In enterprise environments administrators can manage how Chrome/Edge updates are applied to users' computers, including the ability to roll back to a previous browser version. If the browser version is rolled back and a user has browser sync enabled, then their browser history will be retained. However, if they don't have sync enabled then their browser history will be automatically deleted.
To help in this scenario, the Chrome/Edge browsers can store a snapshot of browser history locally on the user's device before each major version update. Then, when a rollback occurs and the user does not have sync enabled, the snapshot can be used to restore the user's browser history. By default, the three most recent snapshots are retained, but this setting can be overridden by administrators to store more or fewer snapshots.
For a browser history investigation it's worth reviewing snapshots as they may contain data that isn't present in the current browser history.
Snapshots are stored within a “Snapshots” folder in the same location as the current browser history. For example, Chrome on Windows stores snapshots in the following location:
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Snapshots
Each snapshot folder is named with the browser version at the time the snapshot was taken, e.g. 138.0.7204.169.
Within the version folders there is a folder per browser profile. Within the browser profile folders we can find the usual browser history files, such as the History SQLite file.
An example path to the History SQLite file of the Default profile which was stored when the browser version was 138.0.7204.169 would be:
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Snapshots\138.0.7204.169\Default\History
Snapshots can include bookmarks, browsing history, session restore data, passwords, autofill, cookies, and browser sign-in state.
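The following is an added example, not part of the original article or of any tool it mentions: a Python sketch that walks the Snapshots/<version>/<profile>/History layout described above and lists URLs that exist in a snapshot but not in the current History file. It assumes the live profile sits at <User Data>\<profile>\History, reads only the url and last_visit_time columns of Chrome's urls table, and runs against constructed sample data (the 137.0.0.0 folder and example.com URLs are made up for the demonstration).

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def webkit_to_utc(us):
    # Chrome stores timestamps as microseconds since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)

def read_urls(history_path):
    # Read-only open so the file under examination is never written to
    uri = Path(history_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return dict(con.execute("SELECT url, last_visit_time FROM urls"))
    finally:
        con.close()

def snapshot_only_urls(user_data, profile="Default"):
    """{url: (snapshot version, last visit UTC)} for URLs missing from current History."""
    user_data = Path(user_data)
    current = read_urls(user_data / profile / "History")  # assumed live profile path
    newest = {}
    # Layout from the article: Snapshots/<browser version>/<profile>/History
    for hist in user_data.glob(f"Snapshots/*/{profile}/History"):
        for url, ts in read_urls(hist).items():
            if url not in current and ts > newest.get(url, ("", -1))[1]:
                newest[url] = (hist.parts[-3], ts)
    return {u: (v, webkit_to_utc(ts)) for u, (v, ts) in newest.items()}

def build_constructed_sample(root):
    # Constructed data: minimal 'urls' tables, not real Chrome History files
    def make(path, rows):
        path.parent.mkdir(parents=True)
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE urls (url TEXT, last_visit_time INTEGER)")
        con.executemany("INSERT INTO urls VALUES (?, ?)", rows)
        con.commit()
        con.close()
    kept, gone = "https://example.com/kept", "https://example.com/gone"
    make(root / "Default" / "History", [(kept, 13390000000000000)])
    make(root / "Snapshots" / "137.0.0.0" / "Default" / "History", [(gone, 13370000000000000)])
    make(root / "Snapshots" / "138.0.7204.169" / "Default" / "History",
         [(kept, 13390000000000000), (gone, 13380000000000000)])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(Path(d))
        for url, (ver, when) in snapshot_only_urls(d).items():
            print(ver, when.isoformat(), url)
```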
Browser History Examiner (BHE) v1.23.0 supports collecting and processing Chrome and Edge snapshot data on Windows. The data is automatically deduplicated as it’s loaded into BHE. Snapshot data can also be recovered from Volume Shadow Copies on Windows using BHE, potentially providing access to further historical data that otherwise wouldn’t be available.