UC Blog

Investigating UC Web Browser

29/06/2021 Tuesday

UC Browser is a web browser developed by mobile internet company UCWeb. UC Browser is known for providing a fast, secure, video streaming, high-speed downloads, and an ad-free browsing experience. It is an easy-to-use and simple web browser. It is available for desktop (Windows and macOS) and mobile devices (Android and iOS).

Digital Forensics Value of UC Artifacts

Web browser data can be critical to a digital investigation since they serve as a user's window and access point to the World Wide Web and the rest of the world as well. Web browsers have become part of our daily lives thus, they can reveal a significant amount of information about a user’s internet activities, synced devices, and accounts. As it stores data of every website visited, every search conducted, every image viewed, and so much more.

Location of UC Artifacts

UC web browser creates individual folders (profiles) for each user at the following location:
C:\Users\%username%\AppData\Local\UCBrowser\User Data_i18n\%profilename%.default

Structure of UC Artifacts

The majority of UC web browser artifacts are maintained within SQLite database files, each contains multiple tables with information regarding the users’ actions on the software. Such as UC autofill, history, and downloads; however, some of the artifacts are stored within JSON files such as UC bookmarks.

Analyzing UC Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to extract UC browser artifacts from Windows machines and what kind of digital forensic insights can be gained from the artifacts.

After you have created your case and added evidence for the investigation at the Artifact Parser Selection Phase, you can select UC web browser Artifacts:

ArtiFast can analyze UC Autofill, Autofill Profiles, Bookmarks, Cache, Cookies, Current Session, Last Session, Downloads, Favicons, History, Logins, Shortcuts, Search Terms, Site Engagement, Top Sites, Visits, Credit Cards, and Omnibox. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once ArtiFast parser plugins complete processing artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of UC artifacts in ArtiFast software.

UC Autofill Artifact

The artifact contains all of the values that the user has saved to fill in fields at a later date and time. The details you can view include:

Creation Date/Time - The Date/Time when the autofill was created.
Last Used Date/Time - The Date/Time when the autofill was used.
Field Name - The name of the field to fill in.
Field Value - The value typed by the user.
Count - Indicates the number of times the input was used.

UC Autofill Profiles Artifact

The artifact contains all of the profiles that are used to represent a user. The details you can view include:

Last Modified Date/Time - The Date/Time that the profile was last modified.
Last Used Date/Time - The Date/Time that the profile was last used.
Name - The name of the user.
Email - The user's email address.
Phone Number - The user's phone number.
Company - The company the person works at.
Address - The user's address.
City - The city the person lives in.
State - The state or province the person lives in.
Zipcode - The zip code the person lives in.
Country Code - The country the person lives in.
Use Count - Number of times profile used.

UC Bookmarks Artifact

UC Bookmarks are the shortcuts to the favorite and bookmarked webpages. It contains information such as:

Added Date/Time - The Date/Time when the bookmark was added.
Modified Date/Time - The Date/Time when the bookmark was modified.
URL - The URL of the bookmarked webpage.
Bookmark ID - The bookmark ID.
Type - The type of the bookmark.
Bookmark Title - The title of the bookmark.
Thumbnail - The bookmark thumbnail.

UC Cache Artifact

This artifact contains the cached entries in the UC web browser. UC Cache information includes:

Creation Date/Time - The Date/Time when the cached entry was created.
Cache Entry Last Used Date/Time - The Date/Time when the cached entry was last used.
Cache Entry Last Modified Date/Time - The Date/Time when the cached entry was last modified.
Reuse Count - The number of times the use used the cache file.
State - The state of the cache file.
Key - Represents the profile picture URL.
Content Size - The size of the cache file.
Content Type - The type of cache file.
File Name - Represents the cache file name.
Payload - Indicates the cache storage location.
Is Dirty - Indicates whether is dirty or not.
Refetch Count - Indicates the number of times the cached entry was refetched.
Long Key Data - Cache long key data.
HTTP content - HTTP header contents.

UC Cookies Artifact

The artifact contains information about all of the cookies saved to the browser such as:

Creation Date/Time - The Date/Time when the cookie was created.
Expiration Date/Time - The Date/Time when the extension cookie will expire if it was set to expire.
Last Access Date/Time - The Date/Time when the cookie was last accessed.
Host - The host domain of the cookie.
Name - The name of the cookie.
Value - The value of the cookie.
Path - The path to the cookie.
Is Secure - Indicates whether the connection is secure or not.
Is HTTP Only - Indicates whether the browser supports HTTP Only or not.

UC Credit Cards Artifact

The artifact contains all of the credit card information the user has saved. The details you can view include:

Last Used Date/Time - The Date/Time when the credit card information was last used.
Expiration Date/Time - The Date/Time when the credit card expires.
Last Modified Date/Time - The Date/Time when the credit card information was last modified.
Card Name - The name of the credit card holder.
Origin - The origin of the credit card information.
Card Number - The credit card number.
Use Count - The number of times that it has been used.

