
Thursday, November 29, 2012

Searching Browser Client-Side Storage

Is there anything you don't know? Google it! Bing it! Ask Jeeves! We sometimes forget how ubiquitous internet search is in our lives - Google in particular. We use Google Maps to find our way around, we use Google's search engine to find a good restaurant, we use Google for almost everything. That's why Google is great for finding information about a wayward spouse.

Web Browser Client-Side Storage

Much of the data internet browsers retain is kept in "client-side" storage. Most browsers keep SQLite databases in the user's profile directory. From our previous discussions we know a few tricks to get information from these SQLite sources already. Grab a SQL browser and we'll dive into the rabbit hole of what's on a hard drive.

File Location - Where's it at?

Firefox:
On Win7:  C:\Users\[UserName]\AppData\Roaming\Mozilla\Firefox\Profiles\[Profile]
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[ProfileName]

Chrome:
On Win7:  C:\Users\[UserName]\AppData\Local\Google\Chrome\User Data\[Profile]
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Application Data\Google\Chrome\User Data\[Profile]

RockMelt:
On Win7:  C:\Users\[UserName]\AppData\Local\RockMelt\User Data\[Profile]

Internet Explorer (IE):
This is a different kind of beast. We'll discuss it later, but it is important to note that IE does not use a SQLite database structure.
On Win7:  C:\Users\[UserName]\AppData\Local\Microsoft\Windows\Temporary Internet Files
On WinXP:  C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files


Types of Storage

The following table is sourced from a Chrome Browser extension called Click&Clean. If their product is anywhere near as good as their chart on client-side storage - it should be excellent!

Below you can see Cookies, Local Storage, Web Databases (SQL), IndexedDB, File System, Application Cache, Flash Cookies, and Silverlight Cookies...

[Chart from Click&Clean: types of browser client-side storage]

Cookies
I know what you're saying - "But everyone blocks cookies!" True. Everyone blocks 3rd Party Cookies. These are the cookies advertisers put on your system to track your behavior. What people usually don't block are 1st Party Cookies. These are cookies that are directly linked to the domain you choose to visit with your browser. They remember what's in your shopping cart, your login info (if you authorize autofill), your browser session state, etc. These cookies are delicious.

Local Storage, Web Databases (SQL)
The real big deal is in the local storage databases on your computer. These tables track downloads, search terms, archived history of URLs visited and more. See below for the schema and descriptions of the data present.

Application Cache
Nirsoft has a cache reader for you! Chrome, Firefox, Internet Explorer, Opera included. Even (gasp) Safari.

The cache is a set of already downloaded images and media from webpages that is stored on your hard drive. The browser uses these cached elements to speed the loading of webpages. The cache readers will recover images and the URLs that reference them. You will see a lot of elements like the graphic files for navigation buttons for a site, images for headers and/or other elements of a web page. If you are lucky... You may be able to retrieve images from online dating sites, Facebook images, and thumbnails of other incriminating evidence.

I strongly recommend reviewing the cache of every browser on the computer and recovering/saving files you find. The cache is fluid and can be flushed at any time or the relevant data may be overwritten by newer cached data. 

Flash Cookies & Silverlight Cookies
I haven't found anything worth noting in Flash or Silverlight Cookies. There may be data present that is interesting to an investigator but I haven't found it yet.

Local Storage, Web Databases (SQL)

Data Schema and Relevant Files
Here's a list of databases in the user's profile directory and the tables each one contains. There are many SQLite databases as well as flat files and cache files. Different tables may be present depending on the browser (Chrome, Firefox) and the browser version.

For a complete list of data files I've encountered, go here or click on the database you want to investigate below.
  • Archived History
    • Meta
    • URLs
    • Visits
    • Visit Source
    • Keyword Search Terms
  • Cookies
    • Meta
    • Cookies
  • Extension Cookies
    • Meta
    • Cookies
  • Favicons
    • Meta
    • Favicons
    • Icon Mapping
  • History
    • Meta
    • Downloads
    • Presentation
    • URLs
    • Visits
    • Visit Source
    • Keyword Search Terms
    • Segments
    • Segment Usage
  • History Index YYYY-MM
    • Meta
    • Pages
    • Pages Content
    • Pages Segments
    • Pages SegDir
    • Info
  • Login Data
    • Meta
    • Logins
  • Shortcuts
    • Omni Box Shortcuts
  • Top Sites
    • Meta
    • Thumbnails
  • Web Data
    • Meta
    • Keywords
    • Autofill Profile
    • Autofill Profile Emails
    • Autofill Profile Phones
    • Autofill Profile Trash
    • Credit Cards
    • Web Intents
    • Keywords Backup
    • Logins
    • IE7 Logins
The following are flat files (non-database files) in the User's directory. These open with Notepad and display readable contents. 
  • Bookmarks
  • Current Session
  • Current Tabs
  • Last Session
  • Last Tabs
  • Preferences
  • Visited Links
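To show what reading the History database actually involves, here is an added Python example (it is not code from the post or from any browser vendor). It builds an in-memory database that mimics the column names of Chrome's History file (urls, visits, keyword_search_terms) and queries it the way you would query the real one: joining search terms back to their URLs, and converting Chrome's timestamps, which are microseconds since 1601-01-01 UTC rather than Unix seconds, so that a raw value like 12998620800000000 becomes a readable date. The sample rows are constructed; the table and column names are the ones Chrome uses, but any real profile may carry extra columns.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (and RockMelt, which is Chromium-based) store times as microseconds
# since 1601-01-01 UTC, the "WebKit epoch". Firefox uses microseconds since 1970.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Convert a Chrome last_visit_time / visit_time value to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime; integer arithmetic keeps it exact."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


# Constructed sample visits: (url, title, visit time, search term or None).
SAMPLE_VISITS = [
    ("https://www.google.com/search?q=sqlite+browser", "sqlite browser - Google Search",
     datetime(2012, 11, 28, 21, 15, tzinfo=timezone.utc), "sqlite browser"),
    ("https://www.nirsoft.net/", "NirSoft",
     datetime(2012, 11, 28, 21, 20, tzinfo=timezone.utc), None),
    ("https://www.google.com/search?q=firefox+profile+location",
     "firefox profile location - Google Search",
     datetime(2012, 11, 29, 8, 2, tzinfo=timezone.utc), "firefox profile location"),
]


def build_sample_history() -> sqlite3.Connection:
    """Create an in-memory database with the column names of Chrome's History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                           lower_term TEXT, term TEXT);
    """)
    for url_id, (url, title, when, term) in enumerate(SAMPLE_VISITS, start=1):
        ts = datetime_to_webkit(when)
        conn.execute("INSERT INTO urls VALUES (?, ?, ?, 1, ?)", (url_id, url, title, ts))
        conn.execute("INSERT INTO visits (url, visit_time) VALUES (?, ?)", (url_id, ts))
        if term is not None:
            # keyword_id 2 is just the constructed id of the default search engine.
            conn.execute("INSERT INTO keyword_search_terms VALUES (2, ?, ?, ?)",
                         (url_id, term.lower(), term))
    conn.commit()
    return conn


def search_terms(conn: sqlite3.Connection):
    """Search terms Chrome extracted from the q= of visited search URLs, oldest first."""
    rows = conn.execute("""
        SELECT k.term, u.url, u.last_visit_time
        FROM keyword_search_terms AS k JOIN urls AS u ON u.id = k.url_id
        ORDER BY u.last_visit_time""").fetchall()
    return [(term, url, webkit_to_datetime(ts)) for term, url, ts in rows]


def visits_on_day(conn: sqlite3.Connection, day: str):
    """Every visit on a given UTC day ('YYYY-MM-DD'), compared on the raw WebKit integers."""
    start = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    rows = conn.execute("""
        SELECT u.url, v.visit_time FROM visits AS v JOIN urls AS u ON u.id = v.url
        WHERE v.visit_time >= ? AND v.visit_time < ? ORDER BY v.visit_time""",
        (datetime_to_webkit(start), datetime_to_webkit(end))).fetchall()
    return [(url, webkit_to_datetime(ts)) for url, ts in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for term, url, when in search_terms(db):
        print(when.isoformat(), term, url)
    for url, when in visits_on_day(db, "2012-11-29"):
        print(when.isoformat(), url)
```

To run the same queries against a real profile, point sqlite3.connect at a copy of the History file (Chrome holds a lock on the live one) and keep the timestamp conversion; a visit_time that looks like 1.3e16 is the WebKit epoch, not a corrupt value.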

So.... Where do I start?

I've presented a lot of information. So naturally you want to know where the best information on web behavior is found.
  • Look into the History Index YYYY-MM, History, Archived History and Web Data databases first.
  • Get a cache reader and review what is in the cache for each browser on the computer.
Analyzing this data should help you confirm or deny your suspicions.


What's in a URL?

You are very likely to recover URLs. Sometimes these are neat and clean to read but a lot of times the URL is a jumble of variables and escaped characters.

Google Search URL
Here are some common variables you will find in a Google search string:
  • q = search term
  • as_sitesearch = searches specified domain only
  • sort = sorting parameter for results
The authoritative source for variables would be Google. They've posted a helpful, lengthy page on search parameters here.

URL Encoding - Escaped Characters
URLs often contain characters (:, /, ., etc.) which would cause problems for other parsing engines like Java or Flash. These characters are often replaced by a '%' and the two-digit hexadecimal code for the character. For example, ':' = %3A and '?' = %3F.

Here's a list of characters that are often replaced in a URL with a more script-friendly value. I generally use the substitute function in Excel to replace the hex value with the ASCII character.
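The two URL topics above (Google's search parameters and percent-escaped characters) are easier to handle in one script than in Excel's substitute function, so here is an added Python example; it is not the post's own method. It uses the standard library's urllib.parse to split a recovered URL, decode the escapes and the '+' that stands for a space in query strings, and pull out the q, as_sitesearch and sort parameters named above. It also generates the %XX table for the reserved characters, and, as an assumption beyond the post, handles the older Google URL form that carried the query in the fragment (#q=...), which parse_qs would otherwise ignore.

```python
from urllib.parse import urlsplit, parse_qs, unquote, quote

# The Google search parameters named in the post and what they mean.
GOOGLE_PARAMS = {
    "q": "search term",
    "as_sitesearch": "restrict results to this domain",
    "sort": "result sort order",
}

# Reserved characters that usually appear escaped inside a URL.
RESERVED = ":/?#[]@!$&'()*+,;= "


def percent_table(chars: str = RESERVED) -> dict:
    """Map each character to its %XX form, i.e. the substitution table the post refers to."""
    return {c: quote(c, safe="") for c in chars}


def decode_escaped(text: str) -> str:
    """Replace every %XX sequence with its character (the Excel substitute step in one call)."""
    return unquote(text)


def parse_search_url(url: str) -> dict:
    """Split a recovered URL into host, path and decoded query parameters.

    parse_qs undoes both %XX escapes and '+' for space; repeated parameters are kept
    as lists so nothing is silently dropped. Assumption: if the fragment looks like a
    query string (Google's old '#q=' form), its parameters are merged in as well."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "=" in parts.fragment:
        for key, values in parse_qs(parts.fragment, keep_blank_values=True).items():
            query.setdefault(key, []).extend(values)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "params": {k: (v[0] if len(v) == 1 else v) for k, v in query.items()},
    }


def describe_google_search(url: str) -> dict:
    """Keep only the parameters listed in GOOGLE_PARAMS, with their decoded values."""
    params = parse_search_url(url)["params"]
    return {name: params[name] for name in GOOGLE_PARAMS if name in params}


if __name__ == "__main__":
    # Constructed sample URLs of the kind recovered from a History database.
    samples = [
        "https://www.google.com/search?q=sqlite+browser%20download&as_sitesearch=nirsoft.net&sort=date&hl=en",
        "https://www.google.com/#q=chrome+user+data",
    ]
    for sample in samples:
        print(describe_google_search(sample))
    for char, code in percent_table().items():
        print(repr(char), code)
```

Repeated parameters (the same name twice) come back as a list rather than one overwriting the other, which matters when a URL has been rewritten by a redirect; and the hl=en above is left out of the summary on purpose, since only the parameters the post documents are reported.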


TL;DR - Summary

1) Find the local storage on your machine
2) Open the SQLite files with a database browser
3) Save each file as HTML, close it, and re-open it with a spreadsheet program (Excel)
4) Repeat until you've opened all the files and saved them into one workbook
5) Use the pivot table function to investigate the data
6) Have a beer
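Steps 1 to 4 above can be done in one pass. The following is an added Python script, not the post's own procedure: it walks a profile directory, identifies the SQLite files by their 16-byte header (Chrome's databases have no file extension, and flat files such as Bookmarks must be skipped), opens each one read-only so the evidence is not modified, and writes every table to its own CSV for the spreadsheet step. The demo() function builds a constructed profile in a temporary directory so the script runs offline; the file and table names in it are samples.

```python
import csv
import json
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite_file(path: Path) -> bool:
    """Sniff the header instead of trusting the name; Chrome's databases have no extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def open_readonly(path: Path) -> sqlite3.Connection:
    """Open a (copied) database without writing to it: no journal, no lock upgrades."""
    return sqlite3.connect(path.resolve().as_uri() + "?mode=ro&immutable=1", uri=True)


def table_names(conn: sqlite3.Connection):
    """User tables only, skipping SQLite's internal sqlite_* tables."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]


def export_profile(profile_dir: Path, out_dir: Path):
    """Write every table of every SQLite file directly under profile_dir to its own CSV.

    Returns [(file name, table, row count)] so the caller can see what was exported."""
    out_dir.mkdir(parents=True, exist_ok=True)
    summary = []
    for path in sorted(p for p in profile_dir.iterdir() if p.is_file() and is_sqlite_file(p)):
        conn = open_readonly(path)
        for table in table_names(conn):
            quoted = '"' + table.replace('"', '""') + '"'  # table names cannot be bound parameters
            cur = conn.execute(f"SELECT * FROM {quoted}")
            rows = cur.fetchall()
            target = out_dir / f"{path.name}__{table}.csv"
            with target.open("w", newline="", encoding="utf-8") as fh:
                writer = csv.writer(fh)
                writer.writerow([col[0] for col in cur.description])
                writer.writerows(rows)
            summary.append((path.name, table, len(rows)))
        conn.close()
    return summary


def demo():
    """Constructed profile: one SQLite 'History' file plus a flat-file 'Bookmarks' that must be skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Default"
        profile.mkdir()
        db = sqlite3.connect(str(profile / "History"))
        db.executescript("""
            CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT);
            INSERT INTO urls (url, title) VALUES ('https://www.nirsoft.net/', 'NirSoft');
            INSERT INTO urls (url, title) VALUES ('https://sqlitebrowser.org/', 'DB Browser for SQLite');
        """)
        db.commit()
        db.close()
        # Chrome's Bookmarks is JSON text, not a database; the header check leaves it alone.
        (profile / "Bookmarks").write_text(json.dumps({"roots": {}}), encoding="utf-8")
        csv_dir = Path(tmp) / "csv"
        summary = export_profile(profile, csv_dir)
        exported = sorted(p.name for p in csv_dir.iterdir())
        return summary, exported


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

On a real system, copy the profile directory first (step 1) and run export_profile against the copy; the live History and Cookies files are locked while the browser is open, and working on a copy also keeps the original's timestamps intact.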

V/r - DNS

Thursday, June 7, 2012

Structure

So you have 1,000 emails, a 500,000 line file full of chats, 30,000 transactions from your cellphone bill, and credit card statements going back six years... What does it mean?

Structure Your Data

Just a thought for today... When compiling forensic data it is important to make it human readable. This isn't just to help those who aren't tech savvy. It is to help consolidate and present information in a coherent manner so it is more readily comprehensible. Isn't that what we're doing at the Betrayed Spouses Club when we look at digital data? We're not only finding information we didn't have (or didn't want to see), we are trying to comprehend it. We are trying to put some structure into a subject matter that had suddenly and unexpectedly jumped from our subconscious insecurities into the ever-present lugubrious spotlight of our daily lives. For me, personally, no matter how badly my wife and I were getting along I never thought I would be a member of this club. It was so horribly unfathomable that I find myself wondering which way is up more days than not. My search for the truth is paired with my need to structure it. I need the facts and a structure with which I can begin to comprehend them. That is why I took some time to write this post.

Mise en Scène

An important part of understanding "what" is to not take it out of context. Nobody lives in a vacuum. External events can be a frame of reference that can help with comprehension. I identified several events which could impact the decisions that were made by my wayward spouse.

It's important here to remember that no one can make someone cheat... No matter what happens the wayward spouse's decisions are their own. That said, the events which may have influenced those decisions can't be ignored. First, it can help you come to terms with what actually happened. Second, if you do try to reconcile, you will need to find and fix the vulnerabilities in your marriage, such as poor stress coping skills, communication issues, lack of emotional support, etc.

Here are some of my events.
  • Holidays
  • My wife's birthdays
  • Big arguments over money
  • My spouse's mental condition
  • A death in the family
  • My diagnosis with cancer
  • Losing my job and health benefits

I plot these on the same structure along with milestones I found in my conversations with my spouse and my search for digital information. Here are a few.
  • Meet-ups with the other people
  • Calls, texts, chats, pic/video to the other people
  • Initiating a new relationship with another person

The Timeline

A chronological structure can begin to help you fit the puzzle pieces together. There are a few options: calendars, timelines and Gantt charts are what I'll cover here.

Calendar

To start, begin adding the data that you've collected which identify external events and events during the affair(s). I wouldn't recommend going to such detail as to record every text sent or received. You will need to stay at a high level of detail to make sure the calendar doesn't become cluttered and unreadable.

Tools


Timelines

Timelines offer an advantage over the calendar because they can manage the duration component of your data more effectively. The duration could be the time your spouse has associated with one other person or another, or it could help identify times where your spouse was well-behaved and acted with the appropriate respect for your marital vows. The basic structure of a timeline is a big arrow signifying time moving from a discrete point in the past and moving forward. Single events are marked as bullets, or milestones, along the path. Events with a duration can be listed with a callout (bracket) that is large enough to cover the span of time in the duration. This makes a better visual representation than a basic calendar and provides quick reference to the concept of duration.

Tools


Gantt Chart

A Gantt Chart is a project planning tool from the IT world. It's supposed to let a project planner identify tasks and events which need to occur on the timeline of a project. Additionally, resources needed for the project, costs, materials, dependencies, and all other sorts of project information can be associated with the tasks. The project manager can use it to keep his eye on the dizzying amount of data that is needed to ensure the project gets completed to spec. Now, this isn't a PMP certification blog so that's as far as I'm going to go in the proper use of the Gantt Chart. What it does well that suits our purposes is manage lots of information related to events, the duration of activities, and dependencies on external events.

I prefer the Gantt Chart to an ordinary timeline for a couple of reasons. First, you can add a lot of detail. A normal timeline would get fairly cluttered when a lot of detail is added. Second, you can roll up activities into a parent task. This is really handy when you are working with a complex data set like figuring out WTF happened to your life to make it go to sh*t.

Tools

  • Microsoft Project ($$$$$)
  • Microsoft Visio ($$$)
  • GanttProject ($0)

Thematic Analysis

This approach takes the events you have compiled and places them in relation to a key concept. A key concept may be "arguments" or "business trips" or "health/getting older" or whatever you and your spouse feel are major influences on the affair(s). You will need to spend some time to classify or label your events with the appropriate concepts. Once you are done, you can begin to see how these themes correlate to the behavior leading to affairs. For example, you find that your spouse is out late at the local meat market club on weekends (event) when they had a health scare (theme), birthday (theme), or a close friend passed (theme). You will be able to cut through the noise of too much data to see the relationship between theme and event. If you're lucky, you just may be able to find a better understanding of their decisions and perhaps some hope by finding something you both can work on to strengthen your marriage.

Tools

  • TaggedFrog allows you to make a tag cloud from Windows files
  • Many Eyes is a cool site to see thematic visualization in action


It doesn't paint a pretty picture but it is a picture. With structure, I can see more clearly what events influenced her decisions. That gives me a better ability to understand what happened and how to work on the marriage to ensure it never does again.

Nota Bene: if you do use the Google tools make sure you're not sharing that with anyone! Set it to private so your bar buddies don't get a sneak peek at why you're always ordering double whiskeys.

---DNS