Last year I started a new open source project. It’s written in Python and the name is browser_forensics. This program reads the history data of three different web browsers (Firefox, Chrome and Safari). Currently this forensic tool can be used on macOS and Windows 10. Linux will be supported in an upcoming version.

Background: The history files

Each browser produces its own individual artifacts. And the browser’s history is one type of them. But what is the history of a browser? Well, every browser is saving information about each site a user has visited. Firefox, Chrome and Safari uses sqlite3 databases for this data (eg. visited site, date and time, frequency). The following table is showing the names of the database files.

Browser Database name
Firefox places.sqlite
Chrome History
Safari History.db

You can open each of these files with DB Browser for SQLite, an open source tool available for Windows, macOS and Linux. While a program like DB Browser shows the entire sqlite database with all existing tables, browser_forensics prints only selected types of data (e.g. visited site, date and time). I will expand this in future versions of this program.

How to use browser_forensics

You can clone the project from Github:

git clone https://github.com/niftycode/browser_forensics

Change to the browser_forensics directory and start the program with

# Chrome browser
python browser_forensics.py -c

# Firefox browser
python browser_forensics.py -f

# Safari browser
python browser_forensics.py -s

On UNIX-like operating systems python3 may be used instead of python.

This program is in an early stage. I use my spare time to evolve the code, so it can take a while to implement new features. But maybe the previous code is of interest for some of you. So feel free to folk this project and enhance this forensic tool.