Blog

Microsoft Edge Forensics – Where to Find Artifacts?

John Doe | October 24th, 2017 | Updates

The web surfing has marked a remarkable change with Microsoft’s next-generation browser- the Edge. Edge browser is a replacement for Internet Explorer in Windows 10 and is a lightweight browser developed under the codename “Project Spartan”. It is the default browser of Windows 10 PC as well as phones, implemented with a new mode of a layout called EdgeHTML. The main specialty noted is, Edge is unified with Cortana to grant search features, voice control etc. With the Edge browser, users can share information searched through emails instantly, make notes on the web page and share, keep Reading lists for reading the articles later and much more.

Since the technology has changed to a new phase, browsing has become the source origin of collecting information for forensic investigations. You will have come across many tools that lead the way for evidence collection. Almost all of them are implemented by maintaining the structure of web browsers. This informative session discusses the ways through which one can collect the evidence or do the forensic search on Edge browser, thus, elaborating the complete procedure of Microsoft Edge Forensics.

What information can be collected from Edge? How can one carve the evidence with the help of Edge browser? Where does the data get stored?

Investigators need to collect information for closing their cases. Each and every case maybe one way or other linked to the web. So, proper collection of information is essential and for that, agents will have to thoroughly check the browser storage. The Edge browser stores data i.e. artifacts in ESE database.

Where To Find Artifacts?

Database:

As said, you can find the artifacts in ESE (Extensible Storage Engine) database i.e. in;

microsoft edge forensics

Don’t get confused with ‘Spartan’, it is Edge itself. What can be found in this database? Users can find many tables under this such as; FileCleanup, Folder, ReadingList, RowId, MSysObjids, MSysObjects, FolderStash, MSysLocales, and MSysObjectsShadow.

Microsoft Edge Cache Forensics:

Similar to the Internet Explorer, Edge has four cache folders in the directory. All the browsed content details will be stored such as HTML pages, downloads, images etc.

project spartan browser forensics

Bookmark:

With Edge browser users can keep the bookmark on the contents seemed to be important and is found in;

forensic analysis of Microsoft Edge

Last Browse Session:

To search the last session which was browsed, users will have to visit;

Spartan Browser Microsoft Edge

History:

As similar to all the other browsers, Microsoft Edge also keeps the history of the browsing carried out. The interesting thing is that the history of both IE and Edge is stored in same database location.

Browser History

The history also records HTTP POST, Cookies etc. and the tables contained are:

AppCache_n, AppCacheEntry_n, DependencyEntry_n, HstsEntry_n, Container_n, LeakFiles, MSysLocales, MSysObjects and MSysObjectsShadow.

The important data like; cache file entries, cookie details, websites visited etc. are contained in the Container_n table.

Web Notes:

Web Notes are stored in the location;

img6

Reading lists:

When the lists are viewed with the help of any tool, you can see details in,

img7

InPrivate Browsing

Edge browser also allows the users to do private browsing as well. The history of the browsed session will not be available through this browsing. No trials will be left back and in this way, users can keep their secret surfing. For secret browsing, users should open the window using InPrivate Browsing tab.

Though with this browsing mode the data will not be stored in a device, it will be recorded in the Edge WebCacheV01.dat ESE database.

How Is Information Collection Possible In Private Browsing?

The Container_n table in the history stores all these. It has a field called ‘Flag’, if it is ‘8’ then, shows that the browsing is done using InPrivate mode.

If the last session of web surfing was done with InPrivate mode, the information can be collected from;

microsoft edge browser forensics

The information can even be collected from the log files and also from cache directory.

Log file:

microsoft edge forensics

Cache directory:

project spartan browser forensics

So, it is clear that even if the browsing is done with the InPrivate Browser window, a trained agent can carve out the evidence. From the ESE database, investigators can get the details of all the websites visited through the Microsoft Edge browser forensics.