Forensic Examiners
Extract browser artifacts from suspect machines during forensic investigations. Read-only analysis preserves evidence integrity. CSV export feeds directly into forensic reports and case documentation.
Free Download
Sherlock Forensics Browser Viewer
Extract history, bookmarks, downloads and extensions from 8 browsers. Auto-detects all profiles. Forensically sound. Built by CISSP, ISSAP, ISSMP certified examiners.
Sherlock Forensics Browser Viewer is a free Windows desktop tool that extracts browsing history, bookmarks, downloads and extensions from Chrome, Edge, Firefox, Brave, Opera, Opera GX, Vivaldi and Tor. It auto-detects every profile, copies databases to a temp file for read-only analysis and works while browsers are open. The Forensic Edition at $29 USD adds CSV export of any filtered tab.
Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.
e52b07b98b5a15ce1423675b0994e0bc80d502ea2bb6dc09dcbdb483de1cc288
How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-browser-viewer.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.
Forensic Context
Browser History Forensics for HR Investigations, Litigation and Compliance
Browser forensics extracts and analyzes browsing artifacts as digital evidence. The discipline matters across HR investigation browser reviews, civil litigation e-discovery, regulated-industry compliance audits, child internet monitoring and internal misconduct investigations. Sherlock Forensics Browser Viewer is built for the practical end of browser forensics: read-only extraction of browser history, bookmarks, downloads and extensions across 8 browsers, with optional CSV export for forensic reports and legal filings.
In an HR investigation browser review, the artifacts that matter are visited URLs (where the employee navigated), search queries (intent signals), browser timeline reconstruction (when activity occurred), downloaded files (data exfiltration evidence) and form data (account access patterns). For civil litigation e-discovery, browser history is increasingly listed in document requests alongside email and chat. For regulated industries (healthcare, finance, government), compliance auditors check browser activity against internet-usage policy. For parental monitoring, browser history reveals the platforms a child actually uses versus what they say they use.
Sherlock's read-only extraction model keeps the browser history evidence forensically sound. The Forensic Edition adds CSV export so investigators can deliver structured browser-evidence packets to HR, legal counsel or compliance officers without the back-and-forth screenshotting that wastes investigator time. Pair the tool with our browser history evidence in HR investigation guide and browser forensics extraction methodology walkthrough for the full operational playbook. See also the Browser Viewer 1.0 launch notes for the build history.
Compatibility
Supported Browsers
Chrome
Edge
Firefox
Brave
Opera
Opera GX
Vivaldi
Tor
Auto-detects every installed browser and all profiles on the system.
Extraction
Artifacts Extracted
Complete browsing history from all detected browsers and profiles.
- URLs
- Full URL of every visited page
- Page Titles
- Title of each visited page as recorded by the browser
- Visit Counts
- Number of times each URL was visited
- Timestamps
- Date and time of each visit in local and UTC format
All saved bookmarks with full folder hierarchy.
- Bookmark URL
- The saved URL
- Bookmark Title
- User-assigned or page-default title
- Folder Path
- Full folder path showing bookmark organization (e.g. Bookmarks Bar > Work > Projects)
- Date Added
- When the bookmark was created
Download records from all browsers.
- Source URL
- The URL the file was downloaded from
- Target Path
- Local file path where the download was saved
- File Size
- Size of the downloaded file in bytes
- Download State
- Whether the download completed, was interrupted or was cancelled
Installed browser extensions and add-ons.
- Extension Name
- Display name of the installed extension
- Version
- Currently installed version number
- Enabled State
- Whether the extension is active or disabled
- Install Date
- When the extension was first installed
Browser-Specific Extraction
What Sherlock Browser Viewer Extracts: Chrome, Firefox, Edge, Brave, Opera, Tor
Each browser family stores its artifacts in a different SQLite schema. Sherlock Browser Viewer normalizes browser forensics across the Chromium and Gecko stacks so the investigator works in a single unified browser timeline rather than juggling six separate forensic tools and six different export formats.
- Chrome, Edge, Brave, Opera, Opera GX, Vivaldi (Chromium family)
- Chrome history is stored in the History SQLite database (urls, visits, downloads tables). Edge history uses the same Chromium-derived schema. Brave, Opera and Vivaldi inherit the chrome history format wholesale. Sherlock extracts chrome history records including visit counts, transition types and per-URL timestamps, plus the parallel edge history visits, the Brave/Opera/Vivaldi history rows, the browser cache index references, Top Sites, Login Data records, the downloads index and the Extensions registry, all enumerated per profile.
