Edge Chromium Blog

Investigating Edge Chromium Web Browser

19/05/2021 Wednesday

Microsoft Edge is a cross-platform web browser developed by Microsoft. It is known for its high speed, improved security, reading mode, tracking prevention, lightweight. It is also known for providing an organized and easy environment for its users with the integrated Microsoft 365 and Collections feature. The web browser is available for desktop (Windows, macOS, and Linux) and mobile devices (Android and iOS).

Digital Forensics Value of Edge Chromium Artifacts

Web browsers’ data can be critical to a digital investigation since they serve as a user's window and access point to the web and the rest of the world. Web browsers have become part of our daily lives, thus, they can reveal a significant amount of information about a user’s internet activities, synced devices, and accounts. As it stores data of every website visited, every search conducted, every image viewed, and so much more.

Location of Edge Chromium Artifacts

Edge Chromium web browser stores its files and folders at the following location:

C:\Users\%username%\AppData\Local\MicrosoftEdge\User\%profilename%.default

Structure of Edge Chromium Artifacts

The structure of files containing Edge Chromium web browser artifacts is SQLite Databases, each contains multiple tables with information regarding the users’ actions on the software; however, some of the artifacts are stored within JSON files such as Edge bookmarks.

Analyzing Edge Chromium Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract Edge Chromium artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select Edge Chromium artifacts:

ArtiFast can analyze Edge Chromium autofill, autofill profiles, bookmarks, cache, collection, cookies, credit cards, current session, current tabs, downloads, extensions, extension cookies, favicons, history, last session, last tabs, logins, shortcuts, search terms, site engagement, top sites, and visits. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once ArtiFast parser plugins complete processing the artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Edge Chromium artifacts in ArtiFast software.

Edge Chromium Autofill Artifact

Microsoft Edge Chromium Autofill contains all of the values that the user has saved to fill in fields at a later date and time. The details you can view include:

Creation Date/Time - The date and time when the autofill was created.
Last Used Date/Time - The date and time when the autofill was used.
Field Name - The name of the field to fill in.
Field Value - The value typed by the user.
Count - Indicates the number of times the input was used.

Edge Chromium Autofill Profiles Artifact

Microsoft Edge Chromium Autofill Profiles contains profiles that are used to represent a person. The details you can view include:

Last Modified Date/Time - The last date and time a profile was modified.
Last Used Date/Time - The last date and time a profile was used.
Name - The name the person goes by or uses.
Email - The email address of the person.
Phone Number - Phone number of the person.
Company - The company the person works at.
Address - The person’s address.
City - The city the person lives in.
State - The state or province the person lives in.
Zipcode - The zip code the person lives in.
Country Code - The country the person lives in.
Use Count - Number of times profile used.

Edge Chromium Bookmarks Artifact

Microsoft Edge Chromium Bookmarks are the shortcuts to the favorite and bookmarked webpages. It contains information such as:

Added Date/Time - The date and time when the bookmark was added.
Modified Date/Time - The date and time when the bookmark was modified.
URL - The URL of the bookmarked webpage.
Bookmark ID - The bookmark ID.
Type - The type of the bookmark.
Bookmark Title - The title of the bookmark.
Thumbnail - The bookmark thumbnail.

Edge Chromium Cache Artifact

This artifact contains the cached entries in the Edge Chromium web browser. Edge Chromium Cache information includes:

Creation Date/Time - The date and time when the cached entry was created.
Cache Entry Last Used Date/Time - The date and time when the cached entry was last used.
Cache Entry Last Modified Date/Time - The date and time when the cached entry was last modified.
Reuse Count - The number of times the use used the cache file.
State - The state of the cache file.
Key - Represents the profile picture URL.
Content Size - The size of the cache file.
Content Type - The type of cache file.
File Name - Represents the cache file name.
Payload - Indicates the cache storage location.
Is Dirty - Indicates whether is dirty.
Refetch Count - Indicates the number of times the cached entry was refetched.
Long Key Data - Cache long key data.
HTTP content - HTTP header contents.

Edge Chromium Collections Artifact

Microsoft Edge Chromium stores information about collections. The details you can view include:

Date/Time Item Created - The date and time an item was added.
Date/Time Item Modified - The date and time an item was last modified.
Date/Time Collection Created - The date and time collection were created.
Date/Time Collection Modified - The date and time collection were last modified.
Item Title - Title name of the item.
Collection Title - Title name of the collection.
Item URL - URL of the item.
Website Name - Website name of the item.
Favicon URL - The URL of the favicon for the item.
Canonical Image URL - URL of the canonical image for the item.
Text Content - Some text contained in the item.
Item Type - Type of the item.
Is Syncable - Is the item syncable.
Last Sync Date/Time - The date and time an item was last synced.

Edge Chromium Cookies Artifact

Microsoft Edge Chromium Cookies contains information about all of the cookies saved to the browser such as:

Creation Date/Time - The date and time when the cookies were created.
Expiration Date/Time - The Date/Time when the extension cookie will expire if it was set to expire.
Last Access Date/Time - The Date/Time when the cookie was last accessed.
Host - The host name of the cookies.
Name - The name of the cookies.
Value - The value of the cookies.
Path - The path to the cookies.
Is Secure - Indicates whether the connection is secure.
Is HTTP Only - Indicates whether the browser supports HttpOnly.

Edge Chromium Credit Cards Artifact

Microsoft Edge Chromium Credit Cards contains all of the credit card information the user has saved. The details you can view include:

Last Used Date/Time - The date and time when the credit card information was last used.
Expiration Date/Time - The date and time when the credit card expires.
Last Modified Date/Time - The date and time when the credit card information was last modified.
Card Name - The name of the credit card holder.
Origin - The origin of the credit card information.
Card Number - The credit card number.
Use Count - The number of times the card was used.

