Tuesday, 3 November 2015

Microsoft Edge Browser Forensics – Exploring Project Spartan

Formerly known as Internet Explorer and later as Project Spartan, Microsoft's Edge browser has evolved considerably. From its user interface to the technology it is built on, the Windows 10 variant of the browser is a complete redesign. This post looks at the artifacts the successor to Internet Explorer leaves behind on the local machine: where they are located, what type they are, and how to gather them. You will find, however, that the backend of Project Spartan, now Edge, works much like the latest version of Internet Explorer. Let us take a look.

Starting With Browser Forensics

Web browsers are the primary vehicle for most offensive activity online, so they are also a primary source of information in any digital forensic investigation. Many open source applications can perform a forensic examination of most web browsers. These applications, however, depend on the browser's internal architecture and require familiarity with it in order to detect and interpret the data.

Edge Browser And Its Forensics

Edge is the latest browser developed by Microsoft as the successor to Internet Explorer. Built specifically for Windows 10, its usage has risen sharply with the growing number of users of the new OS. Like any browser, Edge leaves artifacts on the user's machine in order to store browsing information.

Exploring Edge Storage: Compared with its predecessor, Microsoft Edge no longer stores browser-related information such as history and keyword searches in an index.dat file. Previously, this information was kept in a file with a .dat extension. In Edge that file has been replaced by an ESE database, like the one Windows generates to store information about searches run from Windows Explorer.
The file type is known as an Extensible Storage Engine database. Not just the browsing history but most of the other artifacts generated by this browser are stored in this format. The format is also popularly known as an EDB database or JET Blue, the technology that underpins the databases of Microsoft Search, the Edge browser and Cortana (the digital personal assistant developed for Windows mobile and desktop) as well.

Unearthing The Artifacts: Edge ESE Database
Settings for Edge browser are stored in an ESE database, which is located on a Windows machine at the following folder path:

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb

Even though the suspect might be using the Edge browser, Windows 10 still ships Internet Explorer 11. Surprisingly, the browsing history for both is stored at the same location, which is:

\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

The cached files are located in the following directory:

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\#!001\MicrosoftEdge\Cache\

Examining The Artifacts: Search for Evidence

As discussed previously, plenty of open source utilities can look inside an ESE database in standalone mode, i.e. without any external support. Whether this works, however, depends entirely on the state of the database. Because it is an ESE database, a dirty shutdown of the machine leaves a high likelihood that the extracted artifacts will be in a dirty-dismount state. In that case the examiner first has to process the database with the Extensible Storage Engine Utilities provided by Microsoft Windows before parsing it for evidence.
History, being the most important database, is used here as the example for exploring evidence in an ESE database with a viewer or an open source ESE DB reader.
Below are the tables found within the History ESE database of the Edge browser:

AppCache_n
AppCacheEntry_n
Container_n
DependencyEntry_n
HstsEntry_n
LeakFiles
MSysLocales
MSysObjects
MSysObjectsShadow
MSysObjids
Partitions
Facts: The Container_n tables store information such as cookie details, websites visited and cache file entries, which is relevant and significant from an investigative point of view. The timestamps recorded by the ESE database are in Google Chrome value format and are expressed in the local machine's timezone; they can be decoded with a timestamp-decoding utility, or by the esedbexport tool itself if the examination is being performed with it.

What Complicates The Investigation?

A Twist in the Examination!
There is something quite unusual about the Edge browser. Suppose you log onto your Windows 10 PC with a Microsoft account and later use the same account to log into another PC. Microsoft then synchronizes your browser history across all devices signed in with that account.
As a result, the websites visited by a suspect can appear as websites also visited by the victim at the very same time, making it tricky to tell who is who and complicating the investigation.
From a forensic standpoint there is no reliable method to determine the source machine for the captured details, which makes it challenging to tie a user to a specific machine and thus to the origin of the browsing history.

Edge-y Loophole: Private Browsing

Forensic examination of most web browsers has shown that they make no provision for storing the details of private browsing sessions. Private browsing exists for a purpose, browsing the web privately, and that is what it delivers.
In the case of Microsoft Edge, however, private browsing isn't as private as it seems. Previous investigations of the browser revealed that websites visited in private mode are also recorded in the browser's WebCache file.
NOTE: The Container_n table stores the web history and includes a field named 'Flag'. A website visited in private mode has a Flag value of '8'. The purpose of storing this information is generally to recover crashed private sessions.

\Users\user_name\AppData\Local\Microsoft\Windows\WebCache
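To tie the two observations above together (the Chrome-value timestamps in the Container_n tables and the Flag value of 8 marking a private-mode visit), here is an added example, not part of the original article, that triages a tab-separated export of a Container_n table. The column names Url, AccessedTime and Flag, the sample rows and the machine's UTC offset are all assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Epoch of the Chrome-value timestamp format the article names: microseconds since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
PRIVATE_FLAG = 8  # Flag value the article associates with a private (InPrivate) visit
DEFAULT_LOCAL_TZ = timezone(timedelta(hours=-4))  # assumed offset of the examined machine

def decode_chrome_value(value):
    """Microseconds since 1601-01-01 UTC -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(value))

def encode_chrome_value(dt):
    """Inverse of decode_chrome_value; used here only to build the sample rows."""
    d = dt.astimezone(timezone.utc) - EPOCH_1601
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds

def parse_container_export(text, local_tz):
    """Parse a tab-separated Container_n export; timestamps are converted to local_tz."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="\t"):
        accessed = decode_chrome_value(rec["AccessedTime"])
        rows.append({
            "url": rec["Url"],
            "accessed_local": accessed.astimezone(local_tz),
            "private": int(rec["Flag"]) == PRIVATE_FLAG,  # the article's Flag == 8 check
        })
    return rows

def private_urls(rows):
    """URLs flagged as private-mode visits, in export order."""
    return [r["url"] for r in rows if r["private"]]

# Constructed sample export (column names assumed): two normal visits, one private.
T1 = datetime(2015, 10, 14, 12, 0, 0, tzinfo=timezone.utc)
T2 = datetime(2015, 10, 14, 12, 5, 30, tzinfo=timezone.utc)
T3 = datetime(2015, 10, 14, 12, 9, 15, tzinfo=timezone.utc)
SAMPLE_EXPORT = "\n".join([
    "Url\tAccessedTime\tFlag",
    f"http://example.com/\t{encode_chrome_value(T1)}\t0",
    f"http://example.org/login\t{encode_chrome_value(T2)}\t8",
    f"http://example.net/\t{encode_chrome_value(T3)}\t0",
])

if __name__ == "__main__":
    for row in parse_container_export(SAMPLE_EXPORT, DEFAULT_LOCAL_TZ):
        kind = "private" if row["private"] else "normal"
        print(row["accessed_local"].isoformat(), kind, row["url"])
```

Rows whose Flag does not equal 8 are reported as normal visits, so a real export with other Flag values should be reviewed against the article's description before relying on the classification.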


Therefore any skilled investigator can easily spot the difference and obtain concrete evidence of a person's wrongdoing. The browser maintains plenty of artifacts, which makes examination quite easy, though there are stages where evidence is not so easy to find. Edge's not-so-private browsing makes its very purpose appear to fail.

Source: http://articles.forensicfocus.com/2015/10/14/microsoft-edge-browser-forensics-exploring-project-spartan/
