Web Browser Forensics part 1: Uncovering Digital Evidence on Brave Browser
Web browsers have become the primary tool for accessing the internet. With the advancement of the web, they are not only limited to viewing webpages or reading information online but also to conducting various activities such as online shopping, streaming, accessing services and applications like emails, and ChatGPT. However, this has also led to an increase in online crimes such as cyber bullying, child pornography, and online fraud. Therefore, due to the vast array of activities that can be performed through web browsers and information stored, they have become an important source of evidence for forensic investigators, leading to the discipline of web browser forensics.
Web Browser Forensics
Web browser forensics is a subset of digital forensics that focus on identifying, extracting, and analyzing artifacts from the browser related to one’s internet browsing activities. Activities conducted using web browsers often leave forensically sound footprints on computer storage media or physical memory, because web browsers create numerous files on local systems during internet browsing. These footprints can be retrieved using web forensic techniques, allowing investigators to reconstruct events and analyze actions taken by the suspect.
Browser Artifacts Analysis
Artifacts collection methods may vary between browsers, since may have different file system as well as different formats for storing data. Investigating a single file from a browser may not be enough, as evidence can be spread across multiple files. For example, web applications or services like emails leave different forensic artifacts on different browsers. Therefore, investigators must consider how web browsers store data, the minimum information available in each browser, and any additional or relative information provided by each browser in order to collect we browser artifacts effectively.
Type of Browser Artifacts
Techniques to Acquire Web browser Forensics
File Carving: This technique involves recovering deleted files from storage that may contain browser artifacts such as cached pages, cookies, and download records.
Tools: Forensic Toolkit (FTK) and X-Ways Forensics.
Database Forensics: This method involves analyzing the SQLite databases used by browsers to store data such as history, cookies, and bookmarks.
Tools: DB Browser for SQLite, SQLite Forensic Toolkit.
Memory Dump Analysis: This technique involves analyzing memory dumps to extract volatile data related to browser activity, such as open tabs and session data. This technique can be crucial when suspect uses portable browser and incognito modes.
Tools: Volatility, BelkaSoft RAM Capture, and Internet Evidence Finder.
Web Forensics Scenarios
Browser forensics can assist investigations in various scenarios, offering crucial insights into a user’s online activities and aiding in uncovering web browser related evidence.
1. Violation of Company Policies: Examining browsing histories can reveal if employees visited inappropriate websites or spent excessive time on non-work-related sites.
2. Academic Integrity: Investigating web activities can help identifying if a student accessed cheat sites or other resources, such as ChatGPT, during an online test.
3. Cyber crime Investigations: Investigators can track the URLs visited by a employees to determine if they accessed phishing sites or to help identify if a user downloaded malicious software.
Moreover, recent experiments have been conducted where web forensics was used to analyze and retrieve data from web browser-based applications such as TikTok, Facebook, and Instagram. Digital evidence includes essential information such as chat messages, shared links, uploaded videos, deleted videos, and browsing history.
Web Browser Forensics Challenges
1. Multiple Web Browsers: The variety of web browsers creates enormous complexity in the proper forensic analysis of web browser activity, as different browsers may store different types of artifacts, in different ways, and in different locations.
2. Browser Features: Some browsers now offer capabilities such as private browsing, portable versions, and enhanced privacy features. These features prevent digital artifacts from being stored on the suspect’s machine, complicating forensic analysis.
3. Anti-Forensics: Data contained in the browser can be deleted by users, posing challenges during investigations.
Conclusion
Web browser forensics plays a critical role in digital forensics investigations, offering invaluable insights into a user’s online activities. Despite the challenges posed by the variety of web browsers, private mode, portable version features, and anti-forensic methods, effective techniques such as file carving, database forensics, and memory dump analysis enable investigators to uncover essential digital evidence.
References
College of Computers and Information Technologies, Taif University, Kingdom of Saudi Arabia, Lazzez, A., & Slimani, T. (2015). Forensics Investigation of Web Application Security Attacks. International Journal of Computer Network and Information Security, 7(3), 10–17. https://doi.org/10.5815/ijcnis.2015.03.02
Hariharan, M., Thakar, A., & Sharma, P. (2022). Forensic Analysis of Private Mode Browsing Artifacts in Portable Web Browsers Using Memory Forensics. 2022 International Conference on Computing, Communication, Security and Intelligent Systems (IC3SIS), 1–5. https://doi.org/10.1109/IC3SIS54991.2022.9885379
Nalawade, A., Bharne, S., & Mane, V. (2016). Forensic analysis and evidence collection for web browser activity. 2016 International Conference on Automatic Control and Dynamic Optimization Techniques (ICACDOT), 518–522. https://doi.org/10.1109/ICACDOT.2016.7877639
Mugisha, D. (2018). Web Browser Forensics: Evidence Collection and Analysis for Most Popular Web Browsers Usage in Windows 10. https://doi.org/10.13140/RG.2.2.25857.51049
Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8, S62–S70. https://doi.org/10.1016/j.diin.2011.05.008
