Forensic Examiners
Extract browser artifacts from suspect machines during forensic investigations. Read-only analysis preserves evidence integrity. CSV export feeds directly into forensic reports and case documentation.
Extract history, bookmarks, downloads and extensions from 8 browsers. Auto-detects all profiles. Forensically sound. Built by CISSP, ISSAP, ISSMP certified examiners.
Sherlock Forensics Browser Viewer is a free Windows desktop tool that extracts browsing history, bookmarks, downloads and extensions from Chrome, Edge, Firefox, Brave, Opera, Opera GX, Vivaldi and Tor. It auto-detects every profile, copies databases to a temp file for read-only analysis and works while browsers are open. The Forensic Edition at $29 USD adds CSV export of any filtered tab.
Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.
e52b07b98b5a15ce1423675b0994e0bc80d502ea2bb6dc09dcbdb483de1cc288
How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-browser-viewer.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.
Forensic Context
Browser forensics extracts and analyzes browsing artifacts as digital evidence. The discipline matters across HR investigation browser reviews, civil litigation e-discovery, regulated-industry compliance audits, child internet monitoring and internal misconduct investigations. Sherlock Forensics Browser Viewer is built for the practical end of browser forensics: read-only extraction of browser history, bookmarks, downloads and extensions across 8 browsers, with optional CSV export for forensic reports and legal filings.
In an HR investigation browser review, the artifacts that matter are visited URLs (where the employee navigated), search queries (intent signals), browser timeline reconstruction (when activity occurred), downloaded files (data exfiltration evidence) and form data (account access patterns). For civil litigation e-discovery, browser history is increasingly listed in document requests alongside email and chat. For regulated industries (healthcare, finance, government), compliance auditors check browser activity against internet-usage policy. For parental monitoring, browser history reveals the platforms a child actually uses versus what they say they use.
Sherlock's read-only extraction model keeps the browser history evidence forensically sound. The Forensic Edition adds CSV export so investigators can deliver structured browser-evidence packets to HR, legal counsel or compliance officers without the back-and-forth screenshotting that wastes investigator time. Pair the tool with our browser history evidence in HR investigation guide and browser forensics extraction methodology walkthrough for the full operational playbook. See also the Browser Viewer 1.0 launch notes for the build history. For the parallel mailbox-forensics layer of HR investigations and incident response, pair Browser Viewer's browser-history extraction with Sherlock Forensics PST Viewer for the email and calendar artifact extraction from the same custodian's mailbox. To preserve chain-of-custody on the exported CSV, hash the file with Sherlock Forensics Hash Calculator at the moment of acquisition and again at the moment of delivery to legal counsel or HR; matching hashes prove the evidence has not been altered in transit.
Compatibility
Auto-detects every installed browser and all profiles on the system.
Extraction
Complete browsing history from all detected browsers and profiles.
All saved bookmarks with full folder hierarchy.
Download records from all browsers.
Installed browser extensions and add-ons.
Browser-Specific Extraction
Each browser family stores its artifacts in a different SQLite schema. Sherlock Forensics Browser Viewer normalizes browser forensics across the Chromium and Gecko stacks so the investigator works in a single unified browser timeline rather than juggling six separate forensic tools and six different export formats.
Competitor Displacement
Nirsoft BrowsingHistoryView is the free Windows-only browsing history view utility that has dominated the casual browser forensics space for over a decade. It's a single-purpose tool: enumerate browser history records and dump them to a list. For a casual one-off lookup of nirsoft browsing history records, the free browsing history view utility still works and we'll be the first to say so. The nirsoft browsing history workflow stops short of forensic-grade output and for evidentiary work the gaps are real.
| Capability | Nirsoft BrowsingHistoryView | Sherlock Forensics Browser Viewer |
|---|---|---|
| Browser support | Chromium family + Firefox + IE (legacy) | Chromium family + Firefox + Brave + Opera + Opera GX + Vivaldi + Tor |
| Cost | Free | Free to view, $29 CSV export |
| OS support | Windows only | Windows + Linux x64 |
| Forensic chain of custody | None | Yes (Forensic Edition) |
| Court-ready PDF report | None | Yes (Forensic Edition) |
| Tor Browser support | No | Yes |
| Extension + bookmark forensic timeline | No | Yes |
| Cross-browser unified browser timeline | Partial | Yes |
If you need to answer "did this user visit this URL on this date" for a curiosity case, the nirsoft browsing history dump from the free browsing history view tool is fine. If you need to deliver chrome history, firefox history and edge history records as evidence in an HR investigation, an e-discovery production or a court filing, the BrowsingHistoryView output is not enough. You need a tool that runs on Windows and Linux, supports Tor Browser, normalizes records across the Chromium and Gecko families into a unified browser timeline, ships a chain of custody manifest with the Forensic Edition and exports cleanly to CSV for the evidence binder. That is what Sherlock Forensics Browser Viewer was designed to do as the Nirsoft alternative for forensic work. The full side-by-side is in our Sherlock Forensics Browser Viewer vs Nirsoft BrowsingHistoryView comparison plus the broader competitor positioning context in our Cellebrite vs Magnet AXIOM 2026 breakdown.
