There’s a new (newish?) database in Microsoft Edge that is worth exploring a bit further. This blogpost is partially an intro, partially a placeholder, because I saw some conversation on a listserv about the database but almost nothing else online about it. There’s limited research, so let me know what you find and I can update the post!

Microsoft Edge (Chromium) has another sqlite database, WebAssistDatabase, that can contain Internet History.

The database contains three tables: meta, navigation_history, product_entities

Navigation_history is the only one I’ve found to be useful and has the following schema:

CREATE TABLE navigation_history ( url VARCHAR NOT NULL PRIMARY KEY, id INTEGER, title VARCHAR, metadata VARCHAR, last_visited_time INTEGER NOT NULL DEFAULT 0, num_visits INTEGER NOT NULL DEFAULT 1, product_entity_id VARCHAR, semantic_encoding VARCHAR, locale VARCHAR, titledata VARCHAR, urldata VARCHAR, page_profile VARCHAR);

There’s a few columns in here that immediately stand out – url, title, and last_visited_time, with the later being a standard unix timestamp.

The other columns, I’m sure are useful for their intended purpose, however I don’t think they’re going to be super useful for DFIR. I generally ignore num_visits because I don’t trust counters for Internet history. The metadata column may be – it seems to have keywords (sometimes missing letters though) from the webpage, but I’m not entirely sure of it’s purpose. The below screenshot shows all of the columns, some of which have data and some don’t.

Observations

I looked at this database on a few systems and have the following observations – please don’t take this as a significant amount of testing, ideally someone picks up the challenge of looking at the limitations of this database and tries to figure out how it all works. Unfortunately, Microsoft hasn’t made Chromium Edge open source, so we can’t just go look at the source code.

• As with history, there’s one of these for each Profile.
• You may get more than 90 days of history; The history database in Chromium only keeps history for the past 90 days. On one test system, the earliest last_visited_time of the WebAssistDatabase went back to 1 August 2023 (more than 90 days ago, but not too much more), and another it went back a couple of years. The one that went back longer only had a really small amount of Internet history (50-60 rows), so I’m not sure if that played into it.
• I deleted an entry from my Internet history, which will update the history database. The same url was updated in the WebAssistDatabase. I was hoping that we might be able to use this to recover deleted Internet history, but it doesn’t look like it.
• Not really a big finding, but something worth mentioning – this database is on Mac and Windows (I’d assume it’s wherever Edge runs)
• There’s also a file WebAssistDatabase-Journal – I haven’t looked at this file. On my Mac it’s currently an empty file.

One of my coworkers has put together an SQLecmd Map (just key columns only) which I’ve just made a pull request for, and I’ve also made a pull request to update the KAPE Edge Chromium target. I have made a Velociraptor artfact, but with the new SQLite hunter, it’s not worth pushing to the repo as we’ll get that incorporated automatically eventually.

The main usecase that I can see here is potentially being able to look back slightly further into Internet history which otherwise only lets us look back 90 days.

If anyone does any further testing let me know!