Linking form history to web page URLs
09 February 2016
Both Chrome and Firefox store values entered into HTML forms in order to provide an autocomplete option the next time the web page is visited. This data can be very useful for an investigator as it may help establish usernames and email addresses used to log into various online services, even if the user has chosen not to save the associated password.
Further useful information such as street addresses and phone numbers can also often be extracted from stored form history.
In Firefox, this data is stored within the 'moz_formhistory
' table of the 'formhistory.sqlite
' database file. In Chrome, this data is stored within the 'autofill
' table of the 'Web Data
' SQLite database file. Both browsers record the name of the HTML element, the value entered, the date the value was first entered, the date it was last entered and the total number of times it has been entered.
Neither browser records the associated URL as part of the form entry record, therefore the autocomplete functionality works entirely off the HTML element name. If a user visits two separate websites which happen to use the same name for a username field in a login form, and the user enters the same username on each website then a single record is stored by the browser in the form history. This record would reflect that the username had been entered twice, and the first/last time it had been entered. However, it would not be clear that the username had been entered on two different websites. In this same scenario if the user entered different usernames on each website then separate records would be stored in the form history.
For these reasons it isn't possible to definitively state which URL a particular form value was entered against. However, we can calculate with a certain level of accuracy which domain a form value was first or last entered against. Our testing has shown that both Chrome and Firefox typically record a website visit within a couple of seconds of recording the associated form history record. We can therefore make use of the first/last used timestamp on the form history record and the timestamp on the website visit records to try and determine the URL a form value is associated with. It should be noted that this URL will not necessarily represent the web page containing the form, it may be a page that the user is redirected to following the form submission. Therefore, we are mainly interested in the domain of this associated URL.
We built a SQL query to simply select the website visit which occurred the closest in time after the form history record. However, it became apparent that not all form history records have an associated website visit recorded. To reduce the level of false positives we modified the query to only consider a website visit if it occurred within a certain number of seconds after the form entry was logged. During our testing we found that a limit of 5 seconds provided the best results in terms of linking as many records as possible while keeping false positives to a minimum.
The SQL query for Chrome can be seen below:
As the website visit history in Chrome is stored in a separate 'History' SQLite database file you must attach the 'History' database with an alias of 'HistoryDb' before running this query.
We have recently added support for this functionality in Browser History Examiner
(BHE). As shown in the screenshot below Form History records from both Chrome and Firefox now include two additional columns. These columns show the domain of the associated Website Visit for the first and last time the form value was used.