Edge Chromium Current Session Artifact

This artifact stores the browser's current available active session information from Edge Chromium web browser such as:

Date/Time Visited - The date and time when the webpage is visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Type - Describes the cause of the navigation to the desired URL.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

Edge Chromium Current Tabs Artifact

This artifact stores the multiple open tabs in the current available active session information from Edge Chromium web browser such as:

Date/Time Visited - The date and time when the webpage is visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Transition Type - Describes the cause of the navigation to the desired URL.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

Edge Chromium Downloads Artifact

Microsoft Edge Chromium Downloads contains information about the downloaded files from Edge Chromium web browser. The details you can view include:

Start Date/Time -The date and time the download started.
End Date/Time - The date and time the download ended.
File Name - The name of the downloaded file.
Path - The absolute path on the device to the downloaded file.
Received Bytes - The downloaded bytes.
Download Source - The file download URL.
URL Chain - The file download URL chain.
Total Bytes - The download total bytes.
State - It indicates the state of the downloaded item (Download Complete, Download in Progress/Paused, Download Failed and Download Interrupted/Cancelled).

Edge Chromium Extension Artifact

This artifact contains the extension information from Edge Chromium web browser. The details you can view include:

Installation Date/Time - The date and time when the extension was installed.
Long Name - Name and short description of the extension.
Short Name - The name of the extension.
Description - The description of the extension.
Extension Path - Indicates the extension installation location.
State - Indicates whether the extension is enabled or disabled.
Version Number - The extension version number.
Installed By Default - Indicates whether it is installed by default.
Installed By OEM - Indicates whether it is installed by OEM.

Edge Chromium Extension Cookies Artifact

Edge Chromium stores the cookies used by the extensions. The details you can view include:

Creation Date/Time - The date and time when the extension cookies were created.
Expiration Date/Time - The Date/Time when the extension cookie will expire if it was set to expire.
Last Access Date/Time - The Date/Time when the cookie was last accessed.
Host - The host name of the cookies.
Name - The name of the cookies.
Path - The path to the cookies.
Value - The value of the cookies.
Encrypted Value - The value of the cookies encrypted.
Is HTTP Only - Indicates whether the browser supports HttpOnly.
Is Secure - Indicates whether the connection is secure.

Edge Chromium Favicons Artifact

Edge Chromium Favicons stores all the small icons associated with a particular webpage that the user has favorited. The details you can view include:

Last Update Date/Time - The icon last update date and time.
Page URL - The page URL.
Icon URL - The Icon file URL.

Edge Chromium History Artifact

The Edge Chromium History artifact contains information about the visited URLs from Edge Chromium browser profile. The details you can view include:

Last Visit Date/Time - The date and time when the webpage was last visited.
URL - The URL of the webpage.
Title - The title of the visited webpage.
Visit Count - The number of times that the user has visited the webpage.
Typed Count - The number of times that the user has manually typed the web webpage URL.
Is Hidden - Indicates whether the webpage is hidden.

Edge Chromium Last Session Artifact

This artifact stores the browser’s previous session information from Edge Chromium web browser. The details you can view include:

Date/Time Visited - The date and time when the webpage was last visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Transition Type - Describes the cause of the navigation to the desired URL.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

Edge Chromium Last Tabs Artifact

This artifact stores the multiple open Tabs in the browser's last session from Edge Chromium web browser. The details you can view include:

Date/Time Visited - The date and time when the webpage was last visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Transition Type - Describes the cause of the navigation to the desired URL.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

Edge Chromium Logins Artifact

This artifact stores a user’s login information. The details you can view include:

Creation Date/Time - The date and time when the data was stored.
Last Used Date/Time - The date and time the login credentials were last used.
Action URL - Login URL of the website.
Origin URL - Origin page URL.
Username Element - Username HTML element.
Username - The username value.
Black Listed - Indicates that the password is not saved for this item.
Password Element - Password HTML element.
Password - The password value.
Signon Realm URL– The Sign on realm URL.
Times Used - Number of times used.

Edge Chromium Search Terms Artifact

This artifact stores the user entered search terms. The details you can view include:

Last Visit Date/Time - The date and time when the webpage was last visited.
Search URL - The URL that was invoked because of the search.
Term - The keyword that was searched.
Page Title - The title of the invoked webpage.
Visit Count - The number of times that the user accessed the URL.

Edge Chromium Shortcuts Artifact

This artifact contains the Shortcuts from Edge Chromium web browser. The details you can view include:

Last Access Date/Time - The last access date and time of the webpage.
URL - The URL of the shortcut.
Search Term - The search term as interpreted by the browser.
Original Search Query - The original search query entered by the user.
Web Page Title - The title of the webpage.
Transition - Describes the cause of the navigation to the desired URL.
Hits - Hits of the shortcut.
Type - Shortcut type.

Edge Chromium Site Engagement Artifact

This artifact stores information on the user interaction with site. The details you can view include:

Last Engagement Date/Time - The last date and time a user engaged with the webpage.
Last ShortcutLaunch Date/Time - The last date and time user has launched the site through shortcut.
Last Modified Date/Time - The last date and time data was modified.
Website URL - The URL of website visited.
Raw Score - The score based on activity and usage.

Edge Chromium Top Sites Artifact

This artifact stores information about a user’s most frequently visited web pages such as:

URL - The URL to the webpage.
Title - The title of the webpage.
URL Rank - Indicates the order of the most visited webpage.
Redirects - Displays the redirection URL which contains the frequently used file path and parameters.

Edge Chromium Visits Artifact

This artifact contains information of all visit dates with their URLs. The details you can view include: