There are not many forensic articles on ‘Opera’. So I try to write something about it. This is my findings based on my observations. Definitely this posting is not complete and going to be an on-going project. If you are reading this, please drop me something, (a link, a tool, an article or anything!). And if you have written something on it, please share it with me.
This article is based on Opera 12.11 (build 1611) running on a Windows 7 machine.
- Win7: \Users\[user]\AppData\Local\Opera\
- Win7: \Users\[user]\AppData\Roaming\Opera\
- Win Vista: \Users\[user]\AppData\Local\Opera\
- Win Vista: \Users\[user]\AppData\Roaming\Opera\
- Win XP: \Documents and Settings\[user]\Application Data\Opera\
- Win XP: \Documents and Settings\[user]\Local Settings\Application Data\Opera\
- Mac OS X: ~/Library/Application Support/Opera
- Mac OS X: ~/Library/Caches/Opera
- Mac OS X: ~/Library/Opera
- Installation/Last update information: autoupdate_region.dat & operaprefs.ini
- Bookmarks: bookmarks.adr
- Cookies: cookies4.dat
- Download: download.dat
- Histories: global_history.dat
- Preferences: operaprefs.ini
- Search preferences: search.ini
- Search histories: search_field_history.dat
- Speeddial settings: speeddial.ini
- Typed URLs: typed_history.xml
- Last Sessions: autosave.win & autosave.win.bak
- Cache folder: \Users\[user]\AppData\Local\Opera\Opera\Cache
Bookmarks information are stored in a text file named “bookmarks.adr”. Some interesting information are:
- URL or Folder
- NAME: given name for bookmark (bookmark folder)
- CREATED: created timestamp (Unix & GMT)
- VISITED: visited timestamp (Unix & GMT)
- URL: URL for bookmark
Browsing histories are stored in a text format file named “global_history.dat”. This file provides information to:
- Window title
- Visited timestamp (Unix & GMT)
Search file histories can be found in a XML format file named “search_field_history.dat”.
Users’ typed URLs can be found in “typed_history.xml” which contained the the URLs and the associated timestamp (in GMT).
Last sessions which can be used to restore the website in the event of a program crashes can be found in text format file “autosave.win” & “autosave.win.bak”. Essentially, it recorded the state of the browser when the browser is in use. Among the most important information is the number of windows opened and the URLs.
Opera stored cache files starting with “opr” and are saved with “tmp” extension. The tool that I used is Nirsoft OperaCacheView. You have to copy out the cache folder and used Nirsoft OperaCacheView to parse the cache files.
Cookies are stored in a semi-binary file named “cookies4.dat”. If you do a search, you will probably find a few tool to parse cookies data. However as of this moment, I prefer to set up Opera on a virtual machine and import the Opera artifacts into the virtual machine, and used ‘Cookie Manager’ in Opera Preferences to view the data.
That is all for now. Moving on to other project and will definitely add more stuffs as and when I find new stuff. : )