Blog >> 360 Secure Browser

Investigating 360 Secure Browser

08/07/2022 Friday

360 Secure Browser is based on the Chromium project. It was first released in September 2008 by Qihoo. The company claims that 360 Secure Browser is the safest browser in the world, and it is the second most popular web browser in China.

Digital Forensics Value of 360 Secure Browser Artifacts

Analysis of program executions is essential to digital forensics and incident response investigations, such as in tracing malware and detecting anti-forensic tools. UserAssist artifact provides valuable information that helps in identifying the presence and execution history of malicious programs on a system even after deletion.

Location and Structure of 360 Secure Browser Artifacts

When 360 Secure Browser is installed, a folder named “360se6” is created under the C:\Users\<Username>\AppData\Roaming directory. All user related activities such as cache, autofill, bookmarks, cookies, and logins are stored under this folder. The majority of 360 Secure Browser artifacts are maintained within SQLite database files.

Analyzing 360 Secure Browser Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract 360 Secure Browser artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select 360 Secure Browser artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the 360 Secure Browser artifacts in ArtiFast.

360 Secure Browser Artifacts
The artifact contains information related to 360 Secure Browser. The details you can view include:

360 Secure Browser Autofill: Information about the values that the user has saved to fill in fields at a later date and time

• Created Date/Time - The date and time when the autofill was first created.
• Name - The name of the field to fill in.
• Value - The value to perform the fill in with.
• Count - Count The number of times that the autofill has been used.
• Last Used Date/Time - The last time the autofill was used.

360 Secure Browser Autofill Profiles: Information about the profiles that are used to represent a person

• Last Modified Date/Time - The last date and time that the person modified the profile.
• Name - The name that the person goes by or uses.
• Email - The email address to use to contact the person.
• Telephone Number - The telephone number to use to contact the person.
• Company Name - The company the person works at.
• Street Address - The address of the person.
• City - The city that the person lives in.
• State - The state or province that the person lives in.
• Zipcode - The ZIP Code that the person lives in.
• Country Code - The country that the person lives in.

360 Secure Browser Cookies: Information about the cookies saved to the browser

• Created Date/Time - The date and time that the cookie was created.
• Host - The host that created the cookie.
• Name - The name of the cookie.
• Value - The cookie value.
• Accessed Date/Time - The date and time that the cookie was last accessed.
• Expiration Date/Time - The date and time that the cookie expires.
• Is Secure - Indicates whether the connection is secure or not.
• Is Http Only - Indicates whether the browser supports HttpOnly or not.

360 Secure Browser Downloads: Information about the files that have been downloaded by the user

• Start Date/Time - The date and time when the download was started.
• File Name - The name of the file being downloaded.
• Download Source - The source URL where the file was downloaded from.
• Saved To - The local file location.
• State - The current state of the download.
• Danger Type - Indicates the level of how dangerous the downloaded file is.
• Interrupt Reason - Indicates the reason the downloaded file was interrupted.
• Is Opened - Indicates whether the downloaded file was opened by the user.
• End Date/Time - The date and time when the download finished.
• Bytes Downloaded - The number of bytes download.
• File Size - The size of the file in Bytes.

360 Secure Browser FavIcons: Information about the icons that belong to common webpages the user goes to.

• Last Updated Date/Time - The date and time when the Icon URL was last updated.
• Page URL - The URL of the webpage.
• Icon URL - The URL to the icon image.

360 Secure Browser Keyword Search Terms: Information about the Keword Terms that the user searched about.

• Keyword Search Term - The keyword that was searched.
• URL - The URL that was invoked because of the search.

360 Secure Browser Saved Credit Cards: Information about the credit cards information the user has saved

• GUID - The identifier of the credit card.
• Name on Card - The name on the credit card.
• Card Number - The number of the credit card.
• Modified Date/Time - The date and time when the credit card information was last modified.
• Expiry Date - The date the credit card is supposed to expire.
• Use count - Count The number of times that it has been used.

360 Secure Browser Top Sites: Information about the top visited websites by the user.

• URL - The URL to the webpage.
• Title - The title of the webpage.
• Redirects - Displays the redirection URL which contains the frequently used file path and parameters
• Last Updated Date/Time - The last time that the information for the top site was updated.
• Rank - Displays an integer according to its arrangement from the most visited.

360 Secure Browser Shortcuts: Information about the shortcuts used by 360 Secure Browser for user entered URLs.

• Original Search Query - The original search query entered by the user.
• Search Term - The search term as interpreted by the browser.
• URL - The URL of the shortcut.
• Last Access Date/Time - The last access time of the shortcut.
• Web Page Title - The title of the webpage.
• Times Used - The number of times that the shortcut has been used.
• Transition - Describes how the browser navigated to this URL.
• Type - The type of shortcut.

360 Secure Browser Web History: Information about the the websites the user has gone to

• Title - The title of the webpage
• URL - The URL that was accessed by the user.
• Visited Date/Time - The date and time that the URL was last visited.
• Typed Count - The number of times that the user has manually typed the web site URL.
• Transition - Describes how the browser navigated to this URL.
• Visit Source - The source of the visit.

360 Secure Browser Current Session: Information about the sessions that are currently in use by the browser.

• Tab URL - The webpage URL
• Tab Title - The title of the webpage.
• Date Visited - The date and time that the URL was last visited.

360 Secure Browser Current Tabs: Information about all of the open tabs in the browser.

• Tab URL - The webpage URL
• Tab Title - The title of the webpage.
• Date Visited - The date and time that the URL was last visited.

360 Secure Browser Last Session: Information about all of the sessions that were last open.

• Tab URL - The webpage URL
• Tab Title - The title of the webpage.
• Date Visited - The date and time that the URL was last visited.
• Referrer URL - The URL to use to redirect.

360 Secure Browser Last Tabs: Information about all the tabs that were last open

• Tab URL - The webpage URL
• Tab Title - The title of the webpage.
• Date Visited - The date and time that the URL was last visited.
• Referrer URL - The URL to use to redirect.

360 Secure Browser Bookmarks: Information about all of the bookmarks saved by the user

• Created Date/Time - The date and time that the bookmark was created
• Last Modified Date/Time - The date and time that the bookmark was last modified
• Bookmark Name - The name used for this bookmark
• URL - The URL for the bookmarked website
• Bookmark Type - Indicates whether the bookmark is a folder or not

360 Secure Browser Cache: Information about all of the cache files saved by this browser

• HTTP Content - The HTTP content of this cache
• Content Type - The type for this cache content
• key - The URL of the webpage for that cache
• File Name - The title of the website
• Content Size - The size of this cache in bytes
• Is Dirty - Indicates whether this cache is dirty or not
• Long Key Data - The long key data of this cache
• Payload - The path of this cache file
• Refetch Count - The number of times that cache has been refetched
• Reuse Count - The number of times that cache has been used
• State - The state of this cache
• Creation Time - The date and time that this cache was created
• Cache Entry Last Modified Time - The date and time that this cache was last modified
• Cache Entry Last Used Time - The date and time that this cache was last used

For more information or suggestions please contact: ummulkulthum.wambai@forensafe.com