Magnet Forensics
Browser Forensics 6/3/2015
PC and Mobile Browser Evidence
Jad Saliba
Ryan Duquette
Agenda
• PC and Mobile based browsers
• Closer look into where they store data and what IEF recovers
• Specific Chrome and Firefox artifacts
• Refined Results
• Various URL Results
• Google Search URLs vs Parsed Search Queries
• Google Map Queries
• Our “Browser Activity” category
• In-Private/Recovery artifacts v PrivacIE
• Flash Cookies
• Google Analytics
• Rebuilt Webpages
IEF Browser Artifacts
PC Based Artifacts
Mobile Based Artifacts
Browsers – Market Share
Browsers – Market Share
Browsers
Chrome
PC Based Browsers - Chrome
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Google/Chrome/User Data/Default
• Chrome Incognito
PC Based Browsers - Chrome
Chrome
• Web History
• Web Visits
• Search Terms
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Sessions
• Last Tabs
• Cache Records
Firefox
PC Based Browsers - Firefox
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache
• Firefox Private Browsing
PC Based Browsers - Firefox
Firefox
• Bookmarks
• Cookies
• Downloads
• Fav Icons
• Form History
• Form Input History
• Web History
• Session Store
• Cache Records
• Web Visits
• Private Browsing History
Internet Explorer
PC Based Browsers – Internet Explorer (5-9)
• index.dat files
• \Documents and Settings\[username]\Local Settings\History\History.IE5
PC Based Browsers – Internet Explorer (5-9)
IE (5-9)
• Cache
• Cookies
• Downloads
• Main History
• Daily History
• Weekly History
• Leak
• PrivacIE
• Redirect
• Typed URLs
• InPrivate/Recovery URLs
PC Based Browsers – Internet Explorer (10+)
• No more index.dat
• ESE Databases
• Webcache.dat and log files
• %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/History
• InPrivate Browsing
PC Based Browsers – Internet Explorer (10+)
IE (10+)
• Content (similar to Cache)
• Cookies
• Main History
• Daily/Weekly History
• Dependency Entries
• Downloads
THIS IS MICROSOFT EDGE!
Browsers – Microsoft Edge
• The database filename is “WebCacheV01.dat” (unchanged from IE10/11).
• The recovery/InPrivate (“travel log”) record format has not changed either.
• It looks like the plan will be to keep both browsers on Windows 10 (IE11 and Edge) at least for now, so IE11 can be used for older website compatibility.
• You’ll want to make sure to recover browser history from both browsers in their respective locations (IE11 history is still stored in this folder: C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache).
Browsers – Microsoft Edge
Some slight path differences:
• Cookies are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\Cookies
• The cache/Temporary Internet Files are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\Cache
• Recovery URL files are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\User\Default\Recovery
• The location for browsing history is in this folder: C:\Users\<username>\AppData\Local\Spartan\Database
Mobile
Mobile Based Browsers - Android
Chrome on Android:
Data stored in ROOT/data/data/com.android.chrome/app_chrome/Default
• Sqlite.db files are not obfuscated/encrypted
Firefox for Android:
Data stored in ROOT/data/data/org.mozilla.firefox
• Sqlite.db files are not encrypted
Mobile Based Browsers - Android
Chrome - Android
• Webkit Artifacts
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Login Data
• Cookies
• Archived Web History
• Fav Icons
• Bookmarks
• Cache
• History
• Searches
Mobile Based Browsers - Android
Firefox – Android
• Cache Records
• Web History
• Bookmarks
• Form History
• Cookies
Mobile Based Browsers - iOS
Chrome on iOS:
• Data stored in ROOT/private/var/mobile/Applications/5661B076-549E-4480-B940-E96C6DA4E0BA (GUID may differ on each device)
• User data stored in ChromeROOT/Library/Application Support/Google/Chrome/Default/
• Not encrypted or obfuscated
Safari on iOS:
• Data stored at ROOT/private/var/mobile/Applications/6551E25E-89C0-4CCD-B8DE-9F3949D59EDB (GUID may differ on each device)
• User data in SafariROOT/Library/Caches/com.apple.mobilesafari
• Not encrypted or obfuscated
Mobile Based Browsers - iOS
Chrome - iOS
• Webkit Artifacts
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Login Data
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Tab
• Cache
Mobile Based Browsers - iOS
Safari – iOS
• Bookmarks
• Web History
• Cache Records
• Bookmarks
Mobile Based Browsers – Windows Phone
Data Stored in:
• \User\DefApps\APPDATA{218A0EBB-1585-4C7E-A9EC-054CF4569A79\
Mobile Based Browsers - Windows Phone
Internet Explorer – Windows Phone
• Cache
• Cookies
• Downloads
• History Main
• History Daily
• History Weekly
• IE Leak
• IE Privacy
• IE Redirect
• IE Cache
• IE Cookies
• Typed URLs
Chrome Tabs / Sessions(Last / Current)
Chrome
Current Session
• Contains URLs from current Chrome session
• “Last Session” file contains data from the previous session
Chrome Current Tabs
• Currently opened URLs / tabs
• “Last Tabs” file also exists
• Data is in an “SNSS” format (proprietary)
Chrome FavIcons, History Index, Top Sites, and more!
Chrome Logins
• Great place to start an investigation to see what websites a user logged into
Chrome Favicons
• Stores the “favicons.ico” data for sites
• Timestamp is not necessarily the last visited time
Chrome
History Index
• Stores text content from websites visited
• Can provide great information regarding site content
• Useful for keyword searches
Chrome
Top Sites
• Stores a thumbnail of a “top site”
• Top Sites are frequently visited sites
Chrome
Web History
• Consolidated history view
• Does not show every visit time, only visit counts, etc
• Useful for quick overview
Chrome
Web Visits
• Every visit shown
• Useful for timelines, extra detail
• http://bit.ly example here lines up with previous slide
Chrome/etc
Carved History
• Carved URLs that were stored in the Chrome SQLite format
• 360 Safe Browser, Opera, and potentially other browsers store history in the same format
Firefox Session Store
Firefox
Session Store
Artifacts
• SessionStore.js / SessionStore.bak
• Similar to Last Session/Tabs in Chrome
• Can be carved
• Can contain the referring site
Refined Results
Refined Results
• Categorizes commonly investigated URLs for easier analysis
• Multiple artifact sources/browsers
• Investigators can create custom lists or add to existing list
• Recovers search queries from common search engines such as Google and Bing
Refined Results – Various URLs
IEF searches for:
• Classified URLs
• Cloud Services URLs
• Dating Site URLs
• Facebook URLs
• Tax Site URLs
• Web Chat URLs
• Pornography Site URLs
• Social Media URLs
• Torrent Site URLs
• Malware URLs
Social Media URLs
• Good place to start investigation to see user activity in relation to social media conversations.
Initial Introductions – LinkedIn
• Many social media sites are connected to an email account
Facebook URLs
• Potential Activity
• Snapshot of FB Activity
Google Searches
Google Searches
• Original Search Query
• Timestamp differences (favicon)
• &ei= parameter
• Search Session timestamp
Refined Results – Google Searches vs Parsed Search Queries
IEF uses regular expressions and searches through all browser data.
^https?://(?!maps).*\.google\..*/ | Google Searches
(\&|\#|\?)q= | Google Searches
Refined Results – Google Searches vs Parsed Search Queries
IEF will parse Search Queries from the following:
• bing | Bing
• yahoo | Yahoo
• youtube | YouTube
• piratebay | PirateBay
• facebook | Facebook
• ?value= | Facebook
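Added example (not from the slides or from IEF): the two Google patterns quoted above applied to constructed URLs, with the `q=` terms pulled from both the query string and the fragment, and the `&ei=` session timestamp decoded. The `ei` layout used here (base64url, first four bytes a little-endian Unix time) is an assumption not stated on the slides; all function names and sample URLs are hypothetical.

```python
import base64
import re
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The two patterns quoted on the slide, unchanged.
GOOGLE_URL = re.compile(r"^https?://(?!maps).*\.google\..*/")
Q_PARAM = re.compile(r"(\&|\#|\?)q=")


def matches_slide_patterns(url):
    """True when both slide patterns hit the URL."""
    return bool(GOOGLE_URL.search(url)) and bool(Q_PARAM.search(url))


def host_is_google(url):
    """Stricter check (an addition): 'google' must be a label of the host itself.

    The slide pattern uses unanchored '.*', so it also matches a non-Google URL
    that merely carries a Google address inside one of its parameters.
    """
    labels = (urlsplit(url).hostname or "").split(".")
    return "google" in labels and labels[0] != "maps"


def _params(url):
    """Merge parameters from the query string and the '#' fragment."""
    parts = urlsplit(url)
    merged = parse_qs(parts.query)
    for key, values in parse_qs(parts.fragment).items():
        merged.setdefault(key, []).extend(values)
    return merged


def search_terms(url):
    """All q= values, query string first, then fragment."""
    return _params(url).get("q", [])


def ei_timestamp(url):
    """Decode the ei= value to a UTC datetime (ASSUMED layout, see lead-in)."""
    values = _params(url).get("ei")
    if not values:
        return None
    token = values[0]
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < 4:
        return None
    (secs,) = struct.unpack("<I", raw[:4])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def constructed_ei(secs):
    """Build a sample ei token for the demo; the trailing bytes are filler."""
    raw = struct.pack("<I", secs) + bytes(8)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample URLs, not taken from any case data.
SAMPLE_URLS = [
    "https://www.google.com/search?q=browser+forensics&ei=" + constructed_ei(1433289600),
    "https://www.google.ca/#q=ief+artifacts",
    "https://maps.google.com/maps?q=waterloo",
    "https://example.test/out?q=x&u=http://www.google.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(matches_slide_patterns(u), host_is_google(u),
              search_terms(u), ei_timestamp(u))
```

The last sample shows why a hit from the patterns alone should be confirmed against the host before it is reported as a Google search.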
Google Translate
• Translation string
• Language from/to
Google Maps
• Started in 2004
• Over 1,162,460 sites use Google Maps
• Overtook MapQuest in terms of traffic in 2009
• Google Maps Navigation, included on Android handsets, has guided users 12 billion miles a year
• 200 million users on Google Maps for Mobile
• Cases involving runaway youths, kidnapping, luring, homicide
Google Maps
• Temporary Internet Files
• RAM captures
• pagefile.sys / hiberfil.sys
Google Maps
• Uses a tile system to display maps
• Each tile is 256x256 pixels
• Filename in Temporary Internet Files contains x, y, and z coordinates
• Coordinates are based on a world map
• x, y requires the z value (zoom)
Examples:
• lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png
• &x=9054&y=11982&z=15.png
Google Maps
Google Maps
Tiles can be downloaded:
http://mt.google.com/vt/&x=XXX&y=XXX&z=XXX
http://www.darrinward.com/lat-long/
New Google Maps
• Newer version of Google Maps launched in March 2014
• Tile filenames and URLs are different now (thanks, Google!)
• It’s not pretty:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
New Google Maps
The new URLs:
https://www.google.com/maps/@43.7242262,-79.4051719,12z
https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,-80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70
https://www.google.com/maps/dir/Ayr,+ON,+Canada/123+Gunn+Ave,+Cambridge,+ON+N3C+2Z6,+Canada/@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036
New Google Maps
The new tiles:
• Sample filename:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
• Another sample, slightly different:
• pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png
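Added example (not from the slides or from IEF): turning the tile coordinates in the cached filenames above into a geographic bounding box with the standard Web Mercator tile formula, and reading the `@lat,lon,zoom` viewport from the new URLs. Reading `!1i`, `!2i`, `!3i` as zoom, x, y and `!4i` as the tile size in pixels is an assumption inferred from the sample names; the function names are hypothetical.

```python
import math
import re

TILE_PX = 256  # tile edge length given on the slide

# New-style viewport URL: /maps/...@<lat>,<lon>,<zoom>z
URL_VIEW = re.compile(r"/maps/.*@(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?),(\d+(?:\.\d+)?)z")
# New-style tile name. ASSUMPTION: 1i=zoom, 2i=x, 3i=y, optional 4i=tile size in px.
PB_TILE = re.compile(r"pb=.*?!1i(\d+)!2i(\d+)!3i(\d+)(?:!4i(\d+))?")


def tile_corner(x, y, n):
    """Lat/lon of the north-west corner of tile (x, y) on an n-by-n world grid."""
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return round(lat, 5), round(lon, 5)


def tile_bounds(x, y, z, tile_px=TILE_PX):
    """(north, west, south, east) of a tile, or None if it cannot exist at zoom z."""
    if tile_px <= 0 or not 0 <= z <= 30:
        return None
    n = (2 ** z) * TILE_PX // tile_px  # tiles per axis; smaller tiles, finer grid
    if not (0 <= x < n and 0 <= y < n):
        return None  # carved or corrupted hit: x/y outside the world map
    north, west = tile_corner(x, y, n)
    south, east = tile_corner(x + 1, y + 1, n)
    return north, west, south, east


def _param(name, text):
    """Integer value of an old-style &name= parameter, in any order."""
    m = re.search(r"(?:^|[&?])" + name + r"=(\d+)", text)
    return int(m.group(1)) if m else None


def decode_maps_artifact(text):
    """Return a dict describing the location in a Maps URL or cached tile name."""
    m = URL_VIEW.search(text)
    if m:
        lat, lon, zoom = (float(g) for g in m.groups())
        return {"kind": "viewport", "lat": lat, "lon": lon, "zoom": zoom}
    m = PB_TILE.search(text)
    if m:
        z, x, y = (int(g) for g in m.groups()[:3])
        size = int(m.group(4)) if m.group(4) else TILE_PX
    else:
        x, y, z = (_param(k, text) for k in "xyz")
        size = TILE_PX
        if None in (x, y, z):
            return None
    bounds = tile_bounds(x, y, z, size)
    if bounds is None:
        return None
    return {"kind": "tile", "zoom": z, "tile_px": size, "bounds": bounds}


# Filenames and URL taken from the slides (line-wrapped names joined).
SAMPLES = [
    "lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png",
    "&x=9054&y=11982&z=15.png",
    "pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105"
    "!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png",
    "pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png",
    "https://www.google.com/maps/@43.7242262,-79.4051719,12z",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40], "->", decode_maps_artifact(s))
```

A tile only proves that the map area inside its bounding box was rendered; the lower the zoom value, the larger that area is.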
Browser Activity
• Targeting Incognito, Private browsing
• Why it’s called Browser Activity
• Need to look at multiple variables
Another example
The Source column
• A real hit
• User activity
• Source is helpful
Refined Results – Various URLs
Original Search Term
Searches
Classified URLs
Refined Results – Various URLs
Never visited this webpage
InPrivate/Recovery URLs
• More context, but still limited
• InPrivate vs Recovery
• Source is a clue again
• Hits from pagefile, unallocated are more difficult
Incognito/Private Browsing Mode
Firefox Private browsing
Firefox Private browsing
Firefox Private browsing
Observations:
• Nothing is written to disk (relating to web activity)
• Great deal of data left behind in RAM, pagefile.sys, and hiberfil.sys
• However, hard to pinpoint if records were from the user or browser processes (cert authority URLs sometimes found)
• Also hard to label as Firefox history (could be from Chrome or other browsers)
Firefox Private browsing
Chrome Incognito browsing
Chrome Incognito browsing
Chrome Incognito browsing
Observations:
• Nothing is written to disk (relating to web activity)
• Good deal of data left behind in RAM, pagefile.sys, and hiberfil.sys
• However, hard to pinpoint if records were from the user or browser processes (cert authority URLs sometimes found)
• Like Firefox, also hard to label as Chrome history (could be from Firefox or other browsers)
Chrome Incognito browsing
Flash Cookies / Local Shared Objects
• Cookies stored by Macromedia Flash
• Different format and location from traditional browser cookies
• Can contain metadata or user identifying info
• Not easily deleted
• Can reveal visited sites even when Incognito/etc
• Stored in .sol files
• Under AppData or Application Data
• Folder location can be indicative as well
Google Analytics
Google Analytics Cookies
Google Analytics cookie data parsed by IEF into sub-categories:
• First Visit
• Referral
• Session
Each sub-category represents separate record entries from the same Google Analytics cookie file
Google Analytics First Visit Cookies
Timestamps stored as Unix numeric values
Rebuilt Webpages
THANK YOU!