Opera Forensics

There are not many forensic articles on ‘Opera’, so I am trying to write something about it. These are my findings based on my observations. This post is definitely not complete and is going to be an ongoing project. If you are reading this, please drop me something (a link, a tool, an article or anything!). And if you have written something on it, please share it with me.

This article is based on Opera 12.11 (build 1611) running on a Windows 7 machine.

File Locations:

  • Win7: \Users\[user]\AppData\Local\Opera\
  • Win7: \Users\[user]\AppData\Roaming\Opera\
  • Win Vista: \Users\[user]\AppData\Local\Opera\
  • Win Vista: \Users\[user]\AppData\Roaming\Opera\
  • Win XP: \Documents and Settings\[user]\Application Data\Opera\
  • Win XP: \Documents and Settings\[user]\Local Settings\Application Data\Opera\
  • Mac OS X: ~/Library/Application Support/Opera
  • Mac OS X: ~/Library/Caches/Opera
  • Mac OS X: ~/Library/Opera

File Artifacts:

  • Installation/Last update information: autoupdate_region.dat & operaprefs.ini
  • Bookmarks: bookmarks.adr
  • Cookies: cookies4.dat
  • Download: download.dat
  • Histories: global_history.dat
  • Preferences: operaprefs.ini
  • Search preferences: search.ini
  • Search histories: search_field_history.dat
  • Speeddial settings: speeddial.ini
  • Typed URLs: typed_history.xml
  • Last Sessions: autosave.win & autosave.win.bak
  • Cache folder: \Users\[user]\AppData\Local\Opera\Opera\Cache

Bookmarks

Bookmark information is stored in a text file named “bookmarks.adr”. Some interesting fields are:

  • URL or Folder
  • NAME: given name for bookmark (bookmark folder)
  • CREATED: created timestamp (Unix & GMT)
  • VISITED: visited timestamp (Unix & GMT)
  • URL: URL for bookmark
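The fields listed above can be pulled into a timeline with a short parser. This is an added example, not code from the original post: the sample file is constructed, the function names are hypothetical, and the `#URL` / `#FOLDER` section markers and the `-` line that closes a folder are assumptions about the Hotlist text layout that the post does not spell out.

```python
from datetime import datetime, timezone

# Constructed sample in the Opera Hotlist text layout (not from a real profile).
SAMPLE_ADR = """Opera Hotlist version 2.0
Options: encoding = utf8, version=3

#FOLDER
\tNAME=Research
\tCREATED=1355500000
#URL
\tNAME=Example site
\tURL=http://www.example.com/
\tCREATED=1355500100
\tVISITED=1355586399
-
#URL
\tNAME=Never opened
\tURL=http://www.example.org/
\tCREATED=1355500200
"""

def to_utc(value):
    """Convert a Unix-epoch string to an ISO 8601 UTC string; None if invalid."""
    try:
        stamp = datetime.fromtimestamp(int(value), tz=timezone.utc)
        return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError, OverflowError, OSError):
        return None

def parse_adr(text):
    """Return one dict per #URL / #FOLDER entry with folder path and UTC times."""
    entries, folders, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#URL", "#FOLDER"):
            current = {"type": line[1:], "folder": "/".join(folders)}
            entries.append(current)
            if line == "#FOLDER":
                folders.append("")   # placeholder until NAME is read
        elif line == "-":            # assumed end-of-folder marker
            del folders[-1:]         # safe even if the list is empty
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            is_time = key in ("CREATED", "VISITED")
            current[key] = to_utc(value) if is_time else value
            if key == "NAME" and current["type"] == "FOLDER":
                folders[-1] = value
    return entries
```

A bookmark with no VISITED key, like the last sample entry, was saved but has no recorded visit through that bookmark.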

History

Browsing history is stored in a text-format file named “global_history.dat”. This file provides the following information:

  • Window title
  • URL
  • Visited timestamp (Unix & GMT)

Search Histories

Search histories can be found in an XML-format file named “search_field_history.dat”.

Typed URLs

Users’ typed URLs can be found in “typed_history.xml”, which contains the URLs and the associated timestamps (in GMT).


Last Sessions

Last sessions, which can be used to restore websites in the event of a program crash, can be found in the text-format files “autosave.win” & “autosave.win.bak”. Essentially, they record the state of the browser while it is in use. Among the most important information is the number of windows opened and the URLs.

Cache

Opera stores cache files with names starting with “opr” and a “tmp” extension. The tool that I used is Nirsoft OperaCacheView. You have to copy out the cache folder and use Nirsoft OperaCacheView to parse the cache files.

Cookies

Cookies are stored in a semi-binary file named “cookies4.dat”. If you do a search, you will probably find a few tools to parse cookie data. However, as of this moment, I prefer to set up Opera on a virtual machine, import the Opera artifacts into the virtual machine, and use ‘Cookie Manager’ in Opera Preferences to view the data.

Link:

That is all for now. I am moving on to other projects and will definitely add more stuff as and when I find new stuff. : )
