Investigating web history in the new Edge Chromium browser

27 January 2020
On January 15th, 2020 Microsoft released the first stable version of their Chromium-based Edge web browser. It is compatible with Windows 7, 8, 8.1, 10 and macOS.

Edge joins a long list of web browsers based on the open-source Chromium browser, most notably Chrome. This means Edge now stores browsing history in an almost identical format to Chrome. On Windows 10 the Edge profile is typically in the following location:

C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default

We used SQLite Examiner to compare all SQLite databases created by the latest stable versions of Edge and Chrome and the only notable differences were within the Web Data SQLite database.

The Web Data database stores various autofill data such as HTML form entries. In a previous article we discussed how it was possible to link form history to web page URLs, and therefore get even more value from these artefacts.

Chrome currently stores autofill data as plain text in VARCHAR columns, but we can see that Edge is storing them in BLOB columns.



We were able to confirm this change is due to Edge encrypting autofill data before storing it in the Web Data database. The encryption method is the same as Chrome uses for encrypting passwords and cookie contents. On Windows, this is done using the Data Protection API (DPAPI). At the moment it’s not clear if Chrome or other Chromium-based browsers will follow Edge by encrypting autofill data. If so, this is an important artefact that will become much more difficult to access.

One of the features unique to the new Edge browser is Internet Explorer mode (IE Mode). This allows you to open a web page in Edge that renders using Internet Explorer.



We did some testing to confirm what artefacts are created by IE Mode, and found that pages rendered in IE Mode were recorded in both Edge and Internet Explorer web history.



Therefore, during investigations you may find Internet Explorer history even if Edge is the only browser that has been used.

Browser History Examiner and our free tools have now been updated to support the new Chromium-based Edge browser. The old version of Edge is still supported, therefore if you are analysing a machine that contains history from both the old and new versions of Edge, then our tools will capture and load history from both versions.

Visit our Downloads page for a free trial of Browser History Examiner.

Comparing SQLite schemas across multiple databases

    Prev Post

Cyber Challenge Walkthrough - Apr 2020

Next Post