roy_batty asked:

How to access a user's browser history

A customer has a staff member who is being investigated for misconduct.

He uses an Azure AD joined Windows 10 PC. I encouraged him to use Edge but he may have installed his own browser.

Management have asked to view his browser history. What is the easiest way of getting this information? I know I could log in as the user on his PC but I don't know his password and if I change his password he will become aware something is going on.

I have Azure AD admin access.

Any help would be appreciated.

kenfcamp

Do you know which browser he installed?
McKnife

This solution is only available to members.
If this is going to be a legal investigation, you should be making a clone of the disk.  Don't just start it up.  The very least thing you should do is to copy the user profile from the user's AppData folder before you even start.  You should then be working on the copied data, not on the actual user's computer and account.
Pau Lo

I would agree with some of the previous comments, in that you would use a forensically sound disc imaging utility such as FTK Imager on the hard disc drive in the user's device:
FTK Imager Version 4.5 | AccessData

Most often, the specialists who do digital forensics work on a day-to-day basis would be using something like EnCase Forensics to do their analysis. However, as pointed out, there are free browser history reporting tools from the likes of NirSoft. I seem to recall, though, that trying to parse some of the history logs on foreign systems did not always produce complete results.

Often forensics artefacts such as this are actually SQLite databases, so you can always download a free database browser for SQLite databases and run queries on the information that way.
Assuming it's Chrome:
Google Chrome - Forensics Wiki

Certainly check your HR policies (or gain advice from that team) around your rights to interrogate this information, before proceeding. And make sure your analysis considers what your company defines as acceptable use levels for Internet usage on work time.

Also, if you are an administrator, why would you need their password, as surely you have local admin over their device and local storage where such files would reside through the relevant AD/AAD security groups and roles? As mentioned, you may be able to extract browser history reports from your content control software without having to even touch the user's device. Obtaining browser history logs from the user's device would be the "Plan B". I know for a fact, many organizations purposely use content control software to just block access to certain categories of sites from their users' devices, as opposed to double up as a reporting/history reporting mechanism. Therefore, the history is not available from the interface for privacy reasons.
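
The approach described in the answers above (work on a copy of the profile data, then query the SQLite history file), as an added example that is not part of the original thread. It assumes a Chromium-based browser (Chrome or Edge), whose `History` file has `urls` and `visits` tables with times stored as microseconds since 1601-01-01 UTC; the sample database, its rows and the function names are constructed for the example.

```python
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Convert a Chromium timestamp (microseconds since 1601-01-01 UTC)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def read_history(db_copy):
    """Query a *copy* of a History file read-only; return (sha256, visits)."""
    before = sha256(db_copy)  # record the hash of the working copy first
    # mode=ro + immutable=1: SQLite takes no locks and writes no side files
    uri = Path(db_copy).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT v.visit_time, u.url, u.title FROM visits v "
            "JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    finally:
        con.close()
    if sha256(db_copy) != before:  # the copy must be unchanged by analysis
        raise RuntimeError("working copy changed during analysis")
    return before, [(webkit_to_utc(t).isoformat(), url, title)
                    for t, url, title in rows]

def make_sample(path):
    """Constructed sample: only the schema columns the query above needs."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example'),
                                (2, 'https://example.org/a', 'Page A');
        INSERT INTO visits VALUES (1, 2, 13350000060000000),
                                  (2, 1, 13350000000000000);
    """)
    con.close()

def demo():
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "History"
        make_sample(sample)
        return read_history(sample)
```

Recording the hash before and after analysis gives a simple check that the working copy was not modified while it was being examined.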