Analysing synchronised browser history

17 June 2019
Both Chrome and Firefox offer the ability to sync various browser data between multiple devices by signing in with a Google or Firefox account. This data includes autofill, bookmarks, extensions, passwords, preferences, open tabs and website visits. This post will focus on syncing website visits between devices and the impact this has on an investigation involving browser history.

Chrome
Chrome has the option to “sync everything” or to select which data types are synchronised. The default option is “sync everything”. Therefore, if you have sync enabled and login to Chrome on a new device, by default all of your browser data will be automatically synced over to the new device.



Chrome only synchronises typed URLs between devices. This means you can’t sync all website visits, just visits where the URL has been typed into the browser.

Chrome website visits are stored in the 'History' SQLite database, within the 'visits' table. A separate ‘visit_source’ table can be used to determine the origin of a website visit. The visit_source table contains two columns, id and source. The id column contains the ID of a record in the visits table, and the source column contains an integer value with the following mapping:

  • Synchronised from another device = 0
  • User browsed = 1
  • Added by an extension = 2
  • Imported from Firefox = 3
  • Imported from IE = 4
  • Imported from Safari = 5


For website visits performed by the user on the local device there generally will not be a visit_source record. It is our understanding that a visit_source record with a value of SOURCE_BROWSED = 1 would indicate that the user made the website visit on the local device and therefore would be the same as having no visit_source record present.

We can use the following SQL query to get a list of all website visits with their corresponding source value.





We can also determine which Google account is being used for syncing browser data and which types of data are being synced. This information is stored within the Preferences file located within the Chrome profile folder.

The Preferences file is in JSON format and contains an account_info object at the root level where we can find the account name and email address:



There is also a sync object at the root level which contains information such as which data types are being synchronised and when the first/last sync was performed. Timestamps are stored as the number of microseconds since 01/01/1601 00:00:00.



Our testing has revealed a couple of edge cases to be aware of:
  1. If the default sync settings have not been changed then the sync object may not contain any flags to indicate which data types are being synced. In this case the last_synced_time property should indicate that sync is enabled and “sync everything” is selected.
  2. The sync object can remain in the Preferences file after sync has been disabled. Therefore, the last_synced_time property should also be considered to determine if a particular data type is still being synchronised.

Firefox



Unlike Chrome, Firefox offers the ability to synchronise your complete browsing history between devices. However, from an investigative point of view it does not appear to offer the ability to determine which website visits were performed on the local device and which were synchronised from another device. We can at least determine if the history sync feature is enabled by viewing the prefs.js file within the profile directory. This contains the timestamp for when the browser history was last synchronised:



The timestamp is stored as the number of seconds since 01/01/1970 00:00:00 (known as Unix time).

We can also determine the username of the Firefox account used for synchronisation:



Browser History Examiner
To simplify the process of analysing browser sync data we have updated Browser History Examiner (BHE) to include a Visit Source column to indicate the origin of Chrome website visits.



We have also added a new Browser Settings artefact type where various synchronisation related properties are displayed such as the last sync time or the sync username.

Chrome sync settings:




Firefox sync settings:




In a future post we will look into how other synchronised data types are stored such as autofill, bookmarks, passwords and open tabs.

Analysing Firefox Session Restore data

    Prev Post

Introducing SQLite Examiner

Next Post