- Firefox (Gecko)
- Firefox history lives in places.sqlite (moz_places, moz_historyvisits, moz_bookmarks tables). Sherlock parses Firefox history alongside formhistory.sqlite, cookies.sqlite, the sessionstore.json browser session data and Firefox's separate browser cache directory. The Firefox profile model means multiple browser timelines per user, each with independent firefox history.
- Tor Browser
- Tor Browser is a hardened Firefox fork. Sherlock extracts the disk-persisted Tor profile including onion-site browsing history and bookmarks. Tor's default configuration discards much of the session data on exit, so Tor browser timeline reconstruction depends on how the suspect machine was configured.
Competitor Displacement
Sherlock Browser Viewer vs Nirsoft BrowsingHistoryView
Nirsoft BrowsingHistoryView is the free Windows-only browsing history view utility that has dominated the casual browser forensics space for over a decade. It's a single-purpose tool: enumerate browser history records and dump them to a list. For a casual one-off lookup of nirsoft browsing history records, the free browsing history view utility still works and we'll be the first to say so. The nirsoft browsing history workflow stops short of forensic-grade output, and for evidentiary work the gaps are real.
| Capability | Nirsoft BrowsingHistoryView | Sherlock Browser Viewer |
|---|---|---|
| Browser support | Chromium family + Firefox + IE (legacy) | Chromium family + Firefox + Brave + Opera + Opera GX + Vivaldi + Tor |
| Cost | Free | Free to view, $29 CSV export |
| OS support | Windows only | Windows + Linux x64 |
| Forensic chain of custody | None | Yes (Forensic Edition) |
| Court-ready PDF report | None | Yes (Forensic Edition) |
| WAL / unflushed SQLite journal reads | No | Yes |
| Extension + bookmark forensic timeline | No | Yes |
| Cross-browser unified browser timeline | Partial | Yes |
If you need to answer "did this user visit this URL on this date" for a curiosity case, the nirsoft browsing history dump from the free browsing history view tool is fine. If you need to deliver chrome history, firefox history and edge history records as evidence in an HR investigation, an e-discovery production or a court filing, the BrowsingHistoryView output is not enough. You need a tool that reads the WAL for deleted browser history, normalizes browser cache references and produces a unified browser timeline. That is what Sherlock Browser Viewer was designed to do as the Nirsoft alternative for forensic work. The full side-by-side is in our Sherlock Browser Viewer vs Nirsoft BrowsingHistoryView comparison, and the broader competitor positioning context is in our Cellebrite vs Magnet AXIOM 2026 breakdown.
Compare
Free vs Forensic Edition
| Feature | Free | Forensic Edition ($29) |
|---|---|---|
| View all browser data | Yes | Yes |
| Search across all browsers | Yes | Yes |
| Filter by date, URL, keyword | Yes | Yes |
| Sort any column | Yes | Yes |
| Auto-detect all profiles | Yes | Yes |
| Read-only forensic analysis | Yes | Yes |
| Works while browser is open | Yes | Yes |
| CSV export of any filtered tab | No | Yes |
Pricing
One-Time Payment. Yours Forever.
Forensic Edition
$29 USD
Single machine license. No subscription. One-time payment. Yours forever.
- All free features included
- CSV export of any filtered tab
- Export history, bookmarks, downloads or extensions
- Filter then export for targeted results
- Try the free version before you buy
5+ machines? Contact us for volume pricing.
Use Cases
Who Uses Sherlock Forensics Browser Viewer
HR Investigations
Review employee browsing activity on corporate workstations during workplace investigations. Filter by date range or keyword. Export filtered results for HR documentation without involving IT.
Incident Response
During security incidents, extract browser history to identify malicious downloads, phishing URLs and compromised credentials. Works on live systems without disrupting the user session. See our incident response services for full investigation support.
Legal Discovery
Collect browser evidence for civil and criminal proceedings. Pairs with our expert witness services for testimony support. CSV exports provide structured data for legal review platforms.
Parental Monitoring
Review browsing history across all browsers installed on a family computer. See every profile, every browser. Free edition provides full visibility without any purchase required.
Guide
How to Extract Browser History
- Install Sherlock Forensics Browser ViewerDownload the free installer from this page. 5.9 MB. SHA256 verified for integrity. No admin privileges required.
