Releases: acquiredsecurity/forensic-webhistory
WebX v2.0.0 — Multi-Artifact Forensic Extraction
What's New in v2.0.0
Major release adding 7 new browser artifact types for comprehensive forensic extraction.
New Artifact Types
- Downloads — Full download history with file paths, sizes, MIME types, and danger ratings
- Cookies — Cookie names, domains, values, expiry, security flags, and SameSite policy
- Autofill / Form History — Form field names, submitted values, and usage counts
- Bookmarks — URLs, titles, and full folder paths (e.g., "Bookmarks Bar > Work > Research")
- Login Data — Login URLs, usernames, timestamps, usage counts (passwords are NEVER extracted)
- Keyword Searches — Search queries extracted from Chrome/Chromium keyword_search_terms
- Extensions — Installed browser extensions with IDs, versions, permissions, and install times
Browser Support
All artifact types work across Chrome, Edge Chromium, Brave, Opera, Vivaldi, Arc (Chromium-based) and Firefox (Gecko). History extraction continues to support Safari and IE/Edge Legacy.
Key Improvements
- All 8 artifact types extracted by default — just run `webx scan -d <dir> -o <output>`
- `--artifacts` flag for selective extraction (e.g., `--artifacts downloads,cookies`)
- Schema version handling for older Chromium databases (graceful column detection)
- Safari opens databases read-only directly, falls back to copy only if locked
- Firefox downloads parsed from both modern `moz_annos` and legacy `moz_downloads` tables
- Username extraction uses `rfind` for correct path resolution on analyst workstations
- NaturalLanguage column on all artifact types for semantic indexing
- Updated interactive menu showing all artifact types
- Updated README with full artifact coverage matrix
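The read-only open with copy fallback and the graceful column detection listed above, sketched as an added Python example applied to a Chromium-style `downloads` table. It is not WebX's own code; the function names, the reduced column set, the "legacy" layout and the sample row are constructed assumptions.

```python
import os, shutil, sqlite3, tempfile
from pathlib import Path

# Subset of Chromium `downloads` columns; the "legacy" layout below is an assumption.
WANTED = ["id", "target_path", "start_time", "total_bytes", "mime_type", "danger_type"]

def open_evidence(path):
    """Open read-only; if the file is locked, read a temporary copy instead."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        conn = sqlite3.connect(uri, uri=True)
        conn.execute("SELECT name FROM sqlite_master LIMIT 1")  # force a real read
        return conn
    except sqlite3.OperationalError:
        copy = os.path.join(tempfile.mkdtemp(), os.path.basename(path))
        shutil.copy2(path, copy)
        return sqlite3.connect(Path(copy).as_uri() + "?mode=ro", uri=True)

def read_downloads(conn):
    """Select only columns that exist; absent ones are returned as None."""
    present = {row[1] for row in conn.execute("PRAGMA table_info(downloads)")}
    cols = [c if c in present else f"NULL AS {c}" for c in WANTED]
    cur = conn.execute(f"SELECT {', '.join(cols)} FROM downloads ORDER BY id")
    return [dict(zip(WANTED, row)) for row in cur]

def make_sample(path, legacy):
    """Write a constructed sample database (not real evidence)."""
    extra = "" if legacy else ", mime_type TEXT, danger_type INTEGER"
    row = (1, "/Users/analyst/Downloads/report.pdf", 13350000000000000, 2048)
    row += () if legacy else ("application/pdf", 0)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,"
                 f" start_time INTEGER, total_bytes INTEGER{extra})")
    conn.execute(f"INSERT INTO downloads VALUES ({', '.join('?' * len(row))})", row)
    conn.commit()
    conn.close()

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, legacy in (("modern", False), ("legacy", True)):
            path = os.path.join(d, name)
            make_sample(path, legacy)
            conn = open_evidence(path)
            results[name] = read_downloads(conn)
            conn.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Opening with `mode=ro` makes SQLite reject any write through that connection, and the `NULL AS` substitution keeps the output columns identical across schema versions.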
Artifact Coverage Matrix
| Artifact | Chrome/Edge/Brave | Firefox | Safari | IE/Edge |
|---|---|---|---|---|
| History | ✅ | ✅ | ✅ | ✅ |
| Downloads | ✅ | ✅ | — | — |
| Keyword Searches | ✅ | — | — | — |
| Cookies | ✅ | ✅ | — | — |
| Autofill | ✅ | ✅ | — | — |
| Bookmarks | ✅ | ✅ | — | — |
| Login Data | ✅ | ✅ | — | — |
| Extensions | ✅ | ✅ | — | — |
| Deleted History Carving | ✅ | ✅ | ✅ | — |
Testing
Tested against 4 KAPE triage datasets (Chrome, Edge, Brave, IE), local macOS Chrome (4 profiles), Firefox, and Safari — 31,799+ entries extracted with 0 errors. All 13 unit tests pass.
Usage
```bash
# Extract all artifacts from a triage folder
webx scan -d /path/to/triage -o /path/to/output
# Extract only specific types
webx scan -d /path/to/triage -o /path/to/output --artifacts history,downloads,cookies
# Single file extraction
webx extract -i /path/to/History -o output.csv
# Carve deleted history
webx carve -i /path/to/History -o carved.csv
```
Binary
`webx-v2.0.0-macos-arm64.tar.gz` — macOS Apple Silicon (M1/M2/M3/M4)
What's Changed
- Add 7 new browser artifact types for full forensic coverage by @acquiredsecurity in #1
New Contributors
- @acquiredsecurity made their first contribution in #1
Full Changelog: https://github.com/acquiredsecurity/forensic-webhistory/commits/v2.0.0