AF-002 · Semantic
Selective Browser History Removal
Status: Validated · Tags: browser-forensics, sqlite-manipulation, Windows 10
Contributed by @ioi-framework · 2025-01-01
Dependent artifacts: Chrome History, IndexedDB, $MFT, $UsnJrnl
Reproducibility bundle: Zenodo DOI

Summary

The adversary selectively deleted specific URL entries from the Chrome History SQLite database (Default/History) while leaving behind corresponding IndexedDB cache directories under Default/IndexedDB/. These cache directories contain subdirectories named after visited origins (e.g., https_www.youtube.com_0.indexeddb.leveldb), providing an indirect record of browsing activity that persists even after History deletion.

Scenario Steps

1. Set Up — Deployed Windows 10 VM, installed Google Chrome, browsed to multiple websites (nytimes.com, youtube.com, reddit.com).

2. Baseline Collection — Closed Chrome to flush memory to disk. Backed up the unmodified History SQLite file from C:\Users\resea\AppData\Local\Google\Chrome\User Data\Default\History.

3. Tampering — Opened the History file in DB Browser for SQLite. Deleted URL and visit entries related to youtube.com.

4. Evidence Collection — Collected both the original and the tampered versions of the History file. Extracted $MFT and $UsnJrnl:$J using Autopsy.

Ground Truth Criteria

  • $MFT shows IndexedDB folders for domains (e.g., youtube.com) that were visited
  • Chrome’s History DB no longer reflects visited sites like youtube.com
  • $UsnJrnl shows the History file was modified, with update reasons DataOverwrite, DataTruncation, or DataExtend

Expected Invariant

For every domain represented by an IndexedDB cache directory, a corresponding URL entry should exist in the Chrome History database.

Inconsistency Summary

The Chrome History SQLite database was deliberately modified to remove evidence of specific websites, but this did not erase related filesystem activity. The $MFT and $UsnJrnl show modifications to History even though the visit records no longer exist, demonstrating how SQLite tampering leaves residual traces detectable by cross-artifact comparison.

Detection Logic

-- Step 1: Find domains in MFT IndexedDB folders
FIND mft_indexeddb WHERE mft_indexeddb.ParentPath CONTAINS 'IndexedDB'
  EXTRACT domain FROM ParentPath
  RETURN domain, ParentPath

-- Step 2: Check if domain exists in History database
FIND history_urls WHERE history_urls.fullValue CONTAINS domain
  RETURN url_entry

-- Step 3: Check USN for History file tampering
FIND usn_entries WHERE usn_entries.fileName = 'History'
  AND usn_entries.updateReasons CONTAINS ('DataTruncation' OR 'DataOverwrite' OR 'DataExtend')
  RETURN updateReasons

-- Detection Rule
IF domain EXISTS IN mft_indexeddb
  AND domain NOT EXISTS IN history_urls
  AND usn_entries SHOWS tampering evidence
THEN FLAG 'AF-002: Selective Browser History Deletion Detected'
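The detection rule above, reimplemented as an added Python example (not the IoI framework's own code) over constructed sample evidence: a short $MFT listing, an in-memory SQLite table mimicking Chrome's urls table, and two $UsnJrnl records. The IndexedDB directory-name pattern, the '|'-separated reason string and the row layouts are assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# IndexedDB origin dirs are named <scheme>_<host>_<port>.indexeddb.leveldb (assumed pattern)
INDEXEDDB_DIR = re.compile(r"^https?_(?P<host>[^_]+)_\d+\.indexeddb\.leveldb$")
# USN update reasons the case treats as evidence of History tampering.
TAMPER_REASONS = {"DataOverwrite", "DataTruncation", "DataExtend"}

def indexeddb_hosts(mft_rows):
    """Step 1: hosts recoverable from IndexedDB directory names in $MFT rows (parent_path, name)."""
    hosts = {}
    for parent, name in mft_rows:
        m = INDEXEDDB_DIR.match(name)
        if "IndexedDB" in parent and m:
            hosts[m.group("host")] = parent + "\\" + name
    return hosts

def history_hosts(conn):
    """Step 2: hostnames still present in the Chrome History 'urls' table."""
    return {urlparse(url).hostname for (url,) in conn.execute("SELECT url FROM urls")}

def history_tampered(usn_rows):
    """Step 3: any $UsnJrnl record on 'History' carrying a write-type reason; rows are (name, 'A|B|C')."""
    return any(name == "History" and TAMPER_REASONS & set(reasons.split("|"))
               for name, reasons in usn_rows)

def detect_af002(mft_rows, conn, usn_rows):
    """Detection rule: IndexedDB host absent from History while History itself shows tampering."""
    if not history_tampered(usn_rows):
        return []
    known = history_hosts(conn)
    return sorted(h for h in indexeddb_hosts(mft_rows) if h not in known)

def build_sample():
    """Constructed evidence mirroring the case: youtube.com rows removed from History."""
    idb = r"C:\Users\resea\AppData\Local\Google\Chrome\User Data\Default\IndexedDB"
    mft = [(idb, "https_www.youtube.com_0.indexeddb.leveldb"),
           (idb, "https_www.reddit.com_0.indexeddb.leveldb"),
           (idb.rsplit("\\", 1)[0], "History")]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER)")
    conn.executemany("INSERT INTO urls (url, title, visit_count) VALUES (?, ?, ?)",
                     [("https://www.nytimes.com/", "NYT", 2),
                      ("https://www.reddit.com/r/forensics", "reddit", 1)])
    usn = [("History", "DataOverwrite|DataTruncation|Close"), ("History-journal", "FileCreate|Close")]
    return mft, conn, usn
```

On real evidence, feed parsed $MFT and $UsnJrnl rows and open the collected History file with sqlite3 in place of build_sample().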

Performance

Artifact    Input (MB)    Triples       Load (s)
$MFT        157.2         17,137,388    149.0
$UsnJrnl    54.1          6,905,772     65.3
History     0.012         116           3.3
Total                     24,042,852    217.5

Query time: 4.32 s · Detections: 1 · False positives on baseline: 0