIMARY KEY AUTOINCREMENT,
history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,
visit_time REAL NOT NULL,
title TEXT,
load_successful BOOLEAN NOT NULL DEFAULT 1,
http_non_get BOOLEAN NOT NULL DEFAULT 0,
synthesized BOOLEAN NOT NULL DEFAULT 0,
redirect_source INTEGER UNIQUE REFERENCES history_visits(id),
redirect_destination INTEGER UNIQUE REFERENCES history_visits(id),
origin INTEGER NOT NULL DEFAULT 0,
generation INTEGER NOT NULL DEFAULT 0,
attributes INTEGER NOT NULL DEFAULT 0,
score INTEGER NOT NULL DEFAULT 0
);
```
| `visit_time` | Core Data float64 seconds |
| `http_non_get` | 1 = POST/PUT/DELETE (form submission indicator) |
| `synthesized` | 1 = programmatic (redirect/prefetch, not direct user navigation) |
| `redirect_source` / `redirect_destination` | Redirect chain reconstruction |
#### `history_tombstones` Table
```sql
CREATE TABLE history_tombstones (
id INTEGER PRIMARY KEY AUTOINCREMENT,
start_time REAL NOT NULL,
end_time REAL NOT NULL,
url TEXT,
generation INTEGER NOT NULL DEFAULT 0
);
```
**Most explicit anti-forensic detection artifact of any major browser.** When a user clears history, Safari creates tombstone records rather than simply deleting rows.
| `url IS NULL`, wide time range | User cleared history for a preset period |
| `url IS NOT NULL`, `start_time == end_time` | Single specific URL deleted |
| `url IS NULL`, `start_time == 0` | "Clear All History" |
| Multiple tombstones, same `generation` | Batch deletion in one operation |
| `end_time` close to now | Very recent deletion |
Tombstones persist even after subsequent history clears.
---
### 19. Cookies.binarycookies (Binary Cookie Format)
**Location**: `~/Library/Cookies/Cookies.binarycookies`
**Format**: Custom Apple binary format (NOT SQLite, NOT plist)
**Epoch**: Mac Absolute Time (float64 seconds since 2001-01-01 UTC)
**Note**: Modern macOS Safari may use `~/Library/Cookies/Cookies.db` (SQLite).
#### Complete Binary Layout
```
=== File Header ===
Offset Size Endian Field
0 4 -- Magic: "cook" (0x63 0x6F 0x6F 0x6B)
4 4 BE Number of pages (u32)
8 N*4 BE Page sizes array (N u32 values, one per page)
=== Page N ===
0 4 LE Page header magic: 0x00000100
4 4 LE Number of cookies in this page (u32)
8 M*4 LE Cookie offsets: M u32 values (byte offset from page start)
=== Cookie Record ===
Offset Size Endian Field
0 4 LE Record size in bytes (u32)
4 4 LE Unknown/version (u32)
8 4 LE Flags bitmask: bit 0=Secure, bit 2=HTTPOnly
12 4 LE Unknown (u32)
16 4 LE Byte offset to domain string
20 4 LE Byte offset to name string
24 4 LE Byte offset to path string
28 4 LE Byte offset to value string
32 4 LE Byte offset to comment string (0 if none)
36 4 -- Reserved (0x00000000)
40 8 LE Expiry date (f64, Mac Absolute Time)
48 8 LE Creation date (f64, Mac Absolute Time)
56+ var -- Null-terminated strings (domain, name, path, value, comment)
=== File Footer ===
8 -- SHA-1 checksum of preceding content
```
**Endianness warning**: File header (page count, page sizes) uses **big-endian**. Page internals and cookie records use **little-endian**. This is the most common source of parser bugs.
---
### 20. Downloads.plist
**Location**: `~/Library/Safari/Downloads.plist`
**Format**: Binary plist
**Epoch**: `NSDate` = Mac Absolute Time (float64 seconds since 2001-01-01)
Key fields per entry:
| `DownloadEntryURL` | Source URL |
| `DownloadEntryPath` | Local filesystem destination path |
| `DownloadEntryDateAddedKey` | Mac Absolute Time when download started |
| `DownloadEntryDateFinishedKey` | Mac Absolute Time when download completed |
| `DownloadEntryProgressTotalToLoad` | Total bytes (-1 if unknown) |
| `DownloadEntryProgressBytesSoFar` | Bytes downloaded at time of record |
---
### 21. Bookmarks.plist
**Location**: `~/Library/Safari/Bookmarks.plist`
**Format**: Binary plist (recursive tree)
Tree structure: Root (WebBookmarkTypeList) -> Children[] -> BookmarksBar, BookmarksMenu, com.apple.ReadingList.
URL node (`WebBookmarkTypeLeaf`): `WebBookmarkUUID`, `URLString`, `URIDictionary.title`.
Reading List entries additionally contain `ReadingList.DateAdded` (NSDate), `ReadingList.PreviewText`.
**MITRE ATT&CK**: T1217 (Browser Bookmark Discovery)
---
### 22. Safari Extensions
**Location (Legacy, Safari < 14)**: `~/Library/Safari/Extensions/Extensions.plist`
**Location (Modern, Safari 14+)**: Extensions as `.appex` bundles within `.app` packages (App Store installed)
Legacy `Extensions.plist` key fields per extension: `Archive File Name`, `Bundle Identifier`, `Display Name`, `Enabled`, `Developer Identifier`.
