There are many instances where an investigator or administrator may want to review the web browser history of a live running system. This could be part of routine checks carried out by a network administrator or it may be an investigator wishing to check the browser history before deciding whether to take a full image of the computer for further offline investigation.
From the standpoint of a forensic investigator it is important to understand the implications of interacting with a live system as any actions undertaken will result in changes to the system such as timestamps, registry keys and volatile memory. Despite this there are many advantages to capturing data from a running system, which we won’t go into in this post, but it is worthwhile having plenty of data collection or triage tools on hand for when such a scenario arises.
Capturing browser history for Chrome and Firefox can be achieved by simply copying off the history files for further analysis. Capturing history for Internet Explorer 10/11 and Edge is a bit trickier since the main history database is permanently locked by the operating system. This means that even if the browser is not in use the database file cannot be copied using traditional methods.
This was one of the reasons we developed Browser History Capturer (BHC), a free tool that allows you to easily capture web browser history from a Windows computer. The data captured includes bookmarks, cached files, cookies, downloads, form history, saved logins, searches, session data, website history and more.
There are two main ways to use BHC:
- Physically access the target computer, log on as an Administrator and run BHC from a USB dongle. The browser history data can then be captured directly to the USB dongle.
- Use Windows Remote Desktop to remotely log on as an Administrator, copy BHC to the target computer and then run the tool. The captured files can then be copied off via the same method.
The only requirement to run BHC is that .NET Framework 4.0 (Client Profile) or higher is installed on the target system.
The browser history files are captured in their original format allowing them to be analysed later using your tool of choice. We provide two tools for analysing history captured using BHC:
- Browser History Viewer (BHV) – a free tool for analysing website history, cached images and cached web pages.
- Browser History Examiner (BHE) – a professional tool offering support for additional artefacts and advanced searching, timeline analysis and reporting.
The captured history can be easily loaded into BHV or BHE by simply pointing the software at the “Capture” folder that BHC stores the history files within.
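Because the files are kept in their original format, a captured Chrome `History` file can also be read directly as a SQLite database. The sketch below is an added example, not part of BHC, BHV or BHE: it hashes the captured file, queries a read-only working copy, and converts Chrome's 1601-based timestamps to UTC. The function names are hypothetical and `build_sample_history` creates a constructed, simplified stand-in for Chrome's `urls` table.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome timestamps count microseconds from 1601-01-01 UTC, not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Convert a Chrome timestamp; 0 means no time was recorded."""
    return None if value == 0 else WEBKIT_EPOCH + timedelta(microseconds=value)

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def read_chrome_history(captured):
    """Return (sha256, rows); SQLite only ever opens a temporary working copy."""
    captured = Path(captured)
    before = sha256_file(captured)
    with tempfile.TemporaryDirectory() as workdir:
        working = Path(workdir) / "History"
        shutil.copy2(captured, working)
        con = sqlite3.connect(working.as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT url, title, visit_count, last_visit_time "
                "FROM urls ORDER BY last_visit_time DESC").fetchall()
        finally:
            con.close()
    if sha256_file(captured) != before:  # the captured file must be untouched
        raise RuntimeError("captured file changed during analysis")
    return before, [(u, t, n, webkit_to_utc(ts)) for u, t, n, ts in rows]

def build_sample_history(path, rows):
    """Constructed sample: a minimal stand-in for Chrome's urls table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany("INSERT INTO urls (url, title, visit_count, "
                    "last_visit_time) VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()
```

Recording the returned hash alongside the capture lets a later examiner confirm that the file loaded into an analysis tool is the one that was collected.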
To streamline the process of capturing browser history from a Windows computer on a network we have added a remote capture feature within BHE. This allows you to capture browser history from a remote computer on your network and copy the output directly to your own computer without needing physical access or using Remote Desktop.
In order to use this functionality you need to have administrator privileges and access to an administrative share on the remote computer. The remote computer must also accept WMI queries.
Once a connection to the remote computer has been established a number of options are provided to specify which data to capture.
The remote capture feature is fully functional within the BHE trial version, which means it can be used for free. As previously mentioned, the captured data can then be analysed using BHV, BHE or any other tool appropriate for the analysis task.
To see our remote capture feature in action, visit our Downloads page for a free trial of Browser History Examiner.