If you use the free Avast Antivirus software, your web history is logged on your device even if you browse in “Private” or “Incognito” mode. Avast creates a database file called URL.db on the user’s machine. URL.db is a complete log of browsing history, regardless of browsing mode or deletion of browsing history.
Justin Bartshe, an Investigative Computer Specialist at the US Navy’s Naval Criminal Investigative Service (NCIS) Cyber Operations Field Office (CBFO), made this discovery earlier this year. Bartshe is part of a globally-based team of digital forensic examiners who support criminal and counter-intelligence investigations by providing assistance in the seizure, imaging, processing, and examination of digital evidence.
He is quick to point out, however, that he made his observations about URL.db on a computer not associated with the US government or military. In his work, Bartshe and his colleagues are frequently tasked with digital forensics in non-military contexts.
The Discovery of URL.db
Bartshe submitted a write-up pertaining to URL.db, a SQLite database maintained by Avast’s free anti-virus software. This file is used to store information about a user’s Internet browsing history, primarily centered on downloaded files in a table titled “URLs.” Additionally, in a separate “Paths” table, it appears to note executable files run by the user.
According to Bartshe, the conditions that led to the user’s history being stored appear largely dependent on the type of browser. In Avast Free Antivirus (version 17.5.2302 during testing), history artifacts were found more often when using Internet Explorer or Microsoft’s new Edge browser. Some items could be found relative to Chrome and Firefox (pre-Quantum), but on a much smaller scale. Items that were found included primarily downloaded files, executables, and some cache items. Bartshe shared, “Logically, it makes sense that antivirus software would be scanning files as they hit the disk, but the real surprise came when noting that even files downloaded using ‘InPrivate’ and ‘Incognito’ browsing modes were also being tracked by this database.”
As Bartshe explained, “When performing an examination of a computer, I review the file system, so I wasn’t targeting any specific database or file. Basic search routines are performed to view user data and in one particular case, I noted gaps in the user’s browsing history. Several relevant entries were identified in the Avast URL.db that filled those gaps.”
He added, “At the time, I could not immediately determine the purpose of the database, but being an Avast customer myself, I examined my own system and was surprised to find a fairly large file of the same name and path containing a snapshot of my browsing and download history dating back to when I first installed Avast on my system. Unfortunately, it is not apparent what browser each item stems from, whether or not ‘incognito’ browsing was used, or what user profile generated the activity.”
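As an added example (not from the article, and not Avast's or NCIS's code), a read-only triage of a copy of URL.db: it lists the “URLs” and “Paths” tables the article names, discovers their columns from the file itself rather than assuming them, and searches every text cell for a filename, which is how an examiner would use the database to fill gaps in browser history. The sample database it builds is constructed with a guessed layout, since the real columns are not published.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List, Tuple

# Tables the article reports inside URL.db; their columns are not published,
# so the queries below discover column names at run time instead of guessing.
TABLES_OF_INTEREST = ("urls", "paths")

def dump_tables(path: str) -> Dict[str, Tuple[List[str], List[tuple]]]:
    """Return {table: (columns, rows)} for the URLs and Paths tables, opening
    the evidence copy read-only so the examination never writes to it."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        out = {}
        for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            if name.lower() in TABLES_OF_INTEREST:
                cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{name}")')]
                out[name] = (cols, conn.execute(f'SELECT * FROM "{name}"').fetchall())
        return out
    finally:
        conn.close()

def search(path: str, needle: str) -> List[Tuple[str, tuple]]:
    """Case-insensitive substring search over every text cell, the way an
    examiner would look for a download that is missing from browser history."""
    needle = needle.lower()
    return [(table, row)
            for table, (_cols, rows) in dump_tables(path).items()
            for row in rows
            if any(isinstance(v, str) and needle in v.lower() for v in row)]

def build_sample_db() -> str:
    """Constructed stand-in for URL.db with a guessed one-text-column-per-table
    layout (the real columns are undocumented). Returns the temp file path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE URLs(id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE Paths(id INTEGER PRIMARY KEY, path TEXT);"
        "INSERT INTO URLs(url) VALUES ('https://example.test/setup.exe');"
        "INSERT INTO Paths(path) VALUES ('C:\\Users\\demo\\Downloads\\setup.exe');"
    )
    conn.commit()
    conn.close()
    return path
```

Run it against a forensic copy of the file, never the live one on the suspect machine, and compare the hits against the browser's own history to see which entries the browser no longer holds.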
Impact on Digital Forensics
The existence of the URL.db file has an impact on digital forensics. In court, digital forensic examiners need to be able to confidently take the stand, explain what they found, and be sure they’re accurately representing the data. Bartshe noted, “In this case, it was simply a matter of recreating the database, generating some history via multiple browsers and browsing modes, and examining that database to see if the activity matched. However, not all artifacts are so straightforward, and require a person to go the extra mile and truly understand the data and what it represents.”
How Should Users View URL.db?
It’s probable that most PC users, certainly consumers, do not understand the depth and detail of how their online activities are logged. Yet, the practice is a standard part of providing cyber security for devices. When asked about URL.db, Avast’s CTO and EVP, Ondrej Vlcek, commented, “URL.db is a file used by Avast Antivirus to provide a persistent storage of source URLs that were used to download binary executable files. Its function is to remember the URLs of downloads that lead to executable files, as such information can be very helpful when making a decision whether a given file is trustworthy or not, and is, therefore, very important for the core functionality of the antivirus product.”
Users who may feel the urge to complain about URL.db should acknowledge that Vlcek is correct. To work, anti-virus software must “remember” the complete history of a particular machine. Vlcek also pointed out that “The URL.db file is stored on the local file system and is not available for external access. It contains URLs used to access binary files only, not common content such as HTML pages or images. Capturing of the source URL and its storing to the database happens independent of the requesting process on the PC, on a network driver level. That is, it doesn’t matter if the executable file is downloaded via a browser or any other process, and/or whether a given browser runs in a private mode or not. Avast only uses the database when scanning a particular binary file. When doing so, Avast computes the hash of the file and uses it to look up the source URL in the database.”
He concluded by saying, “We only touch the database in cases where the scanned file is already on the disk, while it is being scanned by the program. Beyond this, no further analysis of the URLs from the URL.db database is performed. Our job is to protect our users, and one of the key mechanisms we do that is by taking the source URL of downloaded files into consideration, which is why the URL.db is there and why it’s so important.”
When asked for comment on the issue of how their users’ history was logged even in private mode, Mozilla declined to comment. Microsoft referred us to Avast for comment. Google did not respond to a request for comment.
The real questions are how they handle the personal information they collect and, more importantly, whether they use it for anything other than the functionality of their product. They include a disclosure under California Civil Code § 1798.83 of (1) the categories of personal information that they have disclosed to third parties within the prior year, if that information was subsequently used for marketing purposes; and (2) the names and addresses of all such third parties to whom such personal information was disclosed, and they say that there is none. So, they seem to be handling the data correctly, and parties can contract to share data as they are here.”
Cyber Policy Perspective
So, it’s legal and necessary. Users may still be surprised to learn about how their history is logged. From a policy perspective, the URL.db revelation should prompt a number of takeaways. As always, it’s essential to read privacy agreements and end user agreements carefully. For entities that engage in file preservation for e-discovery purposes, it would be wise to understand exactly what data is being preserved on the systems in question. Knowledge of potential forensic outcomes might guide decisions on data retention and device disposal policies.