Email & Web Browser Forensics

PST/OST Analysis, Email Headers & Browser Artifacts

Section 9 of 12

Email Forensics Overview

Definition: Analysis of email messages, headers, attachments, and mailbox files to investigate crimes, data breaches, and communication patterns.

What Can Be Found

  • Communication Records: Who contacted whom
  • Timestamps: When messages were sent
  • IP Addresses: Origin of emails
  • Attachments: Files, malware
  • Deleted Messages: Recovery from mailbox files
  • Authentication: SPF, DKIM, DMARC status

Email File Formats

  • .PST - Outlook Personal Storage Table
  • .OST - Outlook Offline Storage Table
  • .MBOX - Unix mailbox format
  • .EML - Individual email messages
  • .MSG - Outlook message format
  • .DBX - Outlook Express mailbox

Email Header Analysis

Email headers contain critical metadata about message routing and authenticity.

Sample Email Headers

From: sender@example.com
To: recipient@company.com
Subject: Important Document
Date: Wed, 3 Dec 2025 10:15:00 -0500
Message-ID: <abc123@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_123"
Received: from mail.example.com (192.168.1.50)
    by mx.company.com with ESMTP id ABC123;
    Wed, 3 Dec 2025 10:15:05 -0500
Return-Path: <sender@example.com>
X-Originating-IP: [203.0.113.45]
X-Mailer: Microsoft Outlook 16.0

Key Header Fields

  • Received: Mail server path (read bottom-up)
  • Return-Path: Bounce address
  • X-Originating-IP: Sender's IP address
  • Message-ID: Unique identifier
  • X-Mailer: Email client used
  • Authentication-Results: SPF/DKIM/DMARC

Spoofing Indicators

  • Mismatched From/Return-Path
  • Failed SPF/DKIM checks
  • Suspicious originating IPs
  • Modified Received headers
  • Unusual X-Mailer values
  • Time zone inconsistencies
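An added example (not part of the course material) that applies the checks above to a raw message with Python's standard email package: it reads the Received chain bottom-up, pulls the IP of each hop, and flags the From/Return-Path mismatch, failed SPF/DKIM and time zone indicators. The sample message is constructed from this section's headers and altered to contain those indicators; its Authentication-Results line and the second Received hop are assumed.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: this section's headers, altered so that the Return-Path,
# the first hop's time zone and an assumed Authentication-Results line carry
# the spoofing indicators listed above.
RAW = b"""\
Return-Path: <bounce@mailer-example.net>
Received: from mail.example.com (192.168.1.50)
 by mx.company.com with ESMTP id ABC123;
 Wed, 3 Dec 2025 10:15:05 -0500
Received: from [10.0.0.7] by mail.example.com with ESMTP;
 Wed, 3 Dec 2025 18:14:58 +0300
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
X-Originating-IP: [203.0.113.45]
From: sender@example.com
Date: Wed, 3 Dec 2025 10:15:00 -0500
Message-ID: <abc123@example.com>

body
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_of(addr_header) -> str:
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the bottom one is the first
    # hop; reversing the list reads the path origin -> destination.
    received = [str(r) for r in reversed(msg.get_all("Received", []))]
    hops = [IP_RE.findall(r) for r in received]
    findings = []
    if domain_of(msg["From"]) != domain_of(msg["Return-Path"]):
        findings.append("From/Return-Path domain mismatch")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("failed SPF/DKIM")
    # Date is set by the sending client, the first Received stamp by the first
    # relay; a different UTC offset is one of the inconsistencies to look at.
    date_off = parsedate_to_datetime(msg["Date"]).utcoffset()
    hop_off = parsedate_to_datetime(received[0].rpartition(";")[2].strip()).utcoffset()
    if date_off != hop_off:
        findings.append("time zone mismatch between Date and first hop")
    origin = IP_RE.findall(msg["X-Originating-IP"] or "")
    return {"hops": hops, "origin_ip": origin, "findings": findings}
```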

PST/OST File Analysis

Outlook Data Files

PST (Personal Storage Table): Stores local copies of emails, calendar, contacts

OST (Offline Storage Table): Cached copy of Exchange mailbox

Default Locations

Windows PST:

C:\Users\[user]\Documents\Outlook Files\

C:\Users\[user]\AppData\Local\Microsoft\Outlook\

File Characteristics

  • Can be very large (GBs)
  • Binary format
  • May contain deleted items
  • Optional password protection

Analysis Tools

  • Kernel PST Viewer - Free viewer
  • SysTools PST Viewer - Free reader
  • libpst (readpst) - Convert PST to MBOX
  • Autopsy - Email module

readpst Usage

# Convert PST to MBOX
readpst -o output_dir mailbox.pst

# Include deleted items in the output
readpst -D -o output/ mailbox.pst

# Separate format: one file per message, one directory per folder
readpst -S -o output/ mailbox.pst

Web Browser Forensics Overview

Browsers store extensive data about user activity, including visited sites, downloads, searches, and autofill data.

Browser Artifacts

Core Artifacts

  • History: URLs, timestamps, visit counts
  • Cookies: Session data, preferences, tracking
  • Cache: Downloaded files, images, scripts
  • Downloads: File download history
  • Bookmarks: Saved URLs
  • Autofill: Form data, usernames

Privacy Artifacts

  • Saved Passwords: Encrypted credentials
  • Session Storage: Active session data
  • Local Storage: Persistent app data
  • Extensions: Installed add-ons
  • Thumbnail Cache: Page previews
  • Prefetch: DNS prefetch records

Note

Private/Incognito mode reduces but does not eliminate artifacts: the DNS cache, router logs, and ISP logs may still contain evidence.

Chrome/Chromium Forensics

Chrome User Data Location

Windows:

C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\

macOS:

~/Library/Application Support/Google/Chrome/Default/

Linux:

~/.config/google-chrome/Default/

Key SQLite Databases

  • History - URLs, downloads, search terms
  • Cookies - Website cookies
  • Login Data - Saved passwords
  • Web Data - Autofill, credit cards
  • Top Sites - Most visited sites
  • Favicons - Site icons

Query History

# Open Chrome history (work on a copy, with the browser closed)
sqlite3 History

# View browsing history
# last_visit_time is microseconds since 1601-01-01, so the query divides by
# 1000000 and subtracts the 11644473600-second gap to the Unix epoch
SELECT url, title,
       visit_count,
       datetime(last_visit_time/1000000-11644473600, 'unixepoch')
FROM urls
ORDER BY last_visit_time DESC
LIMIT 20;

Other Important Files

  • Cache\ folder: Cached web content
  • Preferences: JSON config file
  • Extensions\ folder: Installed extensions
  • Sync Data\: Google account sync settings

Firefox Forensics

Firefox Profile Location

Windows:

C:\Users\[user]\AppData\Roaming\Mozilla\Firefox\Profiles\[random].default\

macOS:

~/Library/Application Support/Firefox/Profiles/[random].default/

Linux:

~/.mozilla/firefox/[random].default/

Key SQLite Databases

  • places.sqlite - History, bookmarks, downloads
  • cookies.sqlite - Cookie data
  • logins.json - Saved passwords (encrypted)
  • formhistory.sqlite - Form autofill
  • permissions.sqlite - Site permissions
  • favicons.sqlite - Site icons

Query Firefox History

# Open places database (work on a copy, with the browser closed)
sqlite3 places.sqlite

# View history
# last_visit_date is microseconds since the Unix epoch, so no epoch offset is needed
SELECT url, title,
       visit_count,
       datetime(last_visit_date/1000000, 'unixepoch')
FROM moz_places
ORDER BY last_visit_date DESC
LIMIT 20;
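The Chrome and Firefox queries above differ only in their timestamp epochs. The following added example (not from the course material) runs both queries through Python's sqlite3 module and converts in both directions, so a time window can be turned into a WHERE bound; it assumes constructed in-memory stand-ins for the History and places.sqlite databases that hold only the columns the queries use.

```python
import sqlite3
from datetime import datetime, timezone

# Chrome/Chromium store times as microseconds since 1601-01-01 (WebKit time);
# Firefox stores microseconds since the Unix epoch. The two epochs differ by
# 11644473600 seconds, the constant subtracted in the Chrome query above.
WEBKIT_EPOCH_OFFSET = 11644473600

def chrome_time_to_dt(webkit_us: int) -> datetime:
    secs, us = divmod(webkit_us - WEBKIT_EPOCH_OFFSET * 1_000_000, 1_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=us)

def firefox_time_to_dt(unix_us: int) -> datetime:
    secs, us = divmod(unix_us, 1_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=us)

def dt_to_chrome_time(dt: datetime) -> int:
    # The reverse direction is what you need to bound a query to a time window.
    return (int(dt.timestamp()) + WEBKIT_EPOCH_OFFSET) * 1_000_000 + dt.microsecond

def dt_to_firefox_time(dt: datetime) -> int:
    return int(dt.timestamp()) * 1_000_000 + dt.microsecond

def chrome_history(conn: sqlite3.Connection, limit: int = 20) -> list:
    """The section's Chrome query, run through Python's sqlite3 module."""
    return conn.execute("""SELECT url, title, visit_count,
        datetime(last_visit_time/1000000 - 11644473600, 'unixepoch')
        FROM urls ORDER BY last_visit_time DESC LIMIT ?""", (limit,)).fetchall()

def firefox_history(conn: sqlite3.Connection, limit: int = 20) -> list:
    """The section's Firefox query against moz_places in places.sqlite."""
    return conn.execute("""SELECT url, title, visit_count,
        datetime(last_visit_date/1000000, 'unixepoch')
        FROM moz_places ORDER BY last_visit_date DESC LIMIT ?""", (limit,)).fetchall()

def make_sample_dbs() -> tuple:
    """Constructed in-memory stand-ins for History and places.sqlite holding
    only the columns the queries use (real files have many more)."""
    visit = datetime(2025, 12, 3, 15, 15, tzinfo=timezone.utc)
    chrome = sqlite3.connect(":memory:")
    chrome.execute("CREATE TABLE urls(url TEXT, title TEXT, visit_count INT, last_visit_time INT)")
    chrome.execute("INSERT INTO urls VALUES (?,?,?,?)",
                   ("https://example.com/login", "Login", 3, dt_to_chrome_time(visit)))
    firefox = sqlite3.connect(":memory:")
    firefox.execute("CREATE TABLE moz_places(url TEXT, title TEXT, visit_count INT, last_visit_date INT)")
    firefox.execute("INSERT INTO moz_places VALUES (?,?,?,?)",
                    ("https://example.com/login", "Login", 3, dt_to_firefox_time(visit)))
    return chrome, firefox
```

Both sample rows come back with the same rendered time, 2025-12-03 15:15:00, which is the check that the epoch handling is right.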

Other Important Files

  • cache2\ folder: Cached content
  • sessionstore.jsonlz4: Open tabs & windows
  • extensions.json: Installed add-ons
  • prefs.js: User preferences

Internet Explorer / Edge Forensics

Internet Explorer Locations

History (index.dat):

%LocalAppData%\Microsoft\Windows\History\

Cache:

%LocalAppData%\Microsoft\Windows\Temporary Internet Files\

Cookies:

%AppData%\Microsoft\Windows\Cookies\

Registry:

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Microsoft Edge (Chromium) Locations

User Data:

C:\Users\[user]\AppData\Local\Microsoft\Edge\User Data\Default\

Edge now uses the Chromium engine, so its profile has the same structure as Chrome's:

  • History (SQLite)
  • Cookies (SQLite)
  • Login Data
  • Web Data

IE Analysis Tools

  • IEHistoryView (NirSoft) - Parse index.dat files
  • IECacheView (NirSoft) - View IE cache
  • ESEDatabaseView - For Edge legacy (pre-Chromium)
  • DB Browser for SQLite - For Edge Chromium

Browser Forensics Tools

DB Browser for SQLite

Open-source SQLite viewer

  • Browse database tables
  • Execute SQL queries
  • Export results to CSV
  • Free, cross-platform

BrowsingHistoryView (NirSoft)

Multi-browser history viewer

  • Supports Chrome, Firefox, IE, Edge
  • Single unified view
  • Export to HTML/CSV
  • Free

Hindsight

Chrome/Chromium forensics

  • Python-based parser
  • Timeline generation
  • JSON/Excel output
  • Free, open-source

Browser History Examiner

Commercial forensic tool

  • All major browsers
  • Detailed reporting
  • Recover deleted history
  • Commercial

Autopsy (Web Module)

Integrated browser analysis

  • History, cookies, downloads
  • Timeline integration
  • Free, open-source
  • Keyword search

Manual Analysis

# Copy the browser profile into the case directory before opening anything
cp -r ~/.mozilla/firefox/*.default/ /case/firefox/

# Use SQLite on the copy (Chrome's History database and its urls table are
# shown; for Firefox open places.sqlite and query moz_places instead)
sqlite3 History
.tables
SELECT * FROM urls;

Cookie & Cache Analysis

Cookie Forensics

What Cookies Reveal:

  • Authentication: Session tokens
  • Tracking: User behavior across sites
  • Preferences: Language, settings
  • Timestamps: Last visit, expiration
  • Site Access: Which sites were visited

Query Chrome Cookies

SELECT host_key, name,
       value,
       datetime(creation_utc/1000000-11644473600, 'unixepoch')
FROM cookies
WHERE host_key LIKE '%facebook%';

-- creation_utc uses the same WebKit epoch as last_visit_time; in current
-- Chrome builds the value column is usually empty because the cookie
-- value is stored encrypted in the encrypted_value column

Cache Analysis

Cache Contents:

  • Images: Photos viewed
  • HTML Pages: Page content
  • Scripts: JavaScript, CSS
  • Videos: Streamed content
  • Documents: Downloaded files

Tools:

  • ChromeCacheView (NirSoft)
  • MozillaCacheView (NirSoft)
  • IECacheView (NirSoft)
  • Foremost - Carve cache files

Important

Always create forensic copies before analysis. Close the browser before accessing SQLite databases to avoid corruption.