---
## Anti-Forensic Detection Indicators
### Chrome/Chromium
| History row deletions | Gaps in `visits.id` auto-increment sequence |
| Visit count mismatch | `urls.visit_count` > actual matching rows in `visits` |
| Full history clear | `urls` and `visits` empty but `meta` table `last_visit_time` > 0 |
| Incognito mode use | No SQLite artifacts; detect via DNS cache, prefetch files |
| WAL-resident deleted records | `History-wal` contains pre-commit versions of deleted pages |
| Chrome Sync preservation | `Sync Data/LevelDB/` may retain synced history deleted locally |
| Cookie clearing signatures | `Cookies-wal` may retain pre-deletion records |
### Firefox
| History row deletions | Gaps in `moz_historyvisits.id` sequence |
| Visit count mismatch | `moz_places.visit_count` > count of `moz_historyvisits` rows |
| Bookmark deletions | `moz_bookmarks_deleted` table — explicit deletion log |
| Private browsing leaks | `content-prefs.sqlite`, `permissions.sqlite` may record domains from private mode |
| WAL-resident data | `places.sqlite-wal`, `cookies.sqlite-wal` |
| Session file divergence | `recovery.jsonlz4` contains URLs absent from `places.sqlite` |
### Safari
| History deletion (range) | `history_tombstones` rows with `url IS NULL` |
| History deletion (specific URL) | `history_tombstones` rows with `url IS NOT NULL` |
| Full history clear | Tombstones spanning entire timeframe |
| Private browsing | No `History.db` entries; detect via DNS cache, keychain entries |
| WAL artifacts | `History.db-wal` may retain visits after deletion |
| Preferences evidence | `com.apple.Safari.plist` may contain `ClearedBrowserDataDateAndTime` |
---
## Memory-Resident Browser Artifacts
### Chrome/Chromium Process Memory
| `content::NavigationEntry` | URL, title, transition type, timestamp, page state | Full tab history including back/forward entries not in SQLite |
| `net::CookieMonster` | Decrypted in-memory cookie store | All cookies in cleartext — only way to recover without DPAPI key |
| `password_manager::PasswordStore` | Decrypted credentials | Plaintext passwords while browser runs |
| `autofill::PersonalDataManager` | Autofill profiles, credit card numbers (decrypted) | PII including full card numbers |
**Heap scanning**: Chrome V8 strings preceded by map pointer and length. Search for `https://` or `http://` byte sequences.
### Firefox Process Memory
| `nsNavHistory` | History database LRU visit cache |
| `nsCookieService` | Active cookie list (`nsCookie` objects with plaintext values) |
| SpiderMonkey GC heap | JavaScript heap including `document.cookie` strings |
### Safari/WebKit Process Memory
| `WebCore::HistoryItem` | URL, title, scroll position, visit time |
| `WebCore::CookieJar` | In-memory cookie store with plaintext values |
| `WebCore::ResourceRequest` | Full HTTP request: URL, method, headers |
---
## Cross-Browser Correlation Opportunities
| Same URL visited | `urls.url` | `moz_places.url` | `history_items.url` |
| Same cookie domain | `cookies.host_key` | `moz_cookies.host` | Cookie domain field |
| Same download URL | `downloads_url_chains.url` | `moz_annos` content | `Downloads.plist DownloadEntryURL` |
| Timestamp (all to Unix ns) | WebKit us -> Unix ns | Unix us -> Unix ns | Core Data s -> Unix ns |
| Same credential site | `logins.origin_url` + `username_value` | `logins[].hostname` | Keychain (external) |
| Search terms | `keyword_search_terms.term` | `moz_formhistory.value` | N/A |
| Import evidence | `visit_source.source` = 3/4/5 | N/A | N/A |
---
## References
### Official Source Code
- Chromium History schema: `components/history/core/browser/history_database.cc` at chromium.googlesource.com
- Chromium page transition types: `ui/base/page_transition_types.h`
- Chromium SimpleCache design: [Very Simple Backend](https://www.chromium.org/developers/design-documents/network-stack/disk-cache/very-simple-backend/)
- Firefox places schema: `toolkit/components/places/Database.cpp` at hg.mozilla.org
- Firefox cookie schema: `netwerk/cookie/CookiePersistentStorage.cpp`
- Firefox sessionstore: `browser/components/sessionstore/`
### Forensic Tools
- [Hindsight](https://github.com/obsidianforensics/hindsight) — Chromium browser artifact parser (Python)
- [FQLite](https://github.com/pawlaszczyk/fqlite) — SQLite deleted record recovery
- [firefox_decrypt](https://github.com/unode/firefox_decrypt) — Firefox `logins.json` credential extraction
- [BinaryCookieReader](https://github.com/as0ler/BinaryCookieReader) — Safari `Cookies.binarycookies` parser
- [ccl-ssns](https://github.com/cclgroupltd/ccl-ssns) — Chrome SNSS session file parser
- [Chrome App-Bound Encryption Research](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption/blob/main/docs/RESEARCH.md)
### Research References
- [Chrome Values Lookup Tables](https://dfir.blog/chrome-values-lookup-tables/) — Complete enum reference
- [Chrome Transition Values](https://dfir.blog/chrome-transition-values/) — Transition bitmask analysis
- [Forensic Analysis of SQLite Databases](https://belkasoft.com/sqlite-analysis) — Belkasoft
- [Analysing Firefox Session Restore Data](https://www.foxtonforensics.com/blog/post/analysing-firefox-session-restore-data-mozlz4-jsonlz4) — Foxton Forensics
- [Forensic Analysis of iOS Binary Cookie Files](https://onlinelibrary.wiley.com/doi/abs/10.1111/1556-4029.15499) — Journal of Forensic Sciences, 2024
### MITRE ATT&CK Techniques
- **T1217** — Browser Information Discovery
- **T1539** — Steal Web Session Cookie
- **T1555.003** — Credentials from Web Browsers
- **T1005** — Data from Local System
- **T1070.004** — Indicator Removal: File Deletion