Browsers and applications generate extensive artifacts on Windows systems. These artifacts store information about user activity, communication, downloads, logins, searches, installed software, and sometimes even deleted activity. Because users spend most of their time interacting with browsers and applications, these artifacts are critical for reconstructing behavior during a forensic investigation.

This chapter covers the major browser artifacts (Chrome, Edge, Firefox) and common application-level artifacts that hold valuable forensic evidence.

Importance of Browser & Application Artifacts

Browser and application data helps investigators determine:

Websites visited
Search history
Login activity
Downloaded files
Installed extensions or plugins
Communication history
Cloud sync activity
Application execution patterns
Cached content and cookies
Malware interactions

These artifacts often reveal a user’s intent and actions more clearly than system logs or registry entries alone.

Browser Artifacts

Google Chrome Artifacts

Default Location:
C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\

Important Chrome artifacts:

1. History

Stored in an SQLite database:
History

Contains:

URLs visited
Visit timestamps
Referrer URLs
Typed URLs
Page transition types
Download links

2. Cookies

Stored in:
Cookies

Contains:

Session tokens
Authentication cookies
Persistent tracking cookies

Cookies often confirm logins even if browser history is deleted.

3. Cache

Location:
Cache/ and Code Cache/

Contains:

Saved images
Web content fragments
Cached scripts

Cache can reveal visited content even without history.

4. Downloads

Stored in:
History → Downloads table

Includes:

Downloaded file names
Source URLs
Timestamps
File path
Download success or failure

5. Login Data

Location:
Login Data

Encrypted database containing:

Saved usernames
Password hints
Login timestamps

Password decryption requires system-level access.

6. Extensions

Location:
Extensions/

Contains metadata about:

Installed extensions
Malicious add-ons
Data stolen through extensions

Microsoft Edge / Internet Explorer Artifacts

Default Location:
C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Default\

Artifacts are similar to Chrome because both are Chromium-based.

Key artifacts:

History
Cookies
Cache
Downloads
Top Sites
Preferences
Favicons
Autofill data

Legacy Internet Explorer artifacts include:

WebCacheV01.dat
Temporary files
Legacy cookies
Index.dat (older systems)

Mozilla Firefox Artifacts

Default Location:
C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\

Key Firefox artifacts:

1. Places.sqlite

Contains:

History
Bookmarks
Visit timestamps

2. Cookies.sqlite

Stores all cookies.

3. Cache2 Folder

Contains cached web content.

4. Form History

Stored in:
formhistory.sqlite

Includes autocomplete, form submissions, and login attempts.

5. Downloads.sqlite

Contains download records.

6. Add-ons & Extensions

Firefox extensions can store additional artifacts.

Application Artifacts

Apart from browsers, many applications generate high-value forensic evidence.

Messaging Applications

WhatsApp Desktop

Location:
C:\Users\<User>\AppData\Roaming\WhatsApp\

Artifacts include:

Chat logs
Media files
Session data
Phone sync status

Telegram Desktop

Location:
C:\Users\<User>\AppData\Roaming\Telegram Desktop\

Contains:

Cache files
User profiles
Chat histories

Discord

Location:
C:\Users\<User>\AppData\Roaming\discord\

Artifacts:

Channel activity
Direct messages
Cached images
Tokens

Email Applications

Outlook

Outlook stores emails in:

.OST (cached mailbox)
.PST (local mailbox)

Location:
C:\Users\<User>\AppData\Local\Microsoft\Outlook\

Artifacts include:

Emails
Attachments
Calendar entries
Contact lists
Deleted email remnants

Office Suite Artifacts

Microsoft Office products store:

Recent document lists
Template usage
Auto-save files
Temporary backup files

Locations include:

C:\Users\<User>\AppData\Roaming\Microsoft\Office\Recent\

These reveal:

Documents opened
Editing patterns
File movement
Unsaved versions

Cloud Sync Applications

OneDrive

Location:
C:\Users\<User>\AppData\Local\Microsoft\OneDrive\

Artifacts include:

Synced files
Sync logs
File version history
Deletion logs

Google Drive

Location:
C:\Users\<User>\AppData\Local\Google\DriveFS\

Artifacts:

Cached data
File sync history
Activity logs

Cloud apps often reveal data exfiltration attempts.

Multimedia & File-Sharing Apps

VLC

Stores:

Recently played media
Network stream URLs

BitTorrent Clients

Artifacts include:

Torrent files
Magnet links
Partial downloads
Transfer logs

Useful for piracy or suspicious file distribution investigations.

Malware & Suspicious Application Artifacts

Malware often leaves traces in:

AppData\Local
AppData\Roaming
Temp folders
Browser extensions
Scheduled tasks
Startup registry keys

Analyzing application folders helps identify:

Persistence mechanisms
Dropped payloads
Logs tampered by malware

Analysis Techniques

1. Compare Browser Data With System Logs

Correlate:

Visit timestamps
Download times
Login events

with Windows Event Logs and Prefetch.

2. Recover Deleted Browser Data

SQLite records often leave remnants even after deletion.

3. Timeline Construction

Combine:

Browser history
Cache timestamps
Download logs
Application logs

to build a full activity timeline.

4. Look for Suspicious Extensions

Extensions often serve as spyware or data stealers.

5. Analyze Cache for Deleted Content

Even if the user clears history, cache often remains.

Summary

Browser and application artifacts provide deep insights into user actions, browsing history, communication patterns, downloads, cloud sync activity, and malware behavior. Collecting and analyzing artifacts from Chrome, Edge, Firefox, messaging apps, Office tools, and cloud applications is essential for reconstructing events during an investigation. These artifacts often reveal the most direct evidence of user intent, data access, and suspicious or malicious activity.