Asked by roy_batty

How to access a user's browser history

A customer has a staff member who is being investigated for misconduct.

He uses an Azure AD joined Windows 10 PC. I encouraged him to use Edge but he may have installed his own browser.

Management have asked to view his browser history. What is the easiest way of getting this information? I know I could log in as the user on his PC, but I don't know his password, and if I change his password he will become aware something is going on.

I have Azure AD admin access.

Any help would be appreciated.

Tags: Azure, Windows OS, Windows 10


8/22/2022 - Mon

Do you know which browser he installed?


If this is going to be a legal investigation, you should be making a clone of the disk.  Don't just start it up.  The very least thing you should do is to copy the user profile from the user's AppData folder before you even start.  You should then be working on the copied data, not on the actual user's computer and account.
Pau Lo

I would agree with some of the previous comments, in that you would use a forensically sound disc imaging utility such as FTK Imager on the hard disc drive in the user's device:
FTK Imager Version 4.5 | AccessData

Most often, the specialists who do digital forensics work on a day-to-day basis would be using something like EnCase Forensics to do their analysis. However, as pointed out, there are free browser history reporting tools from the likes of NirSoft. I seem to recall, though, that trying to parse some of the history logs on foreign systems did not always produce complete results.

Often forensic artefacts such as this are actually SQLite databases, so you can always download a free database browser for SQLite databases and run queries on the information that way.
Assuming it's Chrome:
Google Chrome - Forensics Wiki

Certainly check your HR policies (or gain advice from that team) around your rights to interrogate this information before proceeding. And make sure your analysis considers what your company defines as acceptable use levels for Internet usage on work time.

Also, if you are an administrator, why would you need their password, as surely you have local admin over their device and local storage where such files would reside through the relevant AD/AAD security groups and roles? As mentioned, you may be able to extract browser history reports from your content control software without having to even touch the user's device. Obtaining browser history logs from the user's device would be the "Plan B". I know for a fact that many organizations purposely use content control software to just block access to certain categories of sites from their users' devices, as opposed to doubling up as a reporting/history reporting mechanism. Therefore, the history is not available from the interface for privacy reasons.