Web Browser Forensics Series

JSaxena
3 min read · Jul 28, 2022


Over the past few weeks, I have been reading about different types of web browsers, how they work under the hood from the DFIR side, and how/where they store artifacts on disk. What I saw on the internet was very much theory, like where the data is stored and in what format (some of it was already outdated), but nobody talks about what the data actually looks like. There are really good tools out there that make your life easy when pulling and parsing the data, but as a DFIR analyst you need to know what's happening under the hood, so you can do it without tools, or with limited tools.

I will be writing a series of blogs covering web browser forensics in depth, where I will cover popular web browsers and where to find their artifacts. Before I jump into it, let's talk a little about web browsers in general, the data we get from analyzing browsing activity as a DFIR analyst, and what makes each browser different.

Source: https://esmemes.com/t/clear-my-browser-history?s=new

About Web Browsers:

  • Web browsers are used by everyone, on phones, desktops, tablets and even embedded devices.
  • Searching for evidence left by browsing activity is a crucial component of incident response and forensic investigations: it shows how an attacker led the victim past network security controls and got the initial payload downloaded.
  • Almost every action a user performs in a web browser leaves a trace on the computer.
  • Users typically reach web mail, social networks and other sites through a browser, so the browser sees most of what they do online.
  • The browser is also a primary delivery channel for malware, spyware and adware, whether via email (including web mail), social networks, or compromised sites.
  • Browsers are not limited to HTTP and HTTPS: they render many file types (PDF, XML, images) that may live on the local file system, and they speak other schemes such as file:// (and historically FTP, which mainstream browsers dropped in 2021), so local file access can show up in browser artifacts too.

Thus, it is important to understand how this information is stored and how we can fetch these artifacts for forensics.

What sort of Traces are left by Web Browsers?

  • Cache: The browser cache can contain downloaded images, videos, documents, executable files and scripts. These are very helpful in proving what a user actually viewed, especially when legal or HR is involved.
  • Cookies: A user may clear their history, but cookies still show that a site was visited, when the cookie was set, and what the session did.
  • User profiles: Modern browsers sync data online and across devices. This lets a DFIR analyst link activity back to a personal account that was signed in, possibly on a corporate machine.
  • History: Ahhh, the browsing history. Chromium-based browsers expire history entries older than 90 days by default, so older data may simply be gone. Good luck getting it back!
  • Session data: Every time the browser opens, a session starts and the browser records which tabs are open, in what order, and their navigation state. The browser uses this to restore your tabs after a crash or power loss, which means an analyst can recover what was open even if the user never "saved" anything.
  • Form values (searches, autofill): It's not just usernames and passwords any more; browsers also record addresses, city, postal code, country and sometimes credit card details. Really juicy stuff, as you can guess.
  • Downloaded files: Lastly, which files the browser downloaded, the size of each, the referrer page, and the URL chain (including redirects) the file was fetched through. This helps you establish a chain of events and a timeline for the investigation.

Now that you understand why browsers matter and what data they hold, let's start the series with the most popular one: Google's Chromium codebase, from which many browsers (Chrome, Edge, Brave, Opera and others) are derived.
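As an added example (not the author's code, and not the walk-through the series itself will give), the Python script below parses three of the artifact types listed above straight from a Chromium-style History SQLite file using only the standard library: the search terms the user typed, the navigation chain that led to a page (via visits.from_visit and the transition flags), and each download with its referrer and final URL after redirects. The sample data is constructed inline, and the schema is an assumed, reduced subset of Chromium's real History tables (only the columns the queries touch); the timestamp conversion (microseconds since 1601-01-01 UTC) is the real Chromium convention.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# visits.transition: core type in the low 8 bits, qualifier flags above it
# (0x10000000 chain start, 0x20000000 chain end, 0x40000000 client redirect,
# 0x80000000 server redirect). Only the core type is decoded here.
CORE_MASK = 0xFF
TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
               4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
               7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}


def webkit_to_datetime(ts):
    """Chromium stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts) if ts else None


def transition_name(value):
    return TRANSITIONS.get(value & CORE_MASK, "UNKNOWN")


def visit_chain(conn, visit_id):
    """Follow visits.from_visit back to the navigation that started it (oldest first)."""
    chain, seen = [], set()
    while visit_id and visit_id not in seen:      # 0 = no referrer; seen guards cycles
        seen.add(visit_id)
        row = conn.execute(
            "SELECT v.visit_time, v.from_visit, v.transition, u.url "
            "FROM visits v JOIN urls u ON u.id = v.url WHERE v.id = ?",
            (visit_id,)).fetchone()
        if row is None:
            break
        chain.append({"time": webkit_to_datetime(row[0]), "url": row[3],
                      "transition": transition_name(row[2])})
        visit_id = row[1]
    chain.reverse()
    return chain


def download_records(conn):
    """Each download with its final URL (highest chain_index) and the referrer page."""
    rows = conn.execute(
        "SELECT d.target_path, d.start_time, d.end_time, d.received_bytes, d.total_bytes, "
        "d.referrer, (SELECT url FROM downloads_url_chains c WHERE c.id = d.id "
        "ORDER BY c.chain_index DESC LIMIT 1) FROM downloads d ORDER BY d.start_time"
    ).fetchall()
    return [{"path": r[0], "start": webkit_to_datetime(r[1]), "end": webkit_to_datetime(r[2]),
             "bytes": r[3], "complete": r[3] == r[4], "referrer": r[5], "url": r[6]}
            for r in rows]


def search_terms(conn):
    """Search-box queries kept in keyword_search_terms, joined to the result page."""
    rows = conn.execute(
        "SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k "
        "JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time").fetchall()
    return [(r[0], r[1], webkit_to_datetime(r[2])) for r in rows]


def build_sample_db():
    """Constructed in-memory stand-in for a Chromium History file. Assumption: reduced
    schema with only the columns the queries above use. t0 = 2022-07-28 00:00 UTC."""
    t0 = 13303440000000000
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                               end_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                               referrer TEXT, tab_url TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER, term TEXT,
                                          normalized_term TEXT);
    """)
    search = "https://www.example-search.test/search?q=invoice+template"
    landing = "https://www.example.test/downloads/"
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, search, "invoice template - search", 1, 1, t0, 0),
        (2, landing, "Downloads", 1, 0, t0 + 60_000_000, 0)])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x30000000 | 1),                # typed into the address bar
        (2, 2, t0 + 60_000_000, 1, 0x30000000 | 0)])  # link clicked from visit 1
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 1, "invoice template", "invoice template"))
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)",
                 (1, r"C:\Users\alice\Downloads\report.pdf", t0 + 90_000_000,
                  t0 + 95_000_000, 204800, 204800, landing, landing))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, landing + "report.pdf?ref=1"),                  # original request
        (1, 1, "https://cdn.example.test/files/report.pdf")])  # final URL after redirect
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()   # on a real case: sqlite3.connect("copy_of_History")
    for step in visit_chain(db, 2):
        print(step["time"], step["transition"], step["url"])
    for d in download_records(db):
        print(d["start"], d["url"], "<-", d["referrer"], d["path"], d["bytes"], d["complete"])
    print(search_terms(db))
```

On a live case, work on a copy of the History file: the running browser holds it open, and opening the original in place risks altering evidence. The from_visit walk is what turns a flat list of URLs into the "search, click, download" story the artifact list above describes, and the transition flags tell you whether a URL was typed, clicked, or reached through a redirect.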

Part 1: To be continued..