- Scan Computer for BrowsersLaunch the tool and click Scan. It auto-detects every installed browser and all profiles. Databases are copied to a temp file for read-only analysis. Works while browsers are open.
- Filter ResultsBrowse history, bookmarks, downloads and extensions across all detected browsers. Use search, sort and filter to isolate relevant artifacts by date, URL, keyword or browser.
- Export to CSVWith the Forensic Edition ($29 USD), export any filtered tab to CSV for inclusion in forensic reports, legal filings or incident response documentation.
Recovery Reality
Can You Recover Deleted Browser History? Incognito Sessions?
The two most common buyer questions on browser forensics are: can I recover deleted browser history, and can I retrieve incognito history. The honest answers depend on what was deleted, how it was deleted and whether the browser had time to commit the changes to disk.
Deleted Browser History Recovery
When a user clears their chrome history, the SQLite urls and visits records are removed from the live database. SQLite uses a write-ahead-log (WAL) journal, and on Chromium-family browsers the WAL is not always checkpointed immediately. If you acquire the profile before the WAL is flushed, the deleted browser history records often remain in the WAL journal and can be recovered. Sherlock Browser Viewer reads the WAL alongside the main database, so when you recover browser history from a freshly-cleared profile, you get the records the live application no longer displays. The same approach applies to deleted browser history on Firefox places.sqlite and on Edge.
Older deletions are harder. Once the WAL is checkpointed and the SQLite database is vacuumed, the recover browser history path requires unallocated-page carving or full-disk-image forensic carving. That is out of scope for a $29 browser viewer but it is in scope for our full forensic investigation services, where we recover browser history from disk images for civil and criminal matters.
Incognito History and Private Browsing Sessions
Chrome incognito mode, Edge InPrivate, Firefox private browsing and Brave private windows are designed to NOT persist incognito history to the local SQLite database. By design, Sherlock Browser Viewer reads the disk-persisted state and will not surface incognito history from disk alone. Incognito history is not always perfectly invisible: DNS resolver cache, OS-level prefetch artifacts, network-adapter logs, hosts-file lookups, the browser cache that sometimes leaks under crash recovery, and RAM dumps (if captured at the right moment) can all expose private browsing activity. For an incognito history investigation Sherlock covers the disk-artifact side. Combine with memory forensics and network logs for a complete private browsing timeline reconstruction.
Questions
Browser Viewer FAQ
What browsers does Sherlock Forensics Browser Viewer support?
Sherlock Forensics Browser Viewer supports Chrome, Edge, Firefox, Brave, Opera, Opera GX, Vivaldi and Tor. It auto-detects every installed browser and all profiles on the system.
Does it work while the browser is open?
Yes. Sherlock Forensics Browser Viewer copies browser databases to a temporary file before reading them. This means it works while browsers are running and never locks or interferes with active browser sessions.
Is the analysis read-only and forensically sound?
Yes. The tool copies browser databases to a temp location and reads only from the copy. The original browser data files are never modified. This preserves forensic integrity and ensures the source evidence remains unaltered.
What artifacts does it extract?
Four artifact categories: History (URLs, page titles, visit counts, timestamps), Bookmarks (with full folder path), Downloads (source URL, target path, file size, download state) and Extensions (name, version, enabled state, install date).
Does it extract cookies or saved passwords?
Not yet. The current version focuses on history, bookmarks, downloads and extensions. Cookie and password extraction may be added in a future release.
Does my data stay local?
Yes. Sherlock Forensics Browser Viewer runs entirely on your local machine. No browser data is transmitted to any server. All analysis happens locally on your workstation.
What is the difference between Free and Forensic Edition?
The Free edition lets you view, search, filter and sort all browser data from all detected browsers and profiles. The Forensic Edition at $29 USD adds CSV export of any filtered tab for inclusion in reports, legal filings or documentation.
Does it support Tor Browser?
Yes. Sherlock Forensics Browser Viewer detects and extracts artifacts from Tor Browser installations. This includes browsing history, bookmarks, downloads and extensions stored locally by the Tor Browser.
Does Sherlock Forensics Browser Viewer work on Linux?
Yes. Sherlock Forensics Browser Viewer is available as a native Linux x64 binary. Download the .tar.gz archive, extract and run. Requires libgtk-3, libfontconfig1 and libxkbcommon.
What is browser forensics?