Compare
| Feature | Free | Forensic Edition ($29) |
|---|---|---|
| View all browser data | Yes | Yes |
| Search across all browsers | Yes | Yes |
| Filter by date, URL, keyword | Yes | Yes |
| Sort any column | Yes | Yes |
| Auto-detect all profiles | Yes | Yes |
| Read-only forensic analysis | Yes | Yes |
| Works while browser is open | Yes | Yes |
| CSV export of any filtered tab | No | Yes |
Pricing
5+ machines? Contact us for volume pricing.
Use Cases
Extract browser artifacts from suspect machines during forensic investigations. Read-only analysis preserves evidence integrity. CSV export feeds directly into forensic reports and case documentation.
Review employee browsing activity on corporate workstations during workplace investigations. Filter by date range or keyword. Export filtered results for HR documentation without involving IT.
During security incidents, extract browser history to identify malicious downloads, phishing URLs and compromised credentials. Works on live systems without disrupting the user session. See our incident response services for full investigation support.
Collect browser evidence for civil and criminal proceedings. Pairs with our expert witness services for testimony support. CSV exports provide structured data for legal review platforms.
Review browsing history across all browsers installed on a family computer. See every profile, every browser. Free edition provides full visibility without any purchase required.
Guide
Recovery Reality
The two most common buyer questions on browser forensics are: can I recover deleted browser history and can I retrieve incognito history. The honest answers depend on what was deleted, how it was deleted and whether the browser had time to commit the changes to disk.
When a user clears their chrome history, the SQLite urls and visits records are removed from the live database. To recover records that the user has explicitly deleted, the workflow is forensic carving: acquire the disk image with Sherlock Forensics Disk Imager, then mount the resulting E01 or DD image and point Browser Viewer at the mounted profile path. For deleted-record carving against the unallocated SQLite pages, the workflow chains into our forensic carving service. Sherlock Forensics Browser Viewer reads the live committed browser history databases as they exist on disk at the time of acquisition and does not perform freelist or unallocated-page carving against the SQLite files. For the carving workflow that does recover explicitly-deleted records, the right path is a forensic disk image plus the carving service.
Older deletions are harder. Once the WAL is checkpointed and the SQLite database is vacuumed, the recover browser history path requires unallocated-page carving or full-disk-image forensic carving. That is out of scope for a $29 browser viewer but it is in scope for our full forensic investigation services, where we recover browser history from disk images for civil and criminal matters.
Chrome incognito mode, Edge InPrivate, Firefox private browsing and Brave private windows are designed to NOT persist incognito history to the local SQLite database. By design, Sherlock Forensics Browser Viewer reads the disk-persisted state and will not surface incognito history from disk alone. Incognito history is not always perfectly invisible: DNS resolver cache, OS-level prefetch artifacts, network-adapter logs, hosts-file lookups, the browser cache that sometimes leaks under crash recovery and RAM dumps (if captured at the right moment) can all expose private browsing activity. For an incognito history investigation Sherlock covers the disk-artifact side. Combine with memory forensics and network logs for a complete private browsing timeline reconstruction.
Questions
Get Started
Free for viewing, searching, filtering and sorting browser data from 8 browsers. Forensic Edition at $29 USD for CSV export. Built by the same team that delivers expert witness testimony and forensic investigations in Canadian courts. See also: forensic tool suite, chain of custody software and private investigator forensic tools.
Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.
Sherlock Forensics Browser Viewer is provided for lawful use. Terms of Service
Your email is optional. If you provide it, we send 3 product introduction emails over the next 2 weeks. No long-term marketing. No data sharing. Skip the field and download directly.
$29.00 USD. One-time payment. License key delivered to your email.