
Browser Forensics
6/3/2015
PC and Mobile Browser Evidence
Jad Saliba
Ryan Duquette
Agenda
• PC and Mobile based browsers
• Closer look into where they store data and what IEF recovers
• Specific Chrome and Firefox artifacts
• Refined Results
• Various URL Results
• Google Search URLs vs Parsed Search Queries
• Google Map Queries
• Our “Browser Activity” category
• In-Private/Recovery artifacts v PrivacIE
• Flash Cookies
• Google Analytics
• Rebuilt Webpages
IEF Browser Artifacts
PC Based Artifacts
Mobile Based Artifacts
Browsers – Market Share
Browsers – Market Share (chart slide; figures not reproduced in the text)
Chrome
PC Based Browsers - Chrome
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Google/Chrome/User Data/Default
• Chrome Incognito
PC Based Browsers - Chrome
Chrome
• Web History
• Web Visits
• Search Terms
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Sessions
• Last Tabs
• Cache Records
Firefox
PC Based Browsers - Firefox
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache
• Firefox Private Browsing
PC Based Browsers - Firefox
Firefox
• Bookmarks
• Cookies
• Downloads
• Fav Icons
• Form History
• Form Input History
• Web History
• Session Store
• Cache Records
• Web Visits
• Private Browsing History
Internet Explorer
PC Based Browsers – Internet Explorer (5-9)
• index.dat files
• \Documents and Settings\[username]\Local Settings\History\History.IE5
PC Based Browsers – Internet Explorer (5-9)
IE (5-9)
• Cache
• Cookies
• Downloads
• Main History
• Daily History
• Weekly History
• Leak
• PrivacIE
• Redirect
• Typed URLs
• InPrivate/Recovery URLs
PC Based Browsers – Internet Explorer (10+)
• No more index.dat
• ESE Databases
• Webcache.dat and log files
• %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/History
• InPrivate Browsing
PC Based Browsers – Internet Explorer (10+)
IE (10+)
• Content (similar to Cache)
• Cookies
• Main History
• Daily/Weekly History
• Dependency Entries
• Downloads
THIS IS MICROSOFT EDGE!
Browsers – Microsoft Edge
• The database filename is “WebCacheV01.dat” (unchanged from IE10/11).
• The recovery/InPrivate (“travel log”) record format has not changed either.
• It looks like the plan will be to keep both browsers on Windows 10 (IE11 and Edge) at least for now, so IE11 can be used for older website compatibility.
• You’ll want to make sure to recover browser history from both browsers in their respective locations (IE11 history is still stored in this folder: C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache).
Browsers – Microsoft Edge
Some slight path differences:
• Cookies are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\Cookies
• The cache/Temporary Internet Files are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\Cache
• Recovery URL files are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\User\Default\Recovery
• The location for browsing history is in this folder: C:\Users\<username>\AppData\Local\Spartan\Database
Mobile
Mobile Based Browsers - Android
Chrome on Android:
• Data stored in ROOT/data/data/com.android.chrome/app_chrome/Default
• Sqlite.db files are not obfuscated/encrypted
Firefox for Android:
• Data stored in ROOT/data/data/org.mozilla.firefox
• Sqlite.db files are not encrypted
Mobile Based Browsers - Android
Chrome - Android
• Webkit Artifacts
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Login Data
• Cookies
• Archived Web History
• Fav Icons
• Bookmarks
• Cache
• History
• Searches
Mobile Based Browsers - Android
Firefox – Android
• Cache Records
• Web History
• Bookmarks
• Form History
• Cookies
Mobile Based Browsers - iOS
Chrome on iOS:
• Data stored in ROOT/private/var/mobile/Applications/5661B076-549E-4480-B940E96C6DA4E0BA (GUID may differ on each device)
• User data stored in ChromeROOT/Library/Application Support/Google/Chrome/Default/
• Not encrypted or obfuscated
Safari on iOS:
• Data stored at ROOT/private/var/mobile/Applications/6551E25E-89C0-4CCD-B8DE9F3949D59EDB (GUID may differ on each device)
• User data in SafariROOT/Library/Caches/com.apple.mobilesafari
• Not encrypted or obfuscated
Mobile Based Browsers - iOS
Chrome - iOS
• Webkit Artifacts
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Login Data
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Tab
• Cache
Mobile Based Browsers - iOS
Safari – iOS
• Bookmarks
• Web History
• Cache Records
Mobile Based Browsers – Windows Phone
Data Stored in:
• \User\DefApps\APPDATA{218A0EBB-1585-4C7E-A9EC-054CF4569A79}\
Mobile Based Browsers - Windows Phone
Internet Explorer – Windows Phone
• Cache
• Cookies
• Downloads
• History Main
• History Daily
• History Weekly
• IE Leak
• IE Privacy
• IE Redirect
• IE Cache
• IE Cookies
• Typed URLs
Chrome Tabs / Sessions (Last / Current)
Chrome
Current Session
• Contains URLs from current Chrome session
• “Last Session” file contains data from the previous session
Chrome Current Tabs
• Currently opened URLs / tabs
• “Last Tabs” file also exists
• Data is in an “SNSS” format (proprietary)
Chrome FavIcons, History Index, Top Sites, and more!
Chrome Logins
• Great place to start an investigation to see what websites a user logged into
Chrome Favicons
• Stores the “favicons.ico” data for sites
• Timestamp is not necessarily the last visited time
Chrome History Index
• Stores text content from websites visited
• Can provide great information regarding site content
• Useful for keyword searches
Chrome Top Sites
• Stores a thumbnail of a “top site”
• Top Sites are frequently visited sites
Chrome Web History
• Consolidated history view
• Does not show every visit time, only visit counts, etc.
• Useful for quick overview
Chrome Web Visits
• Every visit shown
• Useful for timelines, extra detail
• http://bit.ly example here lines up with previous slide
Chrome/etc Carved History
• Carved URLs that were stored in the Chrome SQLite format
• 360 Safe Browser, Opera, and potentially other browsers store history in the same format
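The “Web History” and “Web Visits” views above correspond to the urls and visits tables of Chrome’s History SQLite file: urls holds one row per address with a visit count and last visit, visits holds every visit with its timestamp and transition. The Python below is an added example (not from the slides and not IEF code) that builds a small in-memory stand-in for that database from constructed rows, converts Chrome’s WebKit timestamps (microseconds since 1601-01-01 UTC) to UTC, and produces both views. The table subset and the core transition codes are Chrome’s public schema; the URLs, titles and times are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 00:00:00 UTC (WebKit time).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types from Chrome's history schema (low byte of visits.transition).
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}


def chrome_time_to_utc(microseconds):
    """Convert a WebKit/Chrome timestamp to an ISO 8601 UTC string."""
    return (CHROME_EPOCH + timedelta(microseconds=microseconds)).isoformat()


def build_sample_history():
    """Constructed in-memory stand-in for Chrome's 'History' database (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    base = 13073371200000000  # constructed: 2015-04-13 04:00:00 UTC in WebKit time
    hour = 3600 * 1000000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://bit.ly/example", "bit.ly", 3, base + 2 * hour),
        (2, "https://www.google.com/search?q=cambridge+on", "cambridge on - Google Search",
         1, base + hour // 6),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, base, 0, 1),              # typed into the address bar
        (2, 2, base + hour // 6, 0, 5),  # generated (omnibox search)
        (3, 1, base + hour, 2, 0),       # followed a link, referred from visit 2
        (4, 1, base + 2 * hour, 0, 8),   # reload
    ])
    return conn


def web_history(conn):
    """'Web History' view: one row per URL, visit count and last visit only."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY id")
    return [(url, title, count, chrome_time_to_utc(t)) for url, title, count, t in rows]


def web_visits(conn):
    """'Web Visits' view: every visit in time order with referrer and transition (timeline material)."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, v.from_visit, v.transition
        FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""")
    return [(chrome_time_to_utc(t), url, from_visit, CORE_TRANSITIONS.get(tr & 0xFF, "UNKNOWN"))
            for t, url, from_visit, tr in rows]


if __name__ == "__main__":
    conn = build_sample_history()
    for row in web_history(conn):
        print("history:", row)
    for row in web_visits(conn):
        print("visit:  ", row)
```

Against a real profile, replace build_sample_history with sqlite3.connect on a copy of the History file (Chrome holds a lock on the live one) and keep the two queries as they are; the urls row tells you a page was seen three times, the visits rows tell you when and how.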
Firefox Session Store
Firefox Session Store Artifacts
• SessionStore.js, SessionStore.bak
• Similar to Last Session/Tabs in Chrome
• Can be carved
• Can contain the referring site
Refined Results
• Categorizes commonly investigated URLs for easier analysis
• Multiple artifact sources/browsers
• Investigators can create custom lists or add to existing list
• Recovers search queries from common search engines such as Google and Bing
Refined Results – Various URLs
IEF searches for:
• Classified URLs
• Cloud Services URLs
• Dating Site URLs
• Facebook URLs
• Tax Site URLs
• Web Chat URLs
• Pornography Site URLs
• Social Media URLs
• Torrent Site URLs
• Malware URLs
Social Media URLs
• Good place to start investigation to see user activity in relation to social media conversations.
Initial Introductions – LinkedIn
• Many social media sites are connected to an email account
Facebook URLs
• Potential Activity
• Snapshot of FB Activity
Google Searches
Google Searches
• Original Search Query
• Timestamp differences (favicon)
• &ei= parameter
• Search Session timestamp
Refined Results – Google Searches vs Parsed Search Queries
IEF uses REGEX expressions and will search through all Browser data.
• ^https?://(?!maps).*\.google\..*/ | Google Searches
• (\&|\#|\?)q= | Google Searches
Refined Results – Google Searches vs Parsed Search Queries
IEF will parse Search Queries from the following:
• bing | Bing
• yahoo | Yahoo
• youtube | YouTube
• piratebay | PirateBay
• facebook | Facebook
• ?value= | Facebook
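To show how the two Google regexes above and the per-engine keywords combine into a parsed search query, here is an added Python example (not from the slides and not IEF code). It applies the slide’s two Google patterns, then pulls q= from either the query string or the fragment (Google has carried the query after “#”), and falls back to keyword matching on the host for Bing, Yahoo and YouTube. The query parameter names for the other engines (q, p, search_query) and the sample URLs are my assumptions; the “?value=” Facebook case is not handled. One caveat the example makes explicit: the slide’s host regex only excludes a maps.* host, so new-style https://www.google.com/maps/… URLs (shown later in the deck) still match it and need a path check so they are not reported as searches.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two Google patterns exactly as given on the slide.
GOOGLE_HOST_RE = re.compile(r"^https?://(?!maps).*\.google\..*/")
QUERY_PARAM_RE = re.compile(r"(\&|\#|\?)q=")

# Keyword -> engine -> query parameter. Keyword matching on the host is the slide's approach;
# the parameter names are assumptions about how each engine encodes the query.
OTHER_ENGINES = [("bing", "Bing", "q"), ("yahoo", "Yahoo", "p"), ("youtube", "YouTube", "search_query")]


def parse_search(url):
    """Return {'engine', 'query', 'ei'} for a recognised search URL, or None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    params = parse_qs(parts.query)
    params.update(parse_qs(parts.fragment))  # Google has placed q= after '#'
    if GOOGLE_HOST_RE.match(url):
        # Caveat: the slide regex only excludes a maps.* host, so www.google.com/maps/...
        # still matches it; the path check keeps map URLs out of the search results.
        if parts.path.startswith("/maps"):
            return None
        if QUERY_PARAM_RE.search(url) and "q" in params:
            return {"engine": "Google", "query": params["q"][0],
                    "ei": params.get("ei", [None])[0]}  # ei kept raw, not decoded here
        return None
    for keyword, engine, key in OTHER_ENGINES:
        if keyword in host and key in params:
            return {"engine": engine, "query": params[key][0], "ei": None}
    return None


def parse_search_hits(urls):
    """Run over a list of URLs (e.g. from history tables or carved data) and keep the parsed hits."""
    hits = []
    for url in urls:
        hit = parse_search(url)
        if hit:
            hits.append((url, hit))
    return hits


# Constructed sample URLs (not from a real case).
SAMPLE_URLS = [
    "https://www.google.com/search?q=cambridge+on+map&ei=AbCdEfGh",
    "https://www.google.ca/#q=browser%20forensics",
    "https://maps.google.com/maps?q=ayr+on",                                     # excluded by (?!maps)
    "https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,-80.332588,12z",  # excluded by path check
    "https://www.bing.com/search?q=ief+artifacts",
    "https://search.yahoo.com/search?p=sqlite+history",
    "https://www.youtube.com/results?search_query=chrome+incognito",
    "https://www.example.com/?q=not+a+search+engine",                           # no engine, ignored
]

if __name__ == "__main__":
    for url, hit in parse_search_hits(SAMPLE_URLS):
        print(hit["engine"], "|", hit["query"], "|", url)
```

Because the keyword test is a plain substring match on the host, a site such as climbing.example would also trip the “bing” keyword if it happened to carry a q= parameter; when tuning custom lists, anchor the keyword to a host label rather than any substring.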
Google Translate
• Translation string
• Language from/to
Google Maps
• Started in 2004
• Over 1,162,460 sites use Google Maps
• Overtook MapQuest in terms of traffic in 2009
• Google Maps Navigation, included on Android handsets,
has guided users 12 billion miles a year
• 200 million users on Google Maps for Mobile
• Cases involving runaway youths, kidnapping, luring, homicide
Google Maps
• Temporary Internet Files
• RAM captures
• pagefile.sys / hiberfil.sys
Google Maps
• Uses a tile system to display maps
• Each tile is 256x256 pixels
• Filename in Temporary Internet Files contains x, y, and z coordinates
• Coordinates are based on a world map
• x, y requires the z value (zoom)
Examples:
• lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png
• &x=9054&y=11982&z=15.png
Google Maps
Google Maps
Tiles can be downloaded:
http://mt.google.com/vt/&x=XXX&y=XXX&z=XXX
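The x, y, z values in a cached tile filename locate a 256×256 square on the Web Mercator world grid, where 2^z tiles span the map in each direction; that is why x and y mean nothing without z. The Python below is an added example (not from the slides and not IEF code) that extracts x, y, z from the two filename forms shown above, converts them to the tile’s latitude/longitude bounds, and provides the inverse (which tile covers a given point) as a cross-check. The projection formulas are the standard Web Mercator tile maths; the sample filenames are the ones on the slide.

```python
import math
import re

TILE_SIZE = 256  # pixels per tile, as the slide states
TILE_NAME_RE = re.compile(r"x=(\d+)&y=(\d+)&z=(\d+)")


def parse_tile_name(filename):
    """Pull (x, y, z) out of a cached tile filename; None if the pattern is absent."""
    m = TILE_NAME_RE.search(filename)
    return tuple(int(g) for g in m.groups()) if m else None


def tile_to_latlon(x, y, z):
    """North-west corner of tile (x, y) at zoom z, Web Mercator grid -> WGS84 degrees."""
    n = 2 ** z
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lat, lon


def tile_bounds(x, y, z):
    """Bounding box of the tile: NW corner of this tile and NW corner of the next one diagonally."""
    north, west = tile_to_latlon(x, y, z)
    south, east = tile_to_latlon(x + 1, y + 1, z)
    return {"north": north, "south": south, "west": west, "east": east}


def latlon_to_tile(lat, lon, z):
    """Inverse: which tile at zoom z covers a given point (degrees)."""
    n = 2 ** z
    lat_rad = math.radians(lat)
    x = int((lon + 180.0) / 360.0 * n)
    y = int((1.0 - math.log(math.tan(lat_rad) + 1 / math.cos(lat_rad)) / math.pi) / 2.0 * n)
    return x, y


def describe_tile_file(filename):
    """Turn a cached tile filename into coordinates plus the ground area it covers."""
    coords = parse_tile_name(filename)
    if coords is None:
        return None
    x, y, z = coords
    result = {"x": x, "y": y, "z": z}
    result.update(tile_bounds(x, y, z))
    # Longitude span of one tile at this zoom: the precision of the location evidence.
    result["lon_width_deg"] = 360.0 / (2 ** z)
    return result


if __name__ == "__main__":
    for name in ("lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png",
                 "&x=9054&y=11982&z=15.png"):
        print(name, "->", describe_tile_file(name))
```

The z=4 sample covers a block of the Atlantic and Caribbean roughly 22 degrees on a side, while the z=15 sample resolves to a small area around 43.47°N, 80.53°W; a cached z=15 tile is therefore far stronger evidence of interest in a specific place than a z=4 tile, which is what a user sees when the map first opens.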
http://www.darrinward.com/latlong/
New Google Maps
• Newer version of Google Maps launched in March 2014
• Tile filenames and URLs are different now (thanks, Google!)
• It’s not pretty:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
New Google Maps
The new URLs:
https://www.google.com/maps/@43.7242262,-79.4051719,12z
https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70
https://www.google.com/maps/dir/Ayr,+ON,+Canada/123+Gunn+Ave,+Cambridge,+ON+N3C+2Z6,+Canada/@43.3588082,80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d80.2990956!2d43.4253036
New Google Maps
The new tiles:
• Sample filename:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
• Another sample, slightly different:
• pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png
Browser Activity
• Targeting Incognito, Private browsing
• Why it’s called Browser Activity
• Need to look at multiple variables
Another example
The Source column
• A real hit
• User activity
• Source is helpful
Refined Results – Various URLs
(screenshot; callouts: Original Search Term, Google Searches, Classified URLs)
Refined Results – Various URLs
(screenshot; callout: Never visited this webpage)
InPrivate/Recovery URLs
• More context, but still limited
• InPrivate vs Recovery
• Source is a clue again
• Hits from pagefile, unallocated are more difficult
Incognito/Private Browsing Mode
Firefox Private browsing
Firefox Private browsing
Observations:
• Nothing is written to disk (relating to web activity)
• Great deal of data left behind in RAM, pagefile.sys, and hiberfil.sys
• However, hard to pinpoint if records were from the user or browser processes (cert authority URLs sometimes found)
• Also hard to label as Firefox history (could be from Chrome or other browsers)
Chrome Incognito browsing
Chrome Incognito browsing
Observations:
• Nothing is written to disk (relating to web activity)
• Good deal of data left behind in RAM, pagefile.sys, and hiberfil.sys
• However, hard to pinpoint if records were from the user or browser processes (cert authority URLs sometimes found)
• Like Firefox, also hard to label as Chrome history (could be from Firefox or other browsers)
Flash Cookies / Local Shared Objects
• Cookies stored by Macromedia Flash
• Different format and location from traditional browser cookies
• Can contain metadata or user identifying info
• Not easily deleted
• Can reveal visited sites even when Incognito/etc
• Stored in .sol files
• Under AppData or Application Data
• Folder location can be indicative as well
Google Analytics
Google Analytics Cookies
Google Analytics cookie data parsed by IEF into sub-categories:
• First Visit
• Referral
• Session
Each sub-category represents separate record entries from the same Google Analytics cookie file
Google Analytics First Visit Cookies
Timestamps stored as Unix numeric values
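The three sub-categories above come from three classic Google Analytics cookies: __utma carries the first, previous and current visit times and the session count, __utmb the current session, and __utmz the referral (source, medium, campaign and, for organic hits, the search term). The Python below is an added example (not from the slides and not IEF code) that splits each dotted value into its fields, converts the Unix timestamps to UTC, and skips a truncated value rather than guessing at it, as carved cookie data often is. The field layouts are the documented __utm* formats; the cookie values are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import unquote


def unix_to_utc(value):
    """GA cookie timestamps are plain Unix seconds; return an ISO 8601 UTC string."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def parse_utma(value):
    """__utma: domain hash . visitor id . first visit . previous visit . current visit . sessions"""
    domain_hash, visitor_id, first, previous, current, sessions = value.split(".")
    return {"category": "First Visit", "domain_hash": domain_hash, "visitor_id": visitor_id,
            "first_visit": unix_to_utc(first), "previous_visit": unix_to_utc(previous),
            "current_visit": unix_to_utc(current), "session_count": int(sessions)}


def parse_utmb(value):
    """__utmb: domain hash . pageviews this session . outbound clicks . session start"""
    domain_hash, pageviews, outbound, start = value.split(".")
    return {"category": "Session", "domain_hash": domain_hash, "pageviews": int(pageviews),
            "outbound_clicks": int(outbound), "session_start": unix_to_utc(start)}


def parse_utmz(value):
    """__utmz: domain hash . timestamp . sessions . campaigns . utmcsr=..|utmccn=..|utmcmd=..|utmctr=.."""
    # maxsplit=4 keeps dots inside the campaign part (e.g. utmcsr=bing.com) intact
    domain_hash, ts, sessions, campaigns, campaign = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in campaign.split("|") if "=" in kv)
    return {"category": "Referral", "domain_hash": domain_hash, "timestamp": unix_to_utc(ts),
            "session_count": int(sessions), "campaign_count": int(campaigns),
            "source": fields.get("utmcsr"), "medium": fields.get("utmcmd"),
            "campaign": fields.get("utmccn"),
            "search_term": unquote(fields["utmctr"]) if "utmctr" in fields else None}


PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_ga_cookies(cookies):
    """cookies: iterable of (name, value) pairs as pulled from any browser's cookie store.
    Returns one record per recognised GA cookie; other cookies and malformed values are skipped."""
    records = []
    for name, value in cookies:
        parser = PARSERS.get(name)
        if parser is None:
            continue
        try:
            records.append(parser(value))
        except (ValueError, KeyError):
            continue  # truncated or carved value: do not invent the missing fields
    return records


# Constructed sample cookie values (not from a real case).
SAMPLE_COOKIES = [
    ("__utma", "173272373.1234567890.1428897600.1428897600.1428984000.2"),
    ("__utmb", "173272373.3.10.1428984000"),
    ("__utmz", "173272373.1428984000.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=cambridge%20on"),
    ("PREF", "not-a-ga-cookie"),
    ("__utma", "173272373.1234567890.14288976"),  # truncated: skipped, not guessed
]

if __name__ == "__main__":
    for record in parse_ga_cookies(SAMPLE_COOKIES):
        print(record)
```

The first-visit timestamp in __utma survives across sessions and is set per site, so it dates the user’s earliest contact with that site even after browser history has been cleared; the same domain hash ties the three records together, which is what the sub-categories above represent.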
Rebuilt Webpages
THANK YOU!