Browser Forensic Viewer for $29

Sherlock Browser Viewer is a forensic browser artifact extraction tool built by certified examiners (CISSP, ISSAP, ISSMP). It reads history, bookmarks, downloads and cached data from 8 browsers in read-only mode. The Free edition displays all artifacts. The Forensic Edition at $29 USD adds CSV export with timestamps for evidentiary use. No subscription fees.

Why We Built a Browser Forensics Tool

Browser artifacts are the single most requested data type in digital forensic examinations. Every civil investigation, every HR matter, every insurance fraud case and every family law dispute eventually involves the question: what websites did someone visit and when did they visit them? Browsing history is the digital equivalent of a diary that the user never intended to write.

The problem is that extracting browser history in a forensically sound manner has traditionally required one of two approaches. The first is a full disk forensic suite like EnCase, X-Ways or Magnet AXIOM. These tools cost hundreds to thousands of dollars per year and require significant training. They perform full disk analysis when all you need is the browser data. The second approach is manual SQLite database extraction, which requires technical expertise with database query tools and command-line operations that most investigators do not possess.

We built Sherlock Browser Viewer as the middle path. A focused tool that does one thing properly: extract browser artifacts from 8 browsers in a forensically sound, read-only manner and export them as structured CSV data for evidentiary use. Nothing more. Nothing less.

What Sherlock Browser Viewer Does

The tool scans the local computer for installed browsers and reads their native data stores. Every major browser stores its data in SQLite databases and JSON configuration files. Sherlock Browser Viewer knows where each browser stores these files and how to interpret their internal schemas.

It supports 8 browsers:

  • Google Chrome including all user profiles
  • Mozilla Firefox including all profile directories
  • Microsoft Edge (Chromium-based)
  • Brave Browser
  • Opera
  • Vivaldi
  • Tor Browser (residual artifacts where available)
  • Chromium (open-source base)

For each browser, Sherlock Browser Viewer extracts 4 artifact categories:

| Artifact Type | Data Extracted | Free Edition | Forensic Edition |
|---|---|---|---|
| Browsing History | URLs visited, page titles, visit timestamps, visit count, transition type | View in app | View + CSV export |
| Bookmarks | Bookmark URLs, titles, folder structure, date added, date modified | View in app | View + CSV export |
| Downloads | Downloaded file URLs, local file paths, file sizes, download timestamps | View in app | View + CSV export |
| Cached Data | Cached URLs, content types, access timestamps, cache entry sizes | View in app | View + CSV export |

The extraction process is straightforward. You install the tool, click "Scan Computer" and it automatically locates every supported browser on the system. You select the browsers and artifact types you want to examine. The Free edition displays all results in the built-in viewer. The Forensic Edition exports structured CSV files with complete timestamps that you can attach to your report or import into your case management system.

The Read-Only, Forensically Sound Approach

Forensic integrity is not optional. It is the entire point of using a forensic tool instead of manually browsing through someone's browser settings.

Sherlock Browser Viewer never opens the original browser database files in write mode. Instead, it creates a temporary copy of each SQLite database file before querying it. The original files remain untouched on disk. This means the tool can be run on a live system without altering the evidence, which is critical for examinations where you do not have a forensic disk image.

If you are working from a forensic image mounted as a read-only drive, the tool respects that read-only mount. It reads the browser databases from their standard locations on the mounted image and copies them to the examiner's working directory for analysis.

This read-only methodology is aligned with NIST SP 800-86 guidelines for handling digital evidence. The tool does not inject itself into running browser processes. It does not modify registry entries. It does not alter file timestamps on the source data. The evidence is preserved exactly as it existed before the examination began.
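The copy-then-query workflow described above can be sketched as follows. This is an added example, not Sherlock Browser Viewer's code; the function names, the SHA-256 verification step and the sample database are assumptions constructed for illustration.

```python
import hashlib, shutil, sqlite3, tempfile
from pathlib import Path

def sha256_file(path):
    """Hash in chunks so large databases need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_copy(source, workdir):
    """Copy a database and any SQLite sidecar files, then verify by hash."""
    source, workdir = Path(source), Path(workdir)
    before = sha256_file(source)
    dest = workdir / source.name
    shutil.copy2(source, dest)
    for suffix in ("-wal", "-shm", "-journal"):  # recent transactions may sit here
        sidecar = source.with_name(source.name + suffix)
        if sidecar.exists():
            shutil.copy2(sidecar, workdir / sidecar.name)
    if not (before == sha256_file(source) == sha256_file(dest)):
        raise RuntimeError("source changed during copy, or copy is corrupt")
    return dest, before

def query_copy(db_copy, sql):
    """Open the working copy with mode=ro so even the copy cannot be written."""
    con = sqlite3.connect(Path(db_copy).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()

def demo():
    """Constructed sample: a minimal table shaped like Chromium's urls table."""
    with tempfile.TemporaryDirectory() as tmp:
        src, work = Path(tmp, "History"), Path(tmp, "work")
        work.mkdir()
        con = sqlite3.connect(src)
        con.executescript("CREATE TABLE urls (url TEXT, visit_count INTEGER);"
                          "INSERT INTO urls VALUES ('https://example.com/', 3);")
        con.close()
        copy, digest = acquire_copy(src, work)
        rows = query_copy(copy, "SELECT url, visit_count FROM urls")
        try:
            query_copy(copy, "DELETE FROM urls")
            refused = False
        except sqlite3.OperationalError:
            refused = True
        return rows, refused, digest == sha256_file(src)
```

Recording the returned digest in the examination notes lets another examiner confirm that the working copy matches the source file.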

Why $29

The pricing logic is the same as every Sherlock Forensics tool. We do not have a sales team. We do not attend trade shows. We do not have channel partners extracting a 40% margin. We do not have venture capital investors expecting exponential returns.

Enterprise forensic suites bundle browser artifact extraction as one module within a larger platform. You pay for disk forensics, mobile acquisition, cloud analysis and a dozen other capabilities you may never use. If browser artifacts are all you need, you are paying for an aircraft carrier when you need a fishing boat.

Sherlock Browser Viewer costs $29 USD. One-time purchase. No subscription. No annual renewal. No per-seat licensing. No "maintenance fees" that arrive six months after purchase. You pay $29 once and you own the license. Updates within the major version are included.

The $29 price reflects what it actually costs to build and maintain a focused browser forensics tool. The Free edition handles viewing. The Forensic Edition adds the CSV export functionality that investigators need for evidentiary documentation. That export feature costs engineering time to implement with proper timestamp formatting, UTF-8 encoding and structured data output. Twenty-nine dollars covers that engineering work with a reasonable margin.

Free Edition vs. Forensic Edition

The Free edition is not a crippled trial version with a countdown timer. It is a fully functional browser artifact viewer that you can use indefinitely. Every artifact that the Forensic Edition can extract, the Free edition can display. The distinction is output.

Free Edition (no cost)
View all browser artifacts from 8 browsers in the built-in viewer. Filter by date range. Search across all artifacts. Sort by any column. No CSV export. No data leaves the application. Designed for investigators who need to view browser data on screen without producing a formal export.

Forensic Edition ($29 USD)
Everything in the Free edition plus structured CSV export with full timestamps. Each export produces one CSV file per artifact type per browser. Timestamps are formatted in ISO 8601 for unambiguous interpretation. UTF-8 encoding handles international characters. The CSV files can be attached directly to a forensic report, imported into timeline analysis tools or submitted as exhibits.

The reason for this split is practical. Many investigators need to quickly check what browsers are installed on a system and whether there is relevant browsing data before deciding whether to pursue a full examination. The Free edition handles that triage. When the investigator determines that the browser data is relevant and needs to be formally documented, the Forensic Edition provides the export capability.

Where Browsers Store Data

Understanding where browsers store their artifacts is essential for any forensic examination. Sherlock Browser Viewer automates this process, but the underlying forensic knowledge matters for testimony and report writing.

Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi) store browsing history in a SQLite database file named History located within each user's profile directory. For Chrome on Windows, this is typically at %LOCALAPPDATA%\Google\Chrome\User Data\Default\History. Bookmarks are stored in a JSON file named Bookmarks in the same directory. The database uses Chrome epoch timestamps (microseconds since January 1, 1601), which differ from standard Unix timestamps.

Firefox uses a different database schema. Browsing history and bookmarks are stored in places.sqlite within the Firefox profile directory. Downloads are tracked in the same database. Firefox uses PRTime timestamps (microseconds since January 1, 1970). The profile directory uses a randomized name like xxxxxxxx.default-release which Sherlock Browser Viewer resolves automatically by reading profiles.ini.

Tor Browser is based on Firefox but configured to minimize forensic artifacts. It clears history on exit by default. However, residual data may exist in the places.sqlite file between sessions or if the user has modified the default privacy settings. Sherlock Browser Viewer will extract whatever data exists in the Tor Browser profile directory without making assumptions about what should or should not be present.
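The two timestamp formats and the profiles.ini lookup described in this section can be handled as shown below. This is an added example, not the tool's own code; the function names, the sample profiles.ini and the mount path are constructed for illustration, and treating a Chromium value of 0 as unset is an assumption of this sketch.

```python
import configparser
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample; real files may carry extra sections such as [Install...].
SAMPLE_PROFILES_INI = """\
[Profile1]
Name=default
IsRelative=1
Path=Profiles/aaaaaaaa.default

[Profile0]
Name=default-release
IsRelative=1
Path=Profiles/xxxxxxxx.default-release
Default=1

[General]
StartWithLastProfile=1
"""

def chrome_time_to_iso(microseconds):
    """Chromium timestamp (microseconds since 1601-01-01 UTC) to ISO 8601."""
    if not microseconds:  # assumption: 0 or NULL is treated as "unset"
        return None
    return (CHROME_EPOCH + timedelta(microseconds=microseconds)).isoformat()

def prtime_to_iso(microseconds):
    """Firefox PRTime (microseconds since 1970-01-01 UTC) to ISO 8601."""
    if microseconds is None:  # NULL column value
        return None
    return (UNIX_EPOCH + timedelta(microseconds=microseconds)).isoformat()

def firefox_profile_dirs(profiles_ini_text, firefox_root):
    """Return the profile directories listed in profiles.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profiles_ini_text)
    dirs = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue  # skip [General] and other non-profile sections
        path = cp[section]["Path"]
        relative = cp[section].get("IsRelative", "1") == "1"
        dirs.append(str(PurePosixPath(firefox_root) / path) if relative else path)
    return dirs
```

Mixing up the two epochs shifts every timestamp by 369 years, so a converted value that lands far outside the case timeline is a sign the wrong conversion was applied.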

Use Cases

Sherlock Browser Viewer addresses specific investigative scenarios where browser artifacts are the primary evidence source:

  • Employee internet usage investigations: HR departments and corporate investigators examining whether an employee accessed prohibited websites on company equipment. The Free edition provides immediate on-screen verification. The Forensic Edition produces CSV exports for the investigation file.
  • Insurance fraud investigations: Investigators examining a claimant's browser history for evidence that contradicts their stated disability, injury timeline or financial position, such as browser history showing travel bookings, employment searches or financial transactions during a claimed period of incapacity.
  • Family law and custody matters: Attorneys examining browser history for evidence relevant to custody evaluations, including search queries, website visits and download history that may be relevant to parenting fitness assessments.
  • Civil litigation and eDiscovery: Law firms that need to collect browser data from workstations as part of document production. CSV export integrates with eDiscovery platforms like Relativity and Nuix.
  • Incident response triage: Security teams examining browser artifacts to determine whether a compromised workstation was used to access malicious sites, download malware or exfiltrate data through web-based services.
  • Internal compliance audits: Compliance officers verifying that employees are not accessing unauthorized cloud storage services, personal email or competitor websites from corporate machines.

In every one of these scenarios, the investigator needs browser artifacts specifically. They do not need full disk forensics. They do not need mobile acquisition. They need to know what websites were visited, what was downloaded, what was bookmarked and when these actions occurred. Sherlock Browser Viewer provides exactly that data.

Forensic Integrity for Testimony

Every design decision in Sherlock Browser Viewer was made with courtroom admissibility in mind. The tool was built by certified forensic examiners (CISSP, ISSAP, ISSMP) who have testified in court and understand what opposing counsel will challenge.

The read-only acquisition method means you can testify that the tool did not alter the source data. The temporary copy approach means the original evidence remains pristine for verification by opposing counsel's expert. The CSV export with ISO 8601 timestamps means there is no ambiguity about when events occurred. The structured output means the data can be independently verified by any examiner with a SQLite query tool.

If you are examining a live system, you should document the system time at the start of examination and note any discrepancy with actual time. Sherlock Browser Viewer records the system clock at the time of extraction for inclusion in your report. Clock skew is a common challenge point in digital evidence and the tool accounts for it.

What Sherlock Browser Viewer Does Not Do

Transparency about limitations is a forensic obligation. Sherlock Browser Viewer does not:

  • Recover deleted browser history. Once a user clears their browsing data or the browser's internal cleanup process runs, the records are removed from the SQLite database. Recovery of deleted SQLite records requires specialized carving tools and is not guaranteed.
  • Decrypt encrypted browser data. Saved passwords, autofill data and cookies stored in encrypted format are not extracted. The tool focuses on inherently unencrypted artifact types: history, bookmarks, downloads and cached data.
  • Capture browser data from mobile devices. It is a desktop tool for desktop browsers. For mobile browser data, a mobile acquisition tool like Sherlock Android Acquirer is required.
  • Perform real-time browser monitoring. It is a point-in-time extraction tool. It captures what exists at the moment of examination.

These limitations are by design. Each excluded feature would increase complexity and expand the attack surface for opposing counsel to challenge. A focused tool with clear boundaries is more defensible than a broad tool that attempts everything.