Browser forensics is the discipline of extracting and analyzing browsing artifacts (history, bookmarks, downloads, extensions, cookies, cache, session data) as digital evidence. It supports HR investigations, civil and criminal litigation e-discovery, incident response, internal investigations and compliance audits. Sherlock Forensics Browser Viewer performs read-only browser forensics across 8 browsers (Chrome, Edge, Firefox, Brave, Opera, Opera GX, Vivaldi, Tor) with optional CSV export at $29 for forensic reports.
Can I recover deleted browser history with Sherlock Browser Viewer?
Sometimes. When a user clears their browser history, the SQLite urls and visits records are removed from the live database but the SQLite write-ahead-log (WAL) journal often still holds them until the next checkpoint. Sherlock reads the WAL alongside the main database, so you can recover browser history records the live app no longer displays. Older deleted browser history, post-vacuum, requires forensic carving from a disk image (out of scope for a $29 viewer, in scope for our full forensic investigation services).
Can Sherlock Browser Viewer extract incognito browsing history?
Not from disk alone. Chrome incognito, Edge InPrivate, Firefox private browsing and Brave private windows are designed to not persist incognito history to local storage. Sherlock reads the disk-persisted state, so by design it will not surface incognito history from a normal profile read. Incognito history can sometimes be reconstructed from DNS cache, browser cache leaks under crash recovery, network logs, OS prefetch and RAM dumps. Sherlock covers the disk side; pair with memory forensics for the full private browsing timeline.
How is Sherlock Browser Viewer different from Nirsoft BrowsingHistoryView?
Nirsoft BrowsingHistoryView is the long-standing free Windows-only browsing history view utility. It enumerates browser history records but offers no chain of custody, no court-ready PDF, no WAL/unflushed journal reads for deleted browser history, no Linux support and no unified browser timeline across the Chromium and Gecko families. Sherlock Browser Viewer is the Nirsoft alternative built for forensic-grade work: WAL reads, cross-platform Windows + Linux, chain of custody in the Forensic Edition and the full $29 CSV export pipeline for legal evidence.
What browser data can be used as evidence in HR investigations?
In an HR investigation browser review, the high-signal artifacts are visited URLs, search queries, downloaded files, browser session data, form-fill records and the browser timeline reconstruction. Visited URLs prove navigation, search queries reveal intent, downloads document data exfiltration, the browser timeline anchors when activity occurred. Sherlock Browser Viewer extracts all of these read-only and exports them via the Forensic Edition CSV. The full operational playbook is in our browser history evidence in HR investigation guide.
Does Sherlock Browser Viewer work on Mac or Linux?
Sherlock Browser Viewer ships as Windows x64 and Linux x64 native binaries. macOS is not currently supported. Linux requires libgtk-3, libfontconfig1 and libxkbcommon. We are evaluating macOS for a future release based on customer demand. For macOS browser forensics today, the Sherlock workflow is to acquire the macOS browser profiles via a forensic disk image and analyze on Linux or Windows.
Can I extract browser history from a forensic disk image?
Yes, indirectly. Sherlock Browser Viewer reads from a live filesystem path, so the standard workflow is to mount the forensic disk image read-only (using OSFMount, FTK Imager, Linux losetup or similar) and point Sherlock at the mounted profile path. The tool then enumerates chrome history, firefox history, edge history, bookmarks, downloads and extensions exactly as it would on a live system, with the disk image acting as the read-only source.
How long does Chrome, Firefox or Edge keep deleted browsing history?
Once a user clicks "Clear browsing data" the live records are removed from the SQLite urls and visits tables. The SQLite WAL journal retains the deleted browser history records until a checkpoint is triggered. Default WAL auto-checkpoint thresholds vary: Chrome and Edge commonly checkpoint at 1000 pages or browser shutdown, Firefox checkpoints on session close. After checkpoint and vacuum, the records are unallocated SQLite pages requiring forensic carving. Sherlock reads pre-checkpoint WAL automatically.
Get Started
Download Sherlock Forensics Browser Viewer Today
Free for viewing, searching, filtering and sorting browser data from 8 browsers. Forensic Edition at $29 USD for CSV export. Built by the same team that delivers expert witness testimony and forensic investigations in Canadian courts. See also: forensic tool suite, chain of custody software and private investigator forensic tools.
Since 2006CISSP, ISSAP, ISSMP certified604.229.1994
Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.
Sherlock Forensics Browser Viewer is provided for lawful use. Terms of Service