UC Current Session Artifact

This artifact stores the browser's current available active session information from UC web browser such as:

Date/Time Visited - The Date/Time when the webpage is visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Type - Describes the cause of the navigation to the desired URL.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

UC Current Tabs Artifact

This artifact stores the multiple open tabs in the current available active session information from UC Web browser such as:

Date/Time Visited - The Date/Time when the webpage is visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Transition Type - Describes the cause of the navigation to the desired URL.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

UC Downloads Artifact

The artifact contains information about the downloaded files from UC web browser. The details you can view include:

Start Date/Time - The Date/Time the download started.
End Date/Time - The Date/Time the download ended.
File Name - The name of the downloaded file.
Path - The absolute path on the device to the downloaded file.
Received Bytes - The bytes that were downloaded.
Download Source - The URL of the file that was downloaded.
URL Chain - The File download URL chain.
Total Bytes - The file size of the download.
State - It indicates the state of the downloaded item (Download Complete, Download in Progress/Paused, Download Failed and Download Interrupted/Cancelled).

UC Favicons Artifact

The artifact stores all the small icons associated with a particular webpage that the user has favorited. The details you can view include:

Last Update Date/Time - The icon last update Date/Time.
Page URL - The page URL.
Icon URL - The Icon file URL.

UC History Artifact

The artifact contains information about the visited URLs from UC browser profile. The details you can view include:

Last Visit Date/Time - The Date/Time when the webpage was last visited.
URL - The URL of the visited webpage.
Title - The title of the visited webpage.
Visit Count - The number of times that the user has visited the webpage.
Typed Count - The number of times that the user has manually typed the web webpage URL.
Is Hidden - Indicates whether the webpage is hidden.

UC Last Session Artifact

This artifact stores the browser’s previous session information from UC Web browser. The details you can view include:

Date/Time Visited - The Date/Time when the webpage was last visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Transition Type - Describes the cause of the navigation to the desired URL.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

UC Last Tabs Artifact

This artifact stores the multiple open tabs in the browser's last session from UC web browsers. The details you can view include:

Date/Time Visited - The Date/Time when the webpage was last visited.
Tab URL - The URL of the webpage.
Tab Title - The title of the webpage.
Transition Type - Describes the cause of the navigation to the desired URL.
Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
Original Requested URL - Indicates whether a redirect took a place.
Tab Id - The webpage tab Id.
Tab Index - The webpage tab index.
Transition Qualifier - Describes how the browser navigated to the desired URL.
Has Post Data - Indicates whether the webpage has POST data.

UC Logins Artifact

This artifact stores a user’s login information. The details you can view include:

Creation Date/Time - The Date/Time when the data was stored.
Action URL - Login URL of the website.
Username Element - Username HTML element.
Username - The username value.
Black Listed - Indicates that the password is not saved for this item.
Origin URL - Base URL of the webpage.
Password Element - Password HTML element.
Password - The password value.
Signon Realm URL - The Sign on realm URL.
Times Used - Number of times used.

UC Search Terms Artifact

This artifact stores the user entered search terms. The details you can view include:

Last Visit Date/Time - The Date/Time when the webpage was last visited.
Search URL - The URL that was invoked because of the search.
Term - The keyword that was searched.
Page Title - The title of the invoked webpage.
Visit Count - The number of times that the user accessed the URL.

UC Shortcuts Artifact

This artifact contains the shortcuts from UC web browser. The details you can view include:

Last Access Date/Time - The last access Date/Time of the shortcut.
URL - The URL of the shortcut.
Search Term - The search term as interpreted by the browser.
Original Search Query - The original search query entered by the user.
Web Page Title - The title of the webpage.
Transition - Describes the cause of the navigation to the desired URL.
Hits - Hits of the shortcut.
Type - Shortcut type.

UC Browser Site Engagement Artifact

This artifact stores information on the user interaction with site. The details you can view include:

Last Engagement Date/Time - The last Date/Time a user engaged with the webpage.
Last Shortcut Launch Date/Time - The last Date/Time user has launched the site through shortcut.
Website URL - The website URL.
Block Inner Ads - Block Inner Ads.
Custom Rule - Custom adblocker rule.

UC Top Sites Artifact

This artifact stores information about a user’s most frequently visited web pages. The details you can view include:

Last Update Date/Time - The last update Date/Time.
URL - The URL to the webpage.
Title - The title of the webpage.
URL Rank - Indicates the order of the most visited webpage.
At Top - At top.
Redirects - Displays the redirection URL which contains the frequently used file path and parameters.

UC Visits Artifact

This artifact contains information of all visit dates with their URLs. The details you can view include:

Visit Date/Time - The Date/Time when the webpage is visited.
Visit URL - The URL of the visited webpage.
Visit Title - The title of the visited webpage.
Visit Duration - Visit Duration in Milliseconds.
Transition - Describes how the browser navigated to this URL.
Source URL - The source URL.
Source Title - The source title.
Segment Name - The segment name.

UC Omnibox Artifact

This artifact contains information about omnibox usage. The details you can view include: