Chromium-Based Microsoft Edge From A Forensic Point Of View

Forensic Focus - Articles

by Oleg Skulkin & Svetlana Ostrovskaya

Recently Microsoft finally released the Chromium-based version of Edge Browser, so it seems we’ll miss ESE databases soon (not). Of course, it may have a similar set of forensic artifacts to Chromium or Chrome, but we must check it anyway. What’s more, the browser is available not only for Windows, but also for macOS, Android and iOS. 

On Windows, Edge data is available under the following location:

C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default

Let’s start with bookmarks, or “favorites”. They are stored in a JSON file with the same name – Bookmarks. You can open it with any text editor. The timestamps are stored in WebKit format – a 64-bit value counting microseconds since Jan 1, 1601 00:00 UTC.
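As an added example (not code from the original article), the script below walks a Bookmarks file and converts each WebKit timestamp to UTC. The field names `roots`, `children`, `type`, `url`, `name` and `date_added` follow the Chromium bookmark file layout and are an assumption here, since the article does not list them; the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the Chromium bookmark layout (not data from a real profile).
SAMPLE = """
{"roots": {
  "bookmark_bar": {"type": "folder", "name": "Favorites bar", "children": [
    {"type": "url", "name": "Example", "url": "https://example.com/",
     "date_added": "13223520000000000"},
    {"type": "folder", "name": "Work", "children": [
      {"type": "url", "name": "Intranet", "url": "https://intranet.example/",
       "date_added": "13223651400000000"}]}]},
  "other": {"type": "folder", "name": "Other favorites", "children": []}
}}
"""

def webkit_to_utc(value):
    """WebKit time (microseconds since 1601-01-01 00:00 UTC) -> aware datetime, None if unset."""
    micros = int(value or 0)
    return WEBKIT_EPOCH + timedelta(microseconds=micros) if micros > 0 else None

def walk(node, path=()):
    """Yield (folder_path, name, url, added_utc) for every URL entry below node."""
    if node.get("type") == "url":
        yield ("/".join(path), node.get("name", ""), node.get("url", ""),
               webkit_to_utc(node.get("date_added")))
    for child in node.get("children", []):
        yield from walk(child, path + (node.get("name", ""),))

def parse_bookmarks(text):
    """Return all favorites sorted by the time they were added (unset times first)."""
    rows = []
    for root in json.loads(text).get("roots", {}).values():
        if isinstance(root, dict):  # skip non-folder values stored beside the roots
            rows.extend(walk(root))
    return sorted(rows, key=lambda r: r[3] or WEBKIT_EPOCH)

if __name__ == "__main__":
    for folder, name, url, added in parse_bookmarks(SAMPLE):
        print(added.isoformat() if added else "-", folder, name, url, sep=" | ")
```

To run it against an acquired profile, pass the contents of a working copy of the Bookmarks file to `parse_bookmarks` instead of `SAMPLE`.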

Cache is stored in the Cache subfolder and consists of an Index file (index), Data Block files (data_#) and data files (f_